Forum Discussion
Double entries in userCertificate avoids Hybrid Join
Hey guys,
I have an interesting situation at a customer. He utilizes a third party MFA provider while being on a federation. That means new computers never will have a registered state. For users it is mandatory that theirs clients have fulfilled the Hybrid Join to use M365 apps, what can be a real pain.
So the Automatic-Device-Join task has to create the userCertificate on the OnPremises computer object, before it can be synchronized to Entra.
Here comes the issue. In some cases we see that some computers will create two userCertificate entries.
This situation will lead to an inconstistent Hybrid Join. I already tried to remove one of the certificates, but for me it is impossible to recognize which is the right one.
Only solution for me was to remove both entries under userCertificate and let the Automatic-Device-Join task create a new one. Afterwards the Hybrid Join will work.
I want to understand, which process or scenario might create the double userCertificate entries?
When a machine is trying to join Hybrid Azure AD, it requires a valid userCertificate to authenticate. The Automatic-Device-Join task creates this certificate on the OnPremises computer object, which is then synchronized to Azure AD (Entra). However, if the system creates two certificates under the userCertificate attribute, the Hybrid Join fails due to the ambiguity of which certificate is correct for the process
As you already identified, removing both certificates manually and letting the system recreate the correct certificate with the next join is a viable fix.
Investigating the Task Execution: Review the logs for the Automatic-Device-Join task to see if it’s being triggered multiple times or at an incorrect stage.
Ensure Correct Sync Timing: Confirm that the synchronization between the on-premises AD and Azure AD is configured correctly, and no premature syncs are happening.
Best Regards,
Ali Koc
