AD Connect Alternate ID + Intune Auto Enrollment


Hello,

Currently a client is using a multiple-forest (account-resource forest) AD Connect topology. When AD Connect was set up, the Alternate ID was set to use the mail attribute as the UPN in Azure AD. So the user's on-prem UPN is user@domainA.com and in Azure AD it is user@domainB.com.

I am trying to set up Hybrid AD Joined devices to auto-enroll in Intune using GPO.

The issue I am coming across is that when they log onto the Hybrid AD Joined device they are using the account with the on-prem UPN, which doesn't match the UPN in Azure AD.

dsregcmd /status is showing:

IsUserAzureAD: NO

SSO Stated AzureADPrt: No

So the device isn't able to enroll in Intune because the user's UPNs do not match.

Has anyone come across this before and found a solution?

I thought of using Azure AD alternate login, but Hybrid AD Joined devices are not supported.

Sign-in to Azure AD with email as an alternate login ID | Microsoft Docs: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-use-email-signin

Thanks,

0 Replies
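The following is an added example, not code from the original post or from Microsoft: a PowerShell check that reproduces the diagnosis in the thread by parsing `dsregcmd /status` and comparing the signed-in user's on-prem UPN with the value the Alternate ID configuration syncs as the cloud UPN (the `mail` attribute). It assumes the script is run as the affected user on the hybrid-joined device, that the RSAT ActiveDirectory module is installed for the `Get-ADUser` lookup, and that the key names `DomainJoined`, `AzureAdJoined`, `AzureAdPrt` and `IsUserAzureAD` appear in the dsregcmd output as they do on current Windows builds; the function names are hypothetical.

```powershell
# Added example (not from the original post). Parses dsregcmd /status into a
# hashtable and reports the conditions that block Intune auto-enrollment:
# missing hybrid join, missing Primary Refresh Token, user not recognised as
# an Azure AD user, and an on-prem vs cloud UPN mismatch (Alternate ID case).

function Get-DsregStatus {
    # dsregcmd prints indented "Key : Value" lines; keep the first colon as the
    # separator so values that contain colons (URLs) are preserved intact.
    $status = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.+?)\s*$') {
            $status[$matches[1]] = $matches[2]
        }
    }
    return $status
}

function Test-HybridJoinReadiness {
    param(
        [hashtable]$Status = (Get-DsregStatus),
        # On-prem UPN of the signed-in user (whoami /upn is the interactive session's UPN)
        [string]$OnPremUpn = (whoami /upn),
        # Expected Azure AD UPN; with Alternate ID (mail as UPN) this is the mail attribute
        [string]$CloudUpn
    )
    $findings = @()
    if ($Status['DomainJoined']  -ne 'YES') { $findings += 'Device is not domain joined' }
    if ($Status['AzureAdJoined'] -ne 'YES') { $findings += 'Device is not hybrid Azure AD joined' }
    if ($Status['AzureAdPrt']    -ne 'YES') { $findings += 'No Primary Refresh Token: the user did not obtain an Azure AD token at sign-in' }
    if ($Status['IsUserAzureAD'] -ne 'YES') { $findings += 'Signed-in user is not recognised as an Azure AD user' }
    if ($CloudUpn -and $OnPremUpn -and ($OnPremUpn -ne $CloudUpn)) {
        $findings += "UPN mismatch: on-prem '$OnPremUpn' vs Azure AD '$CloudUpn' (Alternate ID sync in use)"
    }
    return $findings
}

# Usage: resolve the expected cloud UPN from the on-prem account's mail attribute,
# then list every blocking condition (empty output means the checks passed).
$me = Get-ADUser -Identity $env:USERNAME -Properties mail, userPrincipalName
$findings = Test-HybridJoinReadiness -OnPremUpn $me.userPrincipalName -CloudUpn $me.mail
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'Device and user state look consistent with Intune auto-enrollment' }
```

The UPN comparison is what makes this useful for the scenario above: `dsregcmd` alone only shows that the PRT is missing, while the mail-vs-UPN check names the likely cause, so the result can be fed into a helpdesk ticket or a compliance script that runs before the enrollment GPO is expected to take effect.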