AD Connect Alternate ID + Intune Auto Enrollment

Copper Contributor



Currently a client is using Multiple forests: account-resource forest AD Connect topology. When AD Connect was setup the Alternate ID was set to use the mail attribute as the UPN in Azure AD. So the users on-prem UPN is and in Azure AD it is


I am trying to setup up Hybrid AD Joined Devices to auto enroll in Intune using GPO. 


The issue I am coming across is that when they log onto the Hybrid AD Joined device they are using the account with the on-prem UPN which doesn't match the UPN in Azure AD. 


dsregcmd /status is showing

IsUserAzureAD: NO

SSO Stated AzureADPrt: No


So the device isn't able to enroll in Intune because the users UPNs do not match.

Has anyone come across this before and found a solution?


I thought of using Azure AD Alternant login, but Hybrid AD Joined devices is not supported.

Sign-in to Azure AD with email as an alternate login ID | Microsoft Docs




2 Replies
I think you have answered your own question. The UPNs need to match to enroll the devices into Intune but I guess you wouldn't create this topic just for fun. So, why are your UPNs not matching?

Hi @jdavis92,

This feature isn’t supported ‘enrolling Hybrid AAD join using GPO’, not sure if ever be supported.

I agree with my colleague above and my advice is matching the identity between the two environments, you don’t want to add more complexity to already complicated scenario (Mismatch Identity + Hybrid AD Join).

Hope this helps!