AD Connect Alternate ID + Intune Auto Enrollment

Regular Visitor



Currently a client is using a multiple-forest (account-resource forest) AD Connect topology. When AD Connect was set up, the Alternate ID was set to use the mail attribute as the UPN in Azure AD. So the user's on-prem UPN is and in Azure AD it is


I am trying to set up Hybrid AD Joined devices to auto-enroll in Intune using GPO.


The issue I am coming across is that when they log onto the Hybrid AD Joined device, they are using the account with the on-prem UPN, which doesn't match the UPN in Azure AD.


dsregcmd /status is showing:

IsUserAzureAD: NO

SSO State: AzureADPrt: NO


So the device isn't able to enroll in Intune because the users' UPNs do not match.

Has anyone come across this before and found a solution?


I thought of using Azure AD Alternate login ID, but Hybrid AD Joined devices are not supported.

Sign-in to Azure AD with email as an alternate login ID | Microsoft Docs




0 Replies
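As an added diagnostic example (not part of the original post, and not Microsoft's code), the following PowerShell script captures the `dsregcmd /status` output the poster quotes, parses the relevant fields, and compares the signed-in user's on-prem UPN with the UPN Azure AD expects. It assumes the script runs on the hybrid-joined device as the affected user, that the Azure AD UPN equals the on-prem `mail` attribute (the Alternate ID configuration described above), and that the RSAT ActiveDirectory module is available if you use the optional `Get-ADUser` lookup. The field names `AzureAdJoined`, `DomainJoined`, `AzureAdPrt` and `IsUserAzureAD` are those printed by `dsregcmd /status`; the function and parameter names are my own.

```powershell
# Added example, not from the original post. Assumes: run as the affected
# user on the hybrid-joined device; Azure AD UPN = on-prem 'mail' attribute
# (Alternate ID); RSAT ActiveDirectory module present for the optional lookup.

function Get-DsregStatus {
    # Run 'dsregcmd /status' and turn every "Key : Value" line into a hashtable entry.
    $status = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.+?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Test-HybridEnrollmentReadiness {
    # Returns a list of findings that explain why GPO-driven Intune auto-enrollment
    # would not succeed for this user on this device. Empty list = nothing obvious.
    param(
        [hashtable]$Status = (Get-DsregStatus),
        [string]$OnPremUpn = (whoami /upn),   # UPN of the interactively signed-in user
        [string]$ExpectedCloudUpn             # UPN Azure AD holds for this user (hypothetical input)
    )
    $findings = @()

    if ($Status['DomainJoined'] -ne 'YES') {
        $findings += 'Device is not domain joined; this is not a hybrid join.'
    }
    if ($Status['AzureAdJoined'] -ne 'YES') {
        $findings += 'Device is not Azure AD joined (AzureAdJoined != YES); hybrid join has not completed.'
    }
    if ($Status['IsUserAzureAD'] -ne 'YES') {
        $findings += 'Signed-in user could not be resolved in Azure AD (IsUserAzureAD != YES).'
    }
    if ($Status['AzureAdPrt'] -ne 'YES') {
        $findings += 'No Primary Refresh Token for this user (AzureAdPrt != YES); auto-enrollment relies on the PRT.'
    }
    if ($ExpectedCloudUpn -and ($OnPremUpn -ne $ExpectedCloudUpn)) {
        $findings += "UPN mismatch: on-prem '$OnPremUpn' vs Azure AD '$ExpectedCloudUpn' (Alternate ID in AD Connect)."
    }
    return $findings
}

# Usage, on the device as the affected user. The Get-ADUser line reads the
# on-prem 'mail' attribute, which under Alternate ID is the Azure AD UPN.
# $cloudUpn = (Get-ADUser -Identity $env:USERNAME -Properties mail).mail
# Test-HybridEnrollmentReadiness -ExpectedCloudUpn $cloudUpn
```

Run it in the user's own session rather than an elevated one, since `dsregcmd /status` reports the user-state and SSO-state fields for the calling user; an empty result means the device-side prerequisites look correct and the remaining checks belong in the Azure AD tenant (device registration) and the enrollment configuration.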