cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Can't do Azure AD Hybrid Join - help needed

John Quile
Brass Contributor

‎Jun 29 2020 06:46 AM

‎Jun 29 2020 06:46 AM

Can't do Azure AD Hybrid Join - help needed

I am simply trying to get Azure AD Hybrid join to work so I can manage our laptops via Azure InTune.
We have an on-prem AD and we use Okta for our authentication of users to Azure/O365.
The lack of details and support form both vendors is astounding and only thing holding us back from giving people our money.

I ran the configuration in Azure AD Connect client to do device joining and the SCP page gave me 2 options: ourdomain.okta.com or Azure AD. I chose the Okta one. Nothing else stood out as odd in the wizard.

Thereafter I'm still not sure what to do. I check my computer's event logs and it gives me this error under Applications and Service Logs > Microsoft > Windows > User Device Registration > Admin:

> Automatic registration failed at authentication phase. Unable to acquire access token.
> Exit code: Unknown HResult Error code: 0x801c0515
> Tenant Name: ourdomain.com.com
> Tenant Type: Federated
> Server error:
> AdalMessage: ADALUseWindowsAuthenticationTenant failed, unable to preform integrated auth
> AdalErrorCode: 0x2ee6
> AdalCorrelationId: undefined
> AdalLog: HRESULT: 0x2ee6
> AdalLog: HRESULT: 0x2ee6
> AdalLog: HRESULT: 0x2ee6
> AdalLog: AggregatedTokenRequest::GetAppliesTo: using resource ID "urn:federation:MicrosoftOnline" for authority "https://login.microsoftonline.com/common". ; HRESULT: 0x0
> AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth- received realm info ; HRESULT: 0x0
> AdalLog: HRESULT: 0x4aa90010
> AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth w Tenant ; HRESULT: 0x0
> AdalLog: AggregatedTokenRequest::AcquireToken- returns false ; HRESULT: 0x0
> AdalLog: AggregatedTokenRequest::AcquireToken- refresh token is not available ; HRESULT: 0x0
> AdalLog: AggregatedTokenRequest::AcquireToken get refresh token info ; HRESULT: 0x0
> AdalLog: Authority validation is completed ; HRESULT: 0x0
> AdalLog: Authority validation is enabled ; HRESULT: 0x0
> AdalLog: Token is not available in the cache ; HRESULT: 0x0

5,951 Views
0 Likes
4 Replies
Reply
4 Replies
Moe_Kinani

‎Jun 29 2020 07:17 PM

‎Jun 29 2020 07:17 PM

Re: Can't do Azure AD Hybrid Join - help needed

Hi John,

Do you have AD Connect configured in your environment? You need to sync your users/ PCs from AD Connect so you can have them Hybrid Joined.

I don’t use Okta, is there limitation that you can’t use AD Connect with Okta at the same time?

Hope this helps!
Moe
0 Likes
Reply
Jgq85

‎Jun 29 2020 08:22 PM

‎Jun 29 2020 08:22 PM

Re: Can't do Azure AD Hybrid Join - help needed

Hi @Moe_Kinani ,

Yes I've got the AD Connect in the environment. 

Problem is there's no direction from MS or Okta on what to choose for the SCP.

I believe that is why I see the error log in my original post. 

It gives me two options:

  • ourdomain.okta.com
  • Azure Active Directory

I wonder if I should choose "Azure Active Directory" instead of ourdomain.okta.com??

 

Jgq85_0-1593487349998.png

 

 

0 Likes
Reply
Moe_Kinani

‎Jun 29 2020 08:44 PM

‎Jun 29 2020 08:44 PM

Re: Can't do Azure AD Hybrid Join - help needed

Check my response to your thread inAzure AD community-

Let me know if you have any questions!
Moe

https://techcommunity.microsoft.com/t5/azure-active-directory/hybrid-ad-join-with-okta-scp-possible-...
0 Likes
Reply
Phill198

‎Jun 13 2023 08:04 PM

‎Jun 13 2023 08:04 PM

Re: Can't do Azure AD Hybrid Join - help needed

Just want to reply to this as the information provided below isn't accurate.

If Azure AD is federated into Okta you need to select Okta as the authentication service rather than AAD when doing the SCP in AAD Connect.

If there is no federation you need to select AAD.

I have a similar issue to you, did you manage to solve it in the end?

0 Likes
Reply