Can't do Azure AD Hybrid Join - help needed

I am simply trying to get Azure AD Hybrid Join to work so I can manage our laptops via Azure Intune.
We have an on-prem AD and we use Okta for authentication of our users to Azure/O365.
The lack of details and support from both vendors is astounding and is the only thing holding us back from giving people our money.

I ran the configuration in Azure AD Connect client to do device joining and the SCP page gave me 2 options: ourdomain.okta.com or Azure AD. I chose the Okta one. Nothing else stood out as odd in the wizard.

Thereafter I'm still not sure what to do. I check my computer's event logs and it gives me this error under Applications and Service Logs > Microsoft > Windows > User Device Registration > Admin:

> Automatic registration failed at authentication phase. Unable to acquire access token.
> Exit code: Unknown HResult Error code: 0x801c0515
> Tenant Name: ourdomain.com.com
> Tenant Type: Federated
> Server error:
> AdalMessage: ADALUseWindowsAuthenticationTenant failed, unable to preform integrated auth
> AdalErrorCode: 0x2ee6
> AdalCorrelationId: undefined
> AdalLog: HRESULT: 0x2ee6
> AdalLog: HRESULT: 0x2ee6
> AdalLog: HRESULT: 0x2ee6
> AdalLog: AggregatedTokenRequest::GetAppliesTo: using resource ID "urn:federation:MicrosoftOnline" for authority "https://login.microsoftonline.com/common". ; HRESULT: 0x0
> AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth- received realm info ; HRESULT: 0x0
> AdalLog: HRESULT: 0x4aa90010
> AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth w Tenant ; HRESULT: 0x0
> AdalLog: AggregatedTokenRequest::AcquireToken- returns false ; HRESULT: 0x0
> AdalLog: AggregatedTokenRequest::AcquireToken- refresh token is not available ; HRESULT: 0x0
> AdalLog: AggregatedTokenRequest::AcquireToken get refresh token info ; HRESULT: 0x0
> AdalLog: Authority validation is completed ; HRESULT: 0x0
> AdalLog: Authority validation is enabled ; HRESULT: 0x0
> AdalLog: Token is not available in the cache ; HRESULT: 0x0
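
As an added diagnostic (not code from this thread, and not something Microsoft or Okta ship), the PowerShell below checks the two things the post above touches: what the Azure AD Connect device options wizard actually wrote into the Device Registration service connection point (SCP) in the Configuration partition, and the recent "Automatic registration failed at authentication phase" entries in the User Device Registration admin log. It assumes a domain-joined Windows 10 client with the RSAT ActiveDirectory module installed; the GUID-named container and the `azureADName:`/`azureADId:` keyword format are the documented SCP layout, and event ID 304 is the documented ID for the failure quoted in the post.

```powershell
# Added diagnostic for the hybrid join failure discussed above (not from the thread or from Microsoft/Okta).
# Assumptions: run on a domain-joined Windows 10 client with the RSAT ActiveDirectory module installed.
# The GUID below is the fixed container name Microsoft documents for the Device Registration SCP.

Import-Module ActiveDirectory

function Get-HybridJoinScp {
    # The SCP lives in the Configuration naming context under a well-known GUID-named object.
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $scpDn = "CN=62a0ff2e-97b9-4ae5-8e4a-8389a3d7c8a5,CN=Device Registration Configuration,CN=Services,$configNc"
    try {
        $scp = Get-ADObject -Identity $scpDn -Properties keywords -ErrorAction Stop
    } catch {
        return [pscustomobject]@{ Found = $false; TenantName = $null; TenantId = $null }
    }
    # keywords hold "azureADName:<verified domain>" and "azureADId:<tenant GUID>".
    $name = ($scp.keywords | Where-Object { $_ -like 'azureADName:*' }) -replace '^azureADName:', ''
    $id   = ($scp.keywords | Where-Object { $_ -like 'azureADId:*' })   -replace '^azureADId:', ''
    [pscustomobject]@{ Found = $true; TenantName = $name; TenantId = $id }
}

function Get-DeviceRegistrationFailures {
    param([int]$Last = 10)
    # Event 304 is the "Automatic registration failed at authentication phase" entry quoted in the post.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-User Device Registration/Admin'
        Id      = 304
    } -MaxEvents $Last -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0..3] -join ' | ' } }
}

$scp = Get-HybridJoinScp
if (-not $scp.Found) {
    Write-Warning "No Device Registration SCP found in the Configuration partition; rerun the Azure AD Connect device options wizard."
} else {
    "SCP tenant name : $($scp.TenantName)"
    "SCP tenant id   : $($scp.TenantId)"
    # Compare the SCP contents with what the client itself reports after reading it.
    dsregcmd /status | Select-String -Pattern 'TenantName|TenantId|DomainJoined|AzureAdJoined|AzureAdPrt'
}

# Most recent authentication-phase registration failures, oldest detail lines trimmed to the first four.
Get-DeviceRegistrationFailures | Format-Table -AutoSize -Wrap
```

Run it in an elevated PowerShell session on one of the affected laptops. If the SCP tenant name and ID do not match the `TenantName`/`TenantId` lines that `dsregcmd /status` prints, the client is reading a different (or stale) SCP than the one the wizard was meant to write; if they match but event 304 keeps recurring with `Tenant Type: Federated`, the problem is on the federated authentication path rather than in SCP discovery, which narrows what to raise with the identity provider.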

Hi John,

Do you have AD Connect configured in your environment? You need to sync your users/PCs from AD Connect so you can have them Hybrid Joined.

I don’t use Okta; is there a limitation that you can’t use AD Connect with Okta at the same time?

Hope this helps!
Moe

Hi @Moe_Kinani,

Yes, I've got AD Connect in the environment.

Problem is there's no direction from MS or Okta on what to choose for the SCP.

I believe that is why I see the error log in my original post.

It gives me two options:

  • ourdomain.okta.com
  • Azure Active Directory

I wonder if I should choose "Azure Active Directory" instead of ourdomain.okta.com?

Check my response to your thread in the Azure AD community: https://techcommunity.microsoft.com/t5/azure-active-directory/hybrid-ad-join-with-okta-scp-possible-...

Let me know if you have any questions!
Moe