Can't do Azure AD Hybrid Join - help needed


I am simply trying to get Azure AD Hybrid join to work so I can manage our laptops via Azure InTune.
We have an on-prem AD and we use Okta for our authentication of users to Azure/O365.
The lack of details and support from both vendors is astounding and the only thing holding us back from giving people our money.

I ran the configuration in Azure AD Connect client to do device joining and the SCP page gave me 2 options: ourdomain.okta.com or Azure AD. I chose the Okta one. Nothing else stood out as odd in the wizard.

Thereafter I'm still not sure what to do. I check my computer's event logs and it gives me this error under Applications and Service Logs > Microsoft > Windows > User Device Registration > Admin:

> Automatic registration failed at authentication phase. Unable to acquire access token.
> Exit code: Unknown HResult Error code: 0x801c0515
> Tenant Name: ourdomain.com.com
> Tenant Type: Federated
> Server error:
> AdalMessage: ADALUseWindowsAuthenticationTenant failed, unable to preform integrated auth
> AdalErrorCode: 0x2ee6
> AdalCorrelationId: undefined
> AdalLog: HRESULT: 0x2ee6
> AdalLog: HRESULT: 0x2ee6
> AdalLog: HRESULT: 0x2ee6
> AdalLog: AggregatedTokenRequest::GetAppliesTo: using resource ID "urn:federation:MicrosoftOnline" for authority "https://login.microsoftonline.com/common". ; HRESULT: 0x0
> AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth- received realm info ; HRESULT: 0x0
> AdalLog: HRESULT: 0x4aa90010
> AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth w Tenant ; HRESULT: 0x0
> AdalLog: AggregatedTokenRequest::AcquireToken- returns false ; HRESULT: 0x0
> AdalLog: AggregatedTokenRequest::AcquireToken- refresh token is not available ; HRESULT: 0x0
> AdalLog: AggregatedTokenRequest::AcquireToken get refresh token info ; HRESULT: 0x0
> AdalLog: Authority validation is completed ; HRESULT: 0x0
> AdalLog: Authority validation is enabled ; HRESULT: 0x0
> AdalLog: Token is not available in the cache ; HRESULT: 0x0
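One way to gather the two facts this thread turns on from the client itself: which tenant the on-prem SCP actually advertises, and what the User Device Registration log recorded for the failed attempts. This is an added example, not code from the post or from Microsoft; it assumes a domain-joined Windows host with the RSAT ActiveDirectory module, and the SCP object name and `azureADName:`/`azureADId:` keyword format are the ones Hybrid Join documents, while the regexes only parse the message layout quoted above.

```powershell
# Added example: read the Hybrid Join SCP and recent device-registration failures.
Import-Module ActiveDirectory

function Get-HybridJoinScp {
    # The SCP is a fixed, well-known object under the Configuration naming context.
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $scpDn = "CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,$configNc"
    try {
        $scp = Get-ADObject -Identity $scpDn -Properties keywords -ErrorAction Stop
    } catch {
        return [pscustomobject]@{ Found = $false; TenantName = $null; TenantId = $null }
    }
    # keywords carries "azureADName:<verified domain>" and "azureADId:<tenant guid>".
    $name = ($scp.keywords | Where-Object { $_ -like 'azureADName:*' }) -replace '^azureADName:', ''
    $id   = ($scp.keywords | Where-Object { $_ -like 'azureADId:*' })   -replace '^azureADId:', ''
    [pscustomobject]@{ Found = $true; TenantName = $name; TenantId = $id }
}

function Get-DeviceRegistrationFailures {
    param([int]$MaxEvents = 20)
    # Same channel the post quotes: Applications and Services Logs > Microsoft > Windows
    # > User Device Registration > Admin. Level 2 = Error.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-User Device Registration/Admin'
        Level   = 2
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Automatic registration failed' } |
    ForEach-Object {
        $m = $_.Message
        [pscustomobject]@{
            Time       = $_.TimeCreated
            EventId    = $_.Id
            ExitCode   = [regex]::Match($m, 'Error code:\s*(0x[0-9A-Fa-f]+)').Groups[1].Value
            TenantName = [regex]::Match($m, 'Tenant Name:\s*(\S+)').Groups[1].Value
            TenantType = [regex]::Match($m, 'Tenant Type:\s*(\S+)').Groups[1].Value
        }
    }
}

# Put the SCP tenant beside what the client saw, so a mismatch is obvious at a glance.
Get-HybridJoinScp | Format-List
Get-DeviceRegistrationFailures | Format-Table -AutoSize
```

Compare the SCP's TenantName with the Tenant Name in the failure events and with what `dsregcmd /status` reports; the three should agree before looking at the federation side.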

Hi John,

Do you have AD Connect configured in your environment? You need to sync your users/ PCs from AD Connect so you can have them Hybrid Joined.

I don’t use Okta; is there a limitation that you can’t use AD Connect with Okta at the same time?

Hope this helps!
Moe

Hi @Moe_Kinani ,

Yes I've got the AD Connect in the environment. 

Problem is there's no direction from MS or Okta on what to choose for the SCP.

I believe that is why I see the error log in my original post. 

It gives me two options:

  • ourdomain.okta.com
  • Azure Active Directory

I wonder if I should choose "Azure Active Directory" instead of ourdomain.okta.com??

[Screenshot: Jgq85_0-1593487349998.png]

Check my response to your thread in the Azure AD community:

Let me know if you have any questions!
Moe

https://techcommunity.microsoft.com/t5/azure-active-directory/hybrid-ad-join-with-okta-scp-possible-...