Controlled validation of hybrid Azure AD join

Stuart King · ‎Mar 25 2020

Hi All

Not sure if this should be here or in the Azure AD section.

I'm looking to implement a Controlled validation of Hybrid Azure AD Join / Auto enrollment in Intune via GPO, using the MS guide below as a reference:

https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-control

My questions are:

Do I set the GPO to my test deployment OU
Do I simply remove the GPO from my test deployment OU on successful testing

Would like to hear from anyone who has implemented this

Regards

Thijs Lecomte · ‎Mar 27 2020

From my experience, I just create registry keys and assign them to the devices.

If you are done testing, would you like to remove these devices from AAD/Intune or add all devices to AAD?

Stuart King · ‎Mar 27 2020

@Thijs Lecomte

Hi Buddy

What I would like to do is:

Hybrid Azure AD Join my devices in my TEST / PILOT / UAT group only
Once successful
Apply to the whole on-premise AD domain / devices

Regards

Thijs Lecomte · ‎Mar 27 2020

@Stuart King

This is the way I do it:

- Create GPO with registry edits and apply to test OU

- If succesfull, delete GPO

- Assign domain wide policy through AAD connect (https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-managed-domains)

BTW: best make sure all the computers are W10 1803 in order to avoid dual state (https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan#review-cont...)

Stuart King · ‎Mar 28 2020

@Thijs Lecomte

Hi Buddy

So the process would be:

Controlled Hybrid Azure AD Join on Test OU
Then once successful
Configure AADC

In essence, DO NOT TOUCH AADC until Controlled Hybrid Azure AD Join is verified OK?

Regards

Thijs Lecomte · ‎Mar 30 2020

@Stuart King that's correct :)

let me know how it goes!

Stuart King · ‎Apr 06 2020

@Thijs Lecomte

Sorry, I did mention before about applying the Controlled Hybrid GPO to the test OU BEFORE touching AADC, but I assume the TEST OU must be included in the AADC sync with the syncing of devices as per below?

Thijs Lecomte · ‎Apr 06 2020

Yes, the OU needs to be sync'ed

This doesn't enable Hybrid join by itself

Stuart King · ‎Apr 06 2020

@Thijs Lecomte

Do the devices need to be in a group or is the OU sufficient for the Controlled Hybrid test?

Regards

Thijs Lecomte · ‎Apr 06 2020

Dependant on how you configure the GPO
If you put the GPO on a OU, than a OU is sufficient

Stuart King · ‎Apr 06 2020

@Thijs Lecomte

Excellent thanks, testing now.

Stuart King · ‎Apr 06 2020

@Thijs Lecomte

Applied GPO to OU and OU to sync, still no device in AAD.

Am I missing something?

Thijs Lecomte · ‎Apr 06 2020

@Stuart King

Could you troubleshoot it using this article? https://365bythijs.be/2019/11/02/troubleshooting-hybrid-azure-ad-join/

Controlled validation of hybrid Azure AD join

Controlled validation of hybrid Azure AD join

Re: Controlled validation of hybrid Azure AD join

Re: Controlled validation of hybrid Azure AD join

Re: Controlled validation of hybrid Azure AD join

Re: Controlled validation of hybrid Azure AD join

Re: Controlled validation of hybrid Azure AD join

Re: Controlled validation of hybrid Azure AD join

Re: Controlled validation of hybrid Azure AD join

Re: Controlled validation of hybrid Azure AD join

Re: Controlled validation of hybrid Azure AD join

Re: Controlled validation of hybrid Azure AD join

Re: Controlled validation of hybrid Azure AD join

Re: Controlled validation of hybrid Azure AD join

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

Controlled validation of hybrid Azure AD join