Aug 05 2020 02:17 PM
Does Hybrid AAD Join support non-routable UPNs on local AD? The issue: all requirements for Hybrid AAD Join are met except for routable UPNs on on-prem AD (no SF). Effect: device state is changing to Hybrid, but devices don't enroll automatically to Intune MDM (GPO in place). Are routable UPNs required to enroll to MDM?
Aug 06 2020 03:48 AM
@Moe_Kinani Hi Moe, thanks for the reply.
This requirement is met, domain on AAD is configured properly (all green). The user name on AAD includes the verified domain BUT on AD the UPN doesn't include a routable domain. The AD Connect synchronizes the identities. All this works well. Only MDM enrollment doesn't happen.
Aug 06 2020 01:07 PM
@Moe_Kinani I can confirm that the only solution is to change all the on-prem AD UPNs to a routable domain.
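The remediation the reply above describes is a UPN-suffix change on every affected on-prem account. As an added example (not code from this thread or from Microsoft), the script below finds accounts whose UPN suffix is not among the domains verified in Azure AD and builds a preview of the rename. The suffix names `corp.local` and `contoso.com`, the verified-domain list, and the sample user objects are all constructed assumptions; in a real run the users come from `Get-ADUser` and the change is applied with `Set-ADUser`.

```powershell
# Added example (not from the thread): find on-prem AD users whose UPN suffix
# is not a domain verified in Azure AD, and preview the rename to a routable suffix.
# Assumptions (hypothetical): 'corp.local' is the non-routable on-prem suffix,
# 'contoso.com' is the verified Azure AD domain. $sampleUsers is constructed data.

$VerifiedDomains = @('contoso.com')   # copy from Azure AD > Custom domain names (verified only)
$TargetSuffix    = 'contoso.com'      # routable suffix to move users to; must also be
                                      # added as a UPN suffix in AD Domains and Trusts

function Get-UpnSuffix {
    param([string]$Upn)
    # Return the part after '@', lower-cased; $null when the account has no UPN at all.
    if ($Upn -match '^[^@]+@(.+)$') { return $Matches[1].ToLowerInvariant() }
    return $null
}

function Test-RoutableUpn {
    param([string]$Upn, [string[]]$Verified)
    $suffix = Get-UpnSuffix $Upn
    return ($null -ne $suffix) -and ($Verified -contains $suffix)
}

function Get-UpnRemediationPlan {
    param([object[]]$Users, [string[]]$Verified, [string]$Target)
    foreach ($u in $Users) {
        $routable = Test-RoutableUpn -Upn $u.UserPrincipalName -Verified $Verified
        # Proposed UPN keeps the existing prefix when there is one, else falls back to
        # sAMAccountName. Check for collisions with existing mail/UPN values before applying.
        $prefix = if ($u.UserPrincipalName) { ($u.UserPrincipalName -split '@')[0] } else { $u.SamAccountName }
        $proposed = if ($routable) { $u.UserPrincipalName } else { "$prefix@$Target" }
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            CurrentUpn     = $u.UserPrincipalName
            Routable       = $routable
            ProposedUpn    = $proposed
        }
    }
}

# Constructed sample; in production replace with:
#   $users = Get-ADUser -Filter * -Properties UserPrincipalName
$sampleUsers = @(
    [pscustomobject]@{ SamAccountName = 'alice'; UserPrincipalName = 'alice@corp.local' }
    [pscustomobject]@{ SamAccountName = 'bob';   UserPrincipalName = 'bob@contoso.com' }
    [pscustomobject]@{ SamAccountName = 'svc1';  UserPrincipalName = $null }
)

$plan = Get-UpnRemediationPlan -Users $sampleUsers -Verified $VerifiedDomains -Target $TargetSuffix
$plan | Format-Table -AutoSize

# Apply with -WhatIf first; remove it only after the plan has been reviewed.
# $plan | Where-Object { -not $_.Routable } | ForEach-Object {
#     Set-ADUser -Identity $_.SamAccountName -UserPrincipalName $_.ProposedUpn -WhatIf
# }
```

Run the preview before touching anything: accounts with no UPN at all (service accounts are a common case) and prefixes that would collide after the suffix swap need a decision per account rather than a blanket rename. Once `Set-ADUser` is applied, the new UPN reaches Azure AD on the next AAD Connect sync cycle.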
Sep 24 2020 07:01 AM
@Red Flag
I know it is too late for your query (approx. 3 months late), but for future researchers:
It is possible to achieve Hybrid Join with a non-routable UPN, as long as you can deploy ADFS as your authentication method.
Source (look at the table at the end of this link): https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan
Regards,
Rodrigo Dias
Sep 24 2020 07:10 AM
Hi @Rodrigo30Horas thanks, you're right. However, ADFS in my case is not an option. We try to simplify and modernize rather than go the opposite way, which ADFS would actually mean. Thanks for highlighting this method.