Hybrid AAD Join with non-routable UPNs on onpremise AD

Iron Contributor

Does Hybrid AAD Join support non-routable UPNs on local AD? The issue: all requirements for hybrid AAS Join are met except of routable UPNs on on-prem AD (no SF). Effect: device state is changing to Hybrid but devices don’t enroll automatically to Intune MDM (GPO in place). Are routable UPNs required to enroll to MDM?

AzureAdJoined : YES
EnterpriseJoined : NO
DomainJoined : YES
IsDeviceJoined : YES

IsUserAzureAD : NO
PolicyEnabled : NO
PostLogonEnabled : YES
DeviceEligible : NO
SessionIsNotRemote : YES
CertEnrollment : none
PreReqResult : WillNotProvision
@Michael Niehaus- any idea what's wrong with the enrollment?
8 Replies
If the user is user@onmicrosoft.xyz.com, the answer, You can’t enroll it with GPO because it needs CNAME record in your DNS registrar to redirects enrollment requests to Intune servers. Otherwise, users trying to connect to Intune must enter the Intune server name during enrollment.

Hope this helps!
Moe

https://docs.microsoft.com/en-us/mem/intune/enrollment/windows-enroll

@Moe_KinaniHi Moe, thanks for reply.

This requirement is met, domain on AAD is configured properly (all green). The user name on AAD includes the verified domain BUT on AD the UPN doesn't include a routable domain. The AD Connect synchronizes the identities. All this works well. Only MDM enrollment doesn't happen.

As mentioned, this piece not going to work because the domain in not routable. Primary UPN/ ProxyAddress attribute needs to match the verified domain so Intune can can validate the request.

If xyz.com is verified domain->The synced user needs to be user@xyz.com, primary upn NOT alias.

Moe

@Moe_Kinani i can confirm that the only solution is to change all the on prem AD UPN's to a routable domain. 

Thanks, Moe, for clarification. The docs are not clear enough - as devices are going to the hybrid state but MDM enrollment will not happen. Thanks again!
Thanks, Th ms Vrhydn, when two guys are saying the same it must be truth!

@Red Flag 
I know it is too late for your query (approx. 3 months late), but for future researchers:
It is possible to achieve Hybrid Join with non-routable UPN, as long as you can deploy ADFS as your authentiation method.

Source (look at the table on the end of this link):  https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan

Regards,
Rodrigo Dias

Hi @Rodrigo30Horas thanks, you'r right. However ADFS in my case is not on option. We try to simplify and modernize rather than go an opposite way - which ADFS would actually mean. Thanks for highlighting this method.