Forum Discussion
Red Flag
Aug 05, 2020
Iron Contributor
Hybrid AAD Join with non-routable UPNs on onpremise AD
Does Hybrid AAD Join support non-routable UPNs on local AD? The issue: all requirements for Hybrid AAD Join are met except routable UPNs on on-prem AD (no SF). Effect: device state is changing to ...
Moe_Kinani
Bronze Contributor
If the user is user@onmicrosoft.xyz.com, the answer: you can’t enroll it with GPO because it needs a CNAME record in your DNS registrar to redirect enrollment requests to the Intune servers. Otherwise, users trying to connect to Intune must enter the Intune server name during enrollment.
Hope this helps!
Moe
https://docs.microsoft.com/en-us/mem/intune/enrollment/windows-enroll
Red Flag
Aug 06, 2020
Iron Contributor
Moe_Kinani Hi Moe, thanks for the reply.
This requirement is met, domain on AAD is configured properly (all green). The user name on AAD includes the verified domain BUT on AD the UPN doesn't include a routable domain. The AD Connect synchronizes the identities. All this works well. Only MDM enrollment doesn't happen.
- Moe_Kinani
Aug 06, 2020
Bronze Contributor
As mentioned, this piece is not going to work because the domain is not routable. The primary UPN/ProxyAddress attribute needs to match the verified domain so Intune can validate the request.
If xyz.com is the verified domain -> the synced user needs to be user@xyz.com as the primary UPN, NOT an alias.
Moe
- Th ms Vrhydn
Aug 06, 2020
Copper Contributor
Moe_Kinani I can confirm that the only solution is to change all the on-prem AD UPNs to a routable domain.
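An added example (not code from any poster in this thread or from Microsoft) that turns the point made by Moe_Kinani and Th ms Vrhydn into an audit: it lists the on-prem AD users whose primary UPN suffix is not one of the Azure AD verified domains, flags those that only carry a routable address as a proxy alias, and can optionally rewrite the suffix. The list of verified domains is assumed to be supplied by the admin, and the -Fix and -NewSuffix parameters are hypothetical names chosen for this example.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not code from the thread or from Microsoft). Lists on-prem AD
# users whose primary UPN suffix is not an Azure AD verified domain: those are
# the accounts for which hybrid join completes but MDM enrollment never happens.
# Assumptions: $VerifiedDomains is supplied by the admin; -Fix and -NewSuffix
# are hypothetical parameters added for this example.
param(
    [Parameter(Mandatory)] [string[]] $VerifiedDomains,   # e.g. 'xyz.com'
    [string] $SearchBase = (Get-ADDomain).DistinguishedName,
    [string] $NewSuffix,                                  # routable suffix applied with -Fix
    [switch] $Fix
)
$verified = $VerifiedDomains | ForEach-Object { $_.ToLowerInvariant() }
# Only enabled accounts with a UPN; disabled accounts do not enroll devices.
$users = Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
            -Properties UserPrincipalName, proxyAddresses
$report = foreach ($u in $users) {
    if (-not $u.UserPrincipalName) { continue }
    $suffix = ($u.UserPrincipalName -split '@')[-1].ToLowerInvariant()
    if ($verified -contains $suffix) { continue }          # already routable
    # A routable address that exists only as a proxy alias is not enough:
    # as the thread says, the primary UPN itself must match.
    $aliasSuffix = @($u.proxyAddresses) |
        Where-Object { $_ -match '^smtp:' } |
        ForEach-Object { ($_ -split '@')[-1].ToLowerInvariant() } |
        Where-Object { $verified -contains $_ } | Select-Object -First 1
    [pscustomobject]@{
        SamAccountName    = $u.SamAccountName
        CurrentUPN        = $u.UserPrincipalName
        NonRoutableSuffix = $suffix
        RoutableAliasOnly = [bool]$aliasSuffix
    }
}
$report | Format-Table -AutoSize
if ($Fix) {
    if (-not $NewSuffix -or $verified -notcontains $NewSuffix.ToLowerInvariant()) {
        throw '-NewSuffix must be one of the verified domains.'
    }
    # The suffix has to be registered on the forest before it can be assigned.
    if ((Get-ADForest).UPNSuffixes -notcontains $NewSuffix) {
        Set-ADForest -Identity (Get-ADForest) -UPNSuffixes @{ Add = $NewSuffix }
    }
    foreach ($r in $report) {
        $prefix = ($r.CurrentUPN -split '@')[0]
        # Prompt for each change; the UPN is the user's sign-in name.
        Set-ADUser -Identity $r.SamAccountName -UserPrincipalName "$prefix@$NewSuffix" -Confirm
    }
}
```

Run it once without -Fix to get the report, and check that the chosen new suffix is verified in Azure AD before applying it, since Azure AD Connect will sync the changed UPN on the next cycle.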
- Red Flag
Aug 06, 2020
Iron Contributor
Thanks, Th ms Vrhydn, when two guys are saying the same thing it must be true!
- Red Flag
Aug 06, 2020
Iron Contributor
Thanks, Moe, for the clarification. The docs are not clear enough, as devices are going to the hybrid state but MDM enrollment will not happen. Thanks again!