cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Hybrid AAD Join with non-routable UPNs on onpremise AD

Red Flag
Iron Contributor

‎Aug 05 2020 02:17 PM

‎Aug 05 2020 02:17 PM

Hybrid AAD Join with non-routable UPNs on onpremise AD

Does Hybrid AAD Join support non-routable UPNs on local AD? The issue: all requirements for hybrid AAS Join are met except of routable UPNs on on-prem AD (no SF). Effect: device state is changing to Hybrid but devices don’t enroll automatically to Intune MDM (GPO in place). Are routable UPNs required to enroll to MDM?

AzureAdJoined : YES
EnterpriseJoined : NO
DomainJoined : YES
IsDeviceJoined : YES

IsUserAzureAD : NO
PolicyEnabled : NO
PostLogonEnabled : YES
DeviceEligible : NO
SessionIsNotRemote : YES
CertEnrollment : none
PreReqResult : WillNotProvision
@Michael Niehaus- any idea what's wrong with the enrollment?
4,186 Views
0 Likes
8 Replies
Reply
8 Replies
Moe_Kinani

‎Aug 05 2020 09:52 PM

‎Aug 05 2020 09:52 PM

Re: Hybrid AAD Join with non-routable UPNs on onpremise AD

If the user is user@onmicrosoft.xyz.com, the answer, You can’t enroll it with GPO because it needs CNAME record in your DNS registrar to redirects enrollment requests to Intune servers. Otherwise, users trying to connect to Intune must enter the Intune server name during enrollment.

Hope this helps!
Moe

https://docs.microsoft.com/en-us/mem/intune/enrollment/windows-enroll
0 Likes
Reply
Red Flag

‎Aug 06 2020 03:48 AM

‎Aug 06 2020 03:48 AM

Re: Hybrid AAD Join with non-routable UPNs on onpremise AD

@Moe_KinaniHi Moe, thanks for reply.

This requirement is met, domain on AAD is configured properly (all green). The user name on AAD includes the verified domain BUT on AD the UPN doesn't include a routable domain. The AD Connect synchronizes the identities. All this works well. Only MDM enrollment doesn't happen.

0 Likes
Reply
Moe_Kinani

‎Aug 06 2020 04:31 AM

‎Aug 06 2020 04:31 AM

Re: Hybrid AAD Join with non-routable UPNs on onpremise AD

As mentioned, this piece not going to work because the domain in not routable. Primary UPN/ ProxyAddress attribute needs to match the verified domain so Intune can can validate the request.

If xyz.com is verified domain->The synced user needs to be user@xyz.com, primary upn NOT alias.

Moe
1 Like
Reply
Th ms Vrhydn

‎Aug 06 2020 01:07 PM

‎Aug 06 2020 01:07 PM

Re: Hybrid AAD Join with non-routable UPNs on onpremise AD

@Moe_Kinani i can confirm that the only solution is to change all the on prem AD UPN's to a routable domain. 

1 Like
Reply
Red Flag

‎Aug 06 2020 01:24 PM

‎Aug 06 2020 01:24 PM

Re: Hybrid AAD Join with non-routable UPNs on onpremise AD

Thanks, Moe, for clarification. The docs are not clear enough - as devices are going to the hybrid state but MDM enrollment will not happen. Thanks again!
0 Likes
Reply
Red Flag

‎Aug 06 2020 01:28 PM

‎Aug 06 2020 01:28 PM

Re: Hybrid AAD Join with non-routable UPNs on onpremise AD

Thanks, Th ms Vrhydn, when two guys are saying the same it must be truth!
0 Likes
Reply
Rodrigo30Horas

‎Sep 24 2020 07:01 AM

‎Sep 24 2020 07:01 AM

Re: Hybrid AAD Join with non-routable UPNs on onpremise AD

@Red Flag 
I know it is too late for your query (approx. 3 months late), but for future researchers:
It is possible to achieve Hybrid Join with non-routable UPN, as long as you can deploy ADFS as your authentiation method.

Source (look at the table on the end of this link):  https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan

Regards,
Rodrigo Dias

0 Likes
Reply
Red Flag

‎Sep 24 2020 07:10 AM

‎Sep 24 2020 07:10 AM

Re: Hybrid AAD Join with non-routable UPNs on onpremise AD

Hi @Rodrigo30Horas thanks, you'r right. However ADFS in my case is not on option. We try to simplify and modernize rather than go an opposite way - which ADFS would actually mean. Thanks for highlighting this method.

0 Likes
Reply