Forum Discussion

Red Flag's avatar
Red Flag
Iron Contributor
Aug 05, 2020

Hybrid AAD Join with non-routable UPNs on onpremise AD

Does Hybrid AAD Join support non-routable UPNs on local AD? The issue: all requirements for hybrid AAS Join are met except of routable UPNs on on-prem AD (no SF). Effect: device state is changing to ...
Intune
Mobile Device Management (MDM)
Red Flag's avatar
Red Flag
Iron Contributor

Moe_KinaniHi Moe, thanks for reply.

This requirement is met, domain on AAD is configured properly (all green). The user name on AAD includes the verified domain BUT on AD the UPN doesn't include a routable domain. The AD Connect synchronizes the identities. All this works well. Only MDM enrollment doesn't happen.

Moe_Kinani's avatar
Moe_Kinani
Bronze Contributor
Aug 06, 2020
As mentioned, this piece not going to work because the domain in not routable. Primary UPN/ ProxyAddress attribute needs to match the verified domain so Intune can can validate the request.

If xyz.com is verified domain->The synced user needs to be user@xyz.com, primary upn NOT alias.

Moe
  • Th ms Vrhydn's avatar
    Th ms Vrhydn
    Copper Contributor
    Aug 06, 2020

    Moe_Kinani i can confirm that the only solution is to change all the on prem AD UPN's to a routable domain. 

    • Red Flag's avatar
      Red Flag
      Iron Contributor
      Aug 06, 2020
      Thanks, Th ms Vrhydn, when two guys are saying the same it must be truth!
  • Red Flag's avatar
    Red Flag
    Iron Contributor
    Aug 06, 2020
    Thanks, Moe, for clarification. The docs are not clear enough - as devices are going to the hybrid state but MDM enrollment will not happen. Thanks again!

Resources