Intune enrollment creates new Azure AD object

RNalivaika · ‎Aug 03 2021

Hi, we have Azure AD Hybrid joined devices, we want to enroll them to Intune. Upon testing with a subset of devices, we observe that intune enrolled devices become duplicates with their own/new object ID. Is this by design, or some configuration issue? See sample screenshot belov. Ruslan

Henrixx · ‎Aug 03 2021

@RNalivaika launch dsregcmd /status on one of the clients and take a look for the PRT (primary refresh token). Also, are you scoping users for auto enrollment? As soon as you HAADJ devices and use the WPJ options for the intune enrollment, this issue may happen. We encountered the same.

Rudy_Ooms_MVP · ‎Aug 03 2021

Hi, how long did you wait after you have noticed this? I have seen it in the past a couple times but the next day the were somehow "merged"

RNalivaika · ‎Aug 03 2021

@Henrixx do you mean this PRT?
AzureAdPrt : YES
AzureAdPrtUpdateTime : 2021-08-03 18:25:21.000 UTC
AzureAdPrtExpiryTime : 2021-08-17 18:25:30.000 UTC
AzureAdPrtAuthority : https://login.microsoftonline.com/f4b9822c-3c52-41ba-85d0-c9fc9ef75aa9
EnterprisePrt : NO

We use MDM user scope with a group containing the pilot users who use the machines we want to enroll.

RNalivaika · ‎Aug 03 2021

we've waited for 6 days now, but the devices are still duplicate.. I've heard before about devices merging after a day or two, I wonder what triggers it or what can cause the merging fail...

Henrixx · ‎Aug 04 2021

Thanks, so you got the PRT - thats good.
Next, lets check some additional questions:
- how do you perform the HAADJ? Manually or using a GPO? -if a GPO is used, are you using MDM (Device Credentials or User Credentials)?
- I guess you are using mail as UPN?
- If you check Intune, do you see these devices as corp enrolled or personal enrolled?
- What OS are you on? especially the PCs you use for the pilot?

RNalivaika · ‎Aug 04 2021

@Henrixx thanks for following up. Devices are HAAD joined using Azure AD Connect device sync.

Yes, UPN used for login to O365 is the same as primary SMTP.

In intune, these devices first appear as personal, I change them to corporate owned. This is probably because pilot users enrolled them using logon to work or school.

We are on Windows 10 20H2 and 21H1. BR- Ruslan

Henrixx · ‎Aug 04 2021

the AAD connect will only create the Object in AAD. Its sitting in a pending status until you tell the Computer to do the hybrid join. Through GPO or dsregcmd /join command.

The second info, is kinda what I referred to regarding mdm auto enrollment. Using Work or school account will just cause what you are experiencing right now. There is a chance that the objects in AAD will merge themselves over a couple days, but doesnt have to, and there is no way you can force that.

christian_capellan · ‎Dec 01 2021

Was this issue ever resolved? I'm having a similar issue where the Azure AD registered device is duplicated when the user enrolls into MDM. What's worse is that the device identifies as the non-compliant registered instance instead of the MDM enrolled object, so conditional access doesn't work.

RNalivaika · ‎Dec 06 2021

I never got that resolved, so still using sccm instead of intune...

Intune enrollment creates new Azure AD object

Intune enrollment creates new Azure AD object

Re: Intune enrollment creates new Azure AD object

Re: Intune enrollment creates new Azure AD object

Re: Intune enrollment creates new Azure AD object

Re: Intune enrollment creates new Azure AD object

Re: Intune enrollment creates new Azure AD object

Re: Intune enrollment creates new Azure AD object

Re: Intune enrollment creates new Azure AD object

Re: Intune enrollment creates new Azure AD object

Re: Intune enrollment creates new Azure AD object

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

Intune enrollment creates new Azure AD object