Troubleshooting hybrid Azure AD errors during Windows 365 Cloud PC provisioning
Published Aug 03 2021 09:00 AM 15.7K Views

With Windows 365, you can automatically provision Windows virtual machines (Cloud PCs) and manage them alongside your organization’s other devices in Microsoft Endpoint Manager. A prerequisite for using Cloud PCs is that the devices must be hybrid Azure Active Directory (Azure AD) joined.

Some organizations may need to configure new hybrid Azure AD environments to accommodate Cloud PCs, while others can utilize their existing hybrid Azure AD environments to connect their on-premises resources and cloud-based services. If you have an existing environment, you may need to modify your hybrid Azure AD configuration to successfully provision Cloud PCs.

This article outlines scenarios and troubleshooting guidance for provisioning failures related to hybrid Azure AD. When encountering these scenarios, you’ll see an error message similar to the following screenshot:

StevenDeQuincey_7-1628005637961.png

Note: This article applies only to hybrid Azure AD joined devices, which is a requirement for Cloud PC. Azure AD join support is not yet available for Cloud PC.

Scenario 1: The SCP record is missing.

Azure AD Connect synchronizes computer objects. The computer knows which Azure AD domain to register with by looking for a service connection point (SCP) object in Active Directory. You can find these in the ADSI Edit tool, under Configuration > Services > Device Registration Configuration. You will see a GUID and in that record a multistring value with your Azure AD tenant name and GUID.

StevenDeQuincey_8-1628005637979.png

If they are missing, you can create them with Azure AD Connect during the hybrid configuration process.

StevenDeQuincey_9-1628005637994.png

There may be scenarios where you only want specific computers from an individual organizational unit (OU) to perform hybrid Azure AD join. To do this, skip the SCP record creation and instead create a custom Group Policy Object (GPO) and link it to the OU in which your Cloud PC is located. In the GPO, you will need to create two registry keys with the value names TenantId and TenantName, as shown in the following example.

StevenDeQuincey_10-1628005637998.png

For more details on this method, see Controlled validation of hybrid Azure AD join.

Scenario 2: The OU that you added your Cloud PCs to isn’t in the scope of your Azure AD Connect synchronization.

If you created a new OU for your Cloud PCs, it may not be included yet. As a result, you'll need to go back into Azure AD Connect and include it in the synchronization rules. For detailed instructions, see Customize an installation of Azure AD Connect.

StevenDeQuincey_11-1628005638004.png

Scenario 3: Azure AD synchronization and replication cause delays.

The Cloud PC provisioning process times out after 90 minutes, and your environment might be configured to introduce unwanted delays. Let’s discuss two scenarios where this occurs: synchronization and replication.

Azure AD synchronization interval

The default Azure AD Connect sync interval is every 30 minutes. The time it takes to complete the synchronization process depends on the number of objects Azure AD Connect is processing.

To prevent your Cloud PCs from timing out, you need to make sure that sync interval and sync time are, combined, less than 90 minutes. First, confirm that your sync service is running and that its interval hasn’t been extended, for example, to every two hours. For instructions, see Azure AD Connect sync: Scheduler. Next, if you are synchronizing a lot of objects, review this document to learn how to optimize your  environment: Factors influencing the performance of Azure AD Connect.

Active Directory Domain Services inter-site replication

Consider this Active Directory Domain Services (AD DS) topology. We have a domain controller in one site running Azure AD Connect, and a domain controller in a different site that the Cloud PC provisioning service uses to create computer objects.

StevenDeQuincey_12-1628005638011.png

In the previous point, we explained that the Azure AD Connect sync interval and synchronization time need to complete before Cloud PC provisioning times out (90 minutes). This scenario adds an additional time to consider: the inter-site replication time for the domain. The default for this is 15 minutes, which, if added to the total possible time for computer objects to appear in AD DS and then in Azure AD, creates a new total time of one hour.

StevenDeQuincey_13-1628005638013.png

This is the theoretical maximum time, and not applicable to every organization, however we have seen examples of long inter-site replication times causing time out issues. The takeaway is that if you have long-running sync times due to size and complexity, try to minimize any other possible delays. With modern connectivity, there isn’t often a reason to limit inter-site sync intervals, so you might want to consider setting replication to the default 15 minutes.

Summary

With hybrid Azure AD join, you can secure access to your Cloud PCs and manage them along with other devices in your organization. Once your hybrid Azure AD configuration is set up to accommodate Cloud PCs, your resources will provision without any issues. If you’ve had other challenges with hybrid Azure AD and your Cloud PCs, please add a comment below.

2 Comments
Co-Authors
Version history
Last update:
‎Feb 01 2023 06:22 PM
Updated by: