Microsoft Tech Community

Issue after sync with Azure AD Connect

Brass Contributor

Hello,

I'm trying to do some experiments with Azure AD Connect and found some issues, and I'd like to get some suggestions from other experienced people on how to manage them.

The first thing I noticed is with the registered devices: I simulated my organization, so I created some virtual machines where I installed Office desktop apps and Teams; the devices are seen in AAD as Azure AD Registered; then I did the sync of the devices from AD; I have an OU with our org accounts inside, so I have, for example, an inner Management OU with management user accounts; inside the Management OU I have an OU called Management Computers where the management's devices are; I synced them and then enabled Hybrid Join in Azure AD Connect.

I've seen that the devices have been registered as Hybrid Joined, but I have a situation where there are duplicated devices; every system runs a Windows 10 version greater than 1803; I waited 2 days but nothing happened: I read that some people deleted the Azure AD registered one, but I have also read that people have experienced issues doing so.

Another question: I synced my users and it seemed all was ok, so I saw in AAD Users -> All Users the parameter "Directory synced" set to Yes; after some delta syncs I saw that a user that had been synced no longer had Yes on that parameter, and a new user with that parameter was created; I deleted it and did a sync, but on the old user I can't see that directory sync is true again: how do I resolve this issue?

Apart from these problems, I'd like a suggestion on how to proceed when I have to sync real data; as I said previously, I have nested OUs with users and their computers, but I don't want to sync all the users together; for example, I thought to sync first the OU Managers (and their devices), then Marketing (and their computers) and so on: do you think this is an acceptable approach or do I have to change it?

Any help is very appreciated.

9 Replies

@Marco Mangiante 

Hello Marco,
It would be great to see the configuration of your AD Connect. (a screenshot would be enough)
Regarding the syncing of your users, you have filters in the AD Connect configuration wizard: Select the domains to be synchronized using the Azure AD Connect wizard

Look at the picture inside the link I've provided. Domain and OU filtering -> Sync selected domains and OUs.

Regarding your first question:
You will experience tons of AAD-registered devices in AAD over the time.
If some device is not used for a specific timeframe it becomes "stale".
Even if the status changed to HAAD, the old entry is not just altered, but a new device entry is created and the old one remains.
You have to get rid of them with maintenance tasks.

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/devices/manage-stale-devices

Hello @mikhailf

I have something like this in AD:

[screenshot: AD Connect #1.png]

and in Azure AD Connect, in Domain and OU filtering, I have configured this:

[screenshot: AD Connect #2.png]

In Azure AD All Devices I see this:

[screenshot: AD Connect #3.png]

I replicated in the test environment what I have in my company AD; in Azure AD I also replicated the status quo, with all devices Azure AD Registered (because we have Office desktop apps on them); I suppose I have the behaviour in the screenshot because I did a first sync without the OU where I have the computers, and then added them to the sync; what I expected, even with these 2 steps, was to have, after some time, only one notebook per user and with hybrid registration; I can't disable the Azure AD Registered ones because I've seen that the apps on them become unusable.

Hope to have clarified.

Hello @aexlz

ok, I understood this, but it seems that the hybrid ones have not got rid of the Azure AD registered ones, so if I disable one of them, I can't use the apps on them because I can't access them with the user and password of 365.

@Marco Mangiante 

Hello Marco,

It is expected behavior. When you added a device for the first time, it was registered. Then you reconfigured it and it became Hybrid Azure AD Joined. AAD sees this device as a new one with a new ObjectID (DeviceID) in Azure. Because of that ObjectID (DeviceID), you see two devices with the same name.
You have "Columns" in the upper panel. Click on it and look for "Last Activity" or "Last Check-in"; thereby you will be able to see which devices are in use and which are not. I assume that the registered devices will not be in use. When you have ensured that the registered devices are not in use (not connecting to AAD) you can remove them.
I removed Registered devices several times and didn't have any issues with them. You can check this article to find out more about the Registered to Hybrid Azure AD Joined change: Handling devices with Azure AD registered state

"Any existing Azure AD registered state for a user would be automatically removed after the device is hybrid Azure AD joined and the same user logs in."

I hope this helps you.

It is good that it's a lab environment. You can try everything :) 
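The duplicate-entry situation described in this thread (one Azure AD registered object and one Hybrid Azure AD joined object with the same display name, told apart by their ObjectID and last activity) can be reported on before any manual cleanup. The following script is an added example, not code from the thread or from Microsoft; it assumes the Microsoft Graph PowerShell SDK is installed and the signed-in account has the Device.Read.All permission. It only reads and reports, it deletes nothing.

```powershell
# Added example: list device names that have both a Hybrid Azure AD joined
# entry (trustType ServerAd) and an Azure AD registered entry (trustType
# Workplace), with the last sign-in of each so stale registered copies can be
# identified before cleanup. Assumes Microsoft.Graph SDK and Device.Read.All.
Connect-MgGraph -Scopes "Device.Read.All"

# Only the properties needed for the report; -All pages through every device
$devices = Get-MgDevice -All -Property id, displayName, deviceId, trustType,
    approximateLastSignInDateTime, accountEnabled

# Registered copy with no sign-in in this many days is flagged as stale
$staleAfterDays = 90
$staleCutoff    = (Get-Date).AddDays(-$staleAfterDays)

$report = $devices |
    Group-Object -Property DisplayName |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        $name       = $_.Name
        $hybrid     = @($_.Group | Where-Object { $_.TrustType -eq 'ServerAd' })
        $registered = @($_.Group | Where-Object { $_.TrustType -eq 'Workplace' })
        # Report only the duplicate pattern the thread describes
        if ($hybrid.Count -gt 0 -and $registered.Count -gt 0) {
            $h = $hybrid[0]
            foreach ($r in $registered) {
                $lastSeen = $r.ApproximateLastSignInDateTime
                [pscustomobject]@{
                    DisplayName          = $name
                    HybridObjectId       = $h.Id
                    HybridLastSignIn     = $h.ApproximateLastSignInDateTime
                    RegisteredObjectId   = $r.Id
                    RegisteredDeviceId   = $r.DeviceId
                    RegisteredEnabled    = $r.AccountEnabled
                    RegisteredLastSignIn = $lastSeen
                    RegisteredStale      = (-not $lastSeen) -or ($lastSeen -lt $staleCutoff)
                }
            }
        }
    }

$report | Sort-Object DisplayName | Format-Table -AutoSize
```

Rows where RegisteredLastSignIn keeps advancing alongside the hybrid entry (the behaviour reported later in this thread) are exactly the ones not to treat as stale without first checking the client with dsregcmd /status.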

Hello @mikhailf

thanks for your reply. I read that article when I started my experiments and interpreted those words as an automatic cancellation of the device, after some time, from the list; I say this because in my first lab I obtained this result, but the difference is that in my first iteration I synced the OU with the computers at the start together with the other data and objects, and also checked the password hash sync option, but I suppose this is not relevant for the devices.

From what I've seen, the Registered and Activity columns have, for the Azure AD Registered devices, the date when I created the devices for my test and installed the Office apps (and Teams), while the hybrid counterpart has the date of ingestion; I noticed 2 things: the ingestion was 6 May and from that date I can't see any update date, while I accessed the devices, and also, as I said in my previous post, if I disable my Azure AD Registered device, I can't use the Office apps; I ran the command dsregcmd /status but it seems that I have no errors.

What I expected was that the Azure AD Registered devices disappeared automatically, or, like in your case, that I had the possibility to delete them without any issue.

 

Thanks.

Hello @mikhailf and other,

I left my lab for some time without any action; now I loaded the AAD portal devices page and found that every device has an activity near the day I'm writing this message, so, for example, for my test client I have an activity for the Azure AD Registered and also for the Hybrid counterpart; I expected that, after the device was ingested and became Hybrid registered, I would have no activity on the AAD registered item.

I tried to disable the AAD registered device, but after having restarted it, I can't use Teams and Office: how can I solve the issue? I can't have and start a production environment where I have duplicated clients and can't disable the AAD registered ones; I read the documentation but it seems that what is written sometimes doesn't happen.

I attach a screenshot: DeviceRegistrationAAD.png

What am I not understanding or doing wrong?

Hello @Marco Mangiante ,

 

Could you please remind me if it is possible to re-enroll this device? 

I mean to remove it from Intune, Azure AD, Disconnect it on the workstation side and then to do everything from the beginning? 

I think this would be the best way.

Hello @mikhailf 

I didn't quite understand your reply; at this time, I have no clients enrolled in Intune; also, I don't know if it is possible to do an Azure AD disconnect on the workstations... and even if it were possible, I can't do it workstation by workstation.