Hybrid Azure AD Join (with ADFS present) question about SCP
LainRobertson hey Lain, thanks for the reply... I understand that AAD Connect is the one doing the syncing, not ADFS. What I wanted to clarify is this statement from Microsoft below regarding managing stale hybrid domain join devices:
If you have Hybrid Domain Join with ADFS, machines disabled onPrem will not be synced to Azure AD
That's not correct.
What the boxed-in-red part is saying is that if you:
- Do not use AAD Connect; and
- You do not have Windows 10 or newer devices; then
You must manually manage the Azure AD device objects.
This is simply because AAD Connect will only manage Windows 10 or later device objects.
The reference to AD FS is simply acknowledging that it performs an authentication function in environments that have AD FS (even if you don't use AAD Connect), and for which the registered domain is classified as Federated and not Managed.
Here's an illustration of a disabled Windows 10 device in AAD (first command line result) and on-premise (second command line result).
Below, you can see from miisclient.exe (on the AAD Connect host) where and how this is being calculated from on-premise.
Lastly, you can see via the official documentation that this is an intended attribute flow (i.e. not something we've customised).
Attributes synchronized by Azure AD Connect - Microsoft Entra | Microsoft Docs
In short, if your domain is Federated, you operate AAD Connect and have Windows 10 devices, then enabled/disabled should certainly (subject to AAD Connect configuration, scoping, etc.) be synchronising.
Cheers,
Lain
Edited: Re-phrased fourth paragraph to be less ambiguous (hopefully) in its interpretation, plus fixed a typo.
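As an added example (not code from the original post), the following PowerShell check performs the same comparison shown in the two command-line results above for one hybrid-joined Windows 10 or later device, reading the on-premises enabled state and the Azure AD accountEnabled value side by side. It assumes the ActiveDirectory and Microsoft.Graph modules are installed, that Connect-MgGraph has already been run with Device.Read.All, and that the Azure AD deviceId of a hybrid-joined device equals the on-premises computer objectGUID (an assumption to verify in your own miisclient.exe attribute flow).

```powershell
# Added example, not from the original post: compare on-premises AD and Azure AD
# enabled state for a single hybrid Azure AD joined computer.
# Assumptions: ActiveDirectory + Microsoft.Graph modules installed, Connect-MgGraph
# already run with Device.Read.All, and deviceId == on-premises objectGUID.
param([Parameter(Mandatory)][string]$ComputerName)

Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Identity.DirectoryManagement

# On-premises side: "Enabled" is the inverse of the ACCOUNTDISABLE bit (0x2)
# in userAccountControl, which is what AAD Connect reads to populate accountEnabled.
$onPrem = Get-ADComputer -Identity $ComputerName -Properties userAccountControl
$onPremEnabled = -not [bool]($onPrem.userAccountControl -band 0x2)

# Cloud side: look the device up by deviceId (assumed to be the on-premises objectGUID).
$cloud = Get-MgDevice -Filter "deviceId eq '$($onPrem.ObjectGUID)'"
if (-not $cloud) {
    Write-Warning "No Azure AD device object found for $ComputerName (not synced, or scoped out?)"
    return
}

# Report both sides; InSync = $false means the disable has not flowed (or sync has not run yet).
[PSCustomObject]@{
    ComputerName  = $ComputerName
    OnPremEnabled = $onPremEnabled
    CloudEnabled  = $cloud.AccountEnabled
    TrustType     = $cloud.TrustType      # expect "ServerAd" for hybrid-joined devices
    InSync        = ($onPremEnabled -eq $cloud.AccountEnabled)
}
```

A mismatch immediately after disabling the on-premises object is normal until the next AAD Connect sync cycle completes; a persistent mismatch points at scoping or attribute-flow configuration rather than at AD FS.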