Hybrid Join Process - Question
Hello all,
I'm looking for information regarding the Hybrid Join process because it is not clear to me. This is what I have:
- Entra Connect syncs what I have under the OU I have specified on its configurations.
- I have joined a new device to on-prem AD, outside that OU, so Entra Connect will not sync the device.
- The device can reach the Microsoft endpoints (Network connectivity requirements accomplished)
What happens when Entra Connect does not sync the device but the Automatic Device Join task is triggered? Will it become hybrid joined even without Entra Connect having synced it?
I have read this:
Hybrid join is a process initiated from the device itself and Azure AD. Hybrid Join does not depend on, nor is able to be achieved from Azure AD Connect, though AAD Connect does stage the device in Azure, allowing policies to be more immediately applied and AAD Connect
Is this correct?
So, when Entra Connect syncs the device, is the purpose only to, let's say, provision the device in Entra ID?
If Entra Connect does not sync the device, will Hybrid Join happen no matter what?
The process is documented here: How Microsoft Entra device registration works - Microsoft Entra ID | Microsoft Learn, but I still have doubts 😞
Many thanks!
Best regards,
Ivo Duarte
- Noufalnfl Copper Contributor
Hi Ivo,
In Azure AD Connect, configure device options and configure Hybrid join. If you are targeting hybrid plus MDM, you have to configure Group Policy in your on-prem AD.
- Arne_Tiedemann Copper Contributor
Good morning Ivo,
For Hybrid Join the device needs to know the SCP (Service Connection Point). This configuration is normally done when installing Entra ID Connect, but I do not use it in my deployments, because the SCP will be set in the forest configuration and all devices will read it and will join Entra ID when the device is found in your tenant.
I use this way to deploy the SCP for Organizational Units where I want to do Hybrid Join:
Configure Client side registry for SCP
When does Hybrid join work:
- The Organizational Unit where the devices are located must be selected for synchronization in Entra ID Connect.
- The device reads the SCP, connects to your tenant and writes the AD attribute "userCertificate".
- Then the device will be synchronized to Entra ID.
- Last step, a user signs in to the device with a user that has an Entra ID userPrincipalName.
These are the steps for enabling Hybrid Join of devices.
In this article, you can read the requirements for Entra ID Hybrid join.
I hope this will help 🙂
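The two pieces of the setup described above, as an added PowerShell example that is not part of this thread or of any Microsoft tooling: writing the client-side SCP registry values used for targeted hybrid join, reading the forest-wide SCP that Entra ID Connect normally creates, and checking whether a computer object has received the userCertificate attribute. The tenant ID, tenant name and computer name are placeholders; the SCP container GUID is the fixed one Windows looks for.

```powershell
# Added example, not from the forum post. Requires the ActiveDirectory RSAT module
# for the two AD lookups and an elevated session for the registry write.
# Placeholder values (replace with your own):
$TenantId   = '00000000-0000-0000-0000-000000000000'   # placeholder tenant ID
$TenantName = 'contoso.onmicrosoft.com'                 # placeholder verified domain

function Set-ClientSideScp {
    # Targeted deployment: the Automatic-Device-Join task reads these values
    # when no forest SCP applies, so only machines that receive them (e.g. via GPO
    # scoped to one OU) attempt hybrid join.
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$TenantName
    )
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD'
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name 'TenantId'   -Value $TenantId   -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $path -Name 'TenantName' -Value $TenantName -PropertyType String -Force | Out-Null
    Get-ItemProperty -Path $path | Select-Object TenantId, TenantName
}

function Get-ForestScp {
    # Forest-wide SCP written by Entra ID Connect. Every domain-joined device in the
    # forest reads it, which is why Arne avoids it for selective rollouts.
    Import-Module ActiveDirectory -ErrorAction Stop
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $scpDn = "CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,$configNc"
    $scp = Get-ADObject -Identity $scpDn -Properties keywords -ErrorAction SilentlyContinue
    if (-not $scp) { return [pscustomobject]@{ Present = $false; Keywords = @() } }
    # keywords holds "azureADId:<tenant id>" and "azureADName:<tenant name>"
    [pscustomobject]@{ Present = $true; Keywords = @($scp.keywords) }
}

function Get-HybridJoinCertificateInfo {
    # The device writes a self-signed certificate into userCertificate; its subject CN
    # is the Entra device ID. Entra Connect only exports computer objects that carry it.
    param([Parameter(Mandatory)][string]$ComputerName)
    Import-Module ActiveDirectory -ErrorAction Stop
    $computer = Get-ADComputer -Identity $ComputerName -Properties userCertificate
    if (-not $computer.userCertificate -or $computer.userCertificate.Count -eq 0) {
        return [pscustomobject]@{ Computer = $ComputerName; HasUserCertificate = $false; DeviceId = $null; NotAfter = $null }
    }
    foreach ($raw in $computer.userCertificate) {
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
        [pscustomobject]@{
            Computer           = $ComputerName
            HasUserCertificate = $true
            DeviceId           = ($cert.Subject -replace '^CN=', '')
            NotAfter           = $cert.NotAfter
        }
    }
}

# Usage on the client (elevated):        Set-ClientSideScp -TenantId $TenantId -TenantName $TenantName
# Usage on a domain-joined admin host:   Get-ForestScp
#                                        Get-HybridJoinCertificateInfo -ComputerName 'PC-001'   # placeholder name
```

Running Get-HybridJoinCertificateInfo before and after the Automatic-Device-Join task fires shows the attribute appearing, which is the trigger for the Entra Connect computer-join rule that the later replies discuss.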
- IvoDuarteCopper Contributor
Thanks for your time reading and replying to my post 👍
In my organization we have hybrid join working with SCP set in the Forest configuration.
The targeted deployment of Microsoft Entra hybrid join looks like a good approach too, thx for sharing!
Here, everything is running and working fine. 🙂
I still have some doubts because I did a test where it seems to me that Entra Connect was not used for anything. Let me explain my test:
- I've joined a device/computer into on-prem AD, outside the Organizational Unit synchronized by Entra Connect.
- Entra Connect worked fine; it did not synchronize the device.... as expected! Also the device is not in the Metaverse, so far so good....
- A user signed-on in the computer.
- The Automatic-Device-Join task ran.
- The computer userCertificate attribute was populated.
- I can see the device in Entra ID portal.
That's why I'm not understanding the role of Entra Connect in the process.
Following Microsoft documentation (How Microsoft Entra device registration works - Microsoft Entra ID | Microsoft Learn)
Step D --> does not make sense to me in my test...
Step G --> The task sends a device registration request to Azure DRS that includes the ID token, certificate request, tkpub, and attestation data. Azure DRS validates the ID token, creates a device ID, and creates a certificate based on the included certificate request. Azure DRS then updates the device object in Microsoft Entra ID and sends the device ID and the device certificate to the client.
I would say that Azure DRS updates the device object, but it also creates a device object in case it does not exist in Microsoft Entra ID.
Anyway, I was just trying to clarify this; I'm not facing any issues with the process on a daily basis, objects are synced and joined, so far so good... but I was just wondering what the role of Entra Connect is after all in this specific process...
Once again thx for replying,
All the best!!
Ivo
- Arne_TiedemannCopper Contributor
Hi IvoDuarte,
When you monitor the process step by step, you can see in Entra ID Connect that the device will be exported to the tenant after the userCertificate is set on the device.
In the rules of Entra ID Connect, there is a last rule that says: if userCertificate of type device is not set, it will not fall into the synchronization.
Step by step
- Device gets the SCP
- connects to the tenant, authenticates to it and receives the userCertificate
- Entra ID Connect syncs the device at the next run and the device is shown in the Entra ID Device portal as "pending"
- Entra ID user signs in, which does the last step and updates the activity field with a time stamp
- finished
One thing to know: When the device is not synchronized, the process will not finish and the event with ID 360 in Microsoft\Windows\User Device Registration will say => Device with device id not found in the tenant.
And when you do not synchronize the devices with Entra ID Connect, then it only works if a user registers the device.
Have a nice day
Arne
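A read-only check for the client-side symptoms Arne describes, as an added PowerShell example that is not part of this thread: it parses dsregcmd /status for the join state and device ID, reads the User Device Registration admin log, and flags event ID 360 (device ID not found in the tenant), which points at the computer object not having been staged by Entra ID Connect. The field names come from dsregcmd's own output; the log name is the one Arne references; no values are changed on the machine.

```powershell
# Added example, not from the forum post. Run on the domain-joined client.

function Get-DsregStatus {
    # dsregcmd /status prints "Key : Value" lines; collect the ones relevant to hybrid join.
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.+?)\s*$') {
            $status[$matches[1]] = $matches[2]
        }
    }
    [pscustomobject]@{
        DomainJoined  = $status['DomainJoined']    # YES for an on-prem AD member
        AzureAdJoined = $status['AzureAdJoined']   # YES once hybrid join completed
        DeviceId      = $status['DeviceId']        # matches the userCertificate subject CN
        TenantId      = $status['TenantId']
        TenantName    = $status['TenantName']
    }
}

function Get-DeviceRegistrationEvents {
    # Recent entries from the log the Automatic-Device-Join task writes to.
    param([int]$MaxEvents = 50)
    $log = 'Microsoft-Windows-User Device Registration/Admin'
    Get-WinEvent -LogName $log -MaxEvents $MaxEvents -ErrorAction Stop |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

function Test-HybridJoinState {
    # Combine both views into a single verdict an admin can act on.
    $status = Get-DsregStatus
    $events = Get-DeviceRegistrationEvents
    $notFound = @($events | Where-Object { $_.Id -eq 360 })

    $verdict =
        if ($status.DomainJoined -ne 'YES') {
            'Not domain joined: hybrid join does not apply.'
        } elseif ($status.AzureAdJoined -eq 'YES') {
            'Hybrid joined (AzureAdJoined=YES).'
        } elseif ($notFound.Count -gt 0) {
            # The case from the thread: device authenticated and wrote userCertificate,
            # but Entra Connect never exported the object, so DRS cannot find the device ID.
            'Event 360 present: device object not found in tenant. Check that the computer OU is in the Entra Connect sync scope and that the object has been exported.'
        } else {
            'Domain joined but not yet Entra joined; no event 360 seen. Wait for the next Automatic-Device-Join run or review the log.'
        }

    [pscustomobject]@{
        Status          = $status
        Event360Count   = $notFound.Count
        LatestEvent360  = ($notFound | Select-Object -First 1).TimeCreated
        Verdict         = $verdict
    }
}

# Usage:
#   Test-HybridJoinState | Format-List
#   Get-DeviceRegistrationEvents -MaxEvents 20 | Format-Table -AutoSize
```

Compare the DeviceId reported here with the subject CN of the computer object's userCertificate in AD: when they match but the device is absent from the Entra ID portal, the missing piece is the Entra Connect export Arne points to, not the device-side registration.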