Azure Hybrid join fails

Kallehave Isaak 20 Reputation points
2024-07-17T13:44:36.03+00:00

ObjectGUID in Active Directory:

bde852fd-48b6-4600-a8a2-4a596bc1989a

PS C:\Users\A_KallehaveI> Get-ADComputer -filter {ObjectGUID -eq "bde852fd-48b6-4600-a8a2-4a596bc1989a"}


DistinguishedName : CN=NB556769,OU=StandardNotebook,OU=Computers,OU=***,OU=***,DC=***,DC=***,DC=***
DNSHostName       : NB556769.**.**.**
Enabled           : True
Name              : NB556769
ObjectClass       : computer
ObjectGUID        : bde852fd-48b6-4600-a8a2-4a596bc1989a
SamAccountName    : NB556769$
SID               : S-1-5-21-2908198854-538845383-240637774-153731
UserPrincipalName :

Device-ID in Entra ID:

cad353ea-366a-4e5c-ae9b-215bbcf564a4


When trying to join the device to Entra ID it fails with following Error:

Previous Registration : 2024-07-17 13:18:02.000 UTC
         Registration Type : sync
               Error Phase : join
          Client ErrorCode : 0x801c03f3
          Server ErrorCode : invalid_request
       Server ErrorSubCode : error_missing_device
          Server Operation : DeviceRenew
            Server Message : The device object by the given id (bde852fd-48b6-4600-a8a2-4a596bc1989a) is not found.
              Https Status : 400
                Request Id : b06bcd9c-6943-435f-ba14-1539ac4f7651

As you can see in the output from "dsregcmd /status", the join fails because the device tries to join with the ID from local Active Directory and cannot find a device in Entra ID with this ID. When searching for my device in Entra ID I can find it with another Device-ID.

Does anyone have the same issues?

I tried deleting the object in Entra ID and hoped it would be resynced from local AD with the correct ID, but the object was created in Entra ID with another ID than in local AD. Can someone assist?

Kind Isaak


Accepted answer
  1. Raja Pothuraju 7,675 Reputation points Microsoft Vendor
    2024-07-18T19:04:55.4266667+00:00

    Hello @Kallehave Isaak,

    Thank you for posting your query on Microsoft Q&A.

    I see that whenever you sync the domain-joined device from on-prem to Entra ID, the device ID does not match the ObjectGUID in local AD.

    To fix this:

    • Open command prompt as administrator.
    • Execute the command "dsregcmd /leave".
    • Open the computer certificate store using "certlm.msc"
    • Check whether a computer certificate with the issuer "MS-Organization-Access" exists.
    • If the certificate exists, delete it.
    • Restart the client.

    The restart should trigger a fresh device registration. Ensure the new certificate public key is updated on the computer object in on-prem AD. If there are multiple domain controllers, ensure the attribute is replicated to all the DCs. Trigger a delta sync on the AAD Connect server. Once the sync is complete, you can trigger device registration by either restarting the machine, executing the command "dsregcmd /join /debug", or running the scheduled task "Automatic-Device-Join" under "Workplace Join".

    If the above fix didn't help, verify the SCP configuration by following the document below.

    https://learn.microsoft.com/en-us/entra/identity/devices/hybrid-join-manual#configure-a-service-connection-point

    Verify the SCP object

    To Verify:

    1. Go to a domain joined PC and open Windows PowerShell.
    2. Run the following commands
         $scp = New-Object System.DirectoryServices.DirectoryEntry;
         $scp.Path = "LDAP://CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=fabrikam,DC=com";
         $scp.Keywords;
      
    3. Verify the Keywords values. They should look similar to:
             azureADName:contoso.com     
             azureADId:62f988bf-####-####-####-############  
      
    4. The field names are case-sensitive. Make sure that they are exactly azureADName: and azureADId:

    If the issue persists, I would like to check this offline with you to understand the scenario and see why this behavior is occurring. Please send us an email at azcommunity@microsoft.com referencing this issue, with the subject line "ATTN:pothurajur", and include a link to the current thread.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    Thanks,
    Raja Pothuraju.

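The checks the accepted answer walks through (registration state, the MS-Organization-Access certificate, the userCertificate attribute on the computer object, and the SCP keywords), collected into one added PowerShell example. This is not code from the thread or from any Microsoft tool; function names and the "Findings" wording are mine. It assumes it runs elevated on the affected client with the RSAT ActiveDirectory module installed, and it tests the invariant that the dsregcmd output in the question shows broken: for a hybrid-joined device, the subject CN of the MS-Organization-Access certificate and the objectGUID of the on-prem computer object should both equal the Entra device ID. The SCP is located via the forest's Configuration naming context rather than the hard-coded fabrikam path, so it works in any domain. The script only reads; it changes nothing.

```powershell
# Added example (not from the Q&A thread): read-only consistency check for a
# hybrid join. Assumes elevated PowerShell on the client + RSAT ActiveDirectory.
Import-Module ActiveDirectory

function Get-DsregStatus {
    # Parse the "Key : Value" lines of dsregcmd /status into a hashtable.
    $h = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*([A-Za-z ]+?)\s*:\s*(.+?)\s*$') { $h[$matches[1]] = $matches[2] }
    }
    return $h
}

function Get-OnPremComputer {
    param([string]$Name = $env:COMPUTERNAME)
    # objectGUID becomes the device ID of the object Entra Connect creates;
    # userCertificate is where the client writes its self-signed registration cert.
    Get-ADComputer -Identity $Name -Properties userCertificate |
        Select-Object Name, ObjectGUID,
            @{ n = 'CertCount'; e = { @($_.userCertificate).Count } },
            @{ n = 'CertThumbprints'; e = {
                @($_.userCertificate) | ForEach-Object {
                    ([System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$_)).Thumbprint } } }
}

function Get-DeviceCertificates {
    # Issuer MS-Organization-Access marks the cert Entra issued at join time;
    # its subject CN is the device ID the client presents on DeviceRenew.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -like '*MS-Organization-Access*' } |
        Select-Object Thumbprint, Subject, NotAfter
}

function Get-ScpKeywords {
    # The SCP object name is fixed; only the Configuration NC varies per forest.
    $cfg = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $scp = [ADSI]"LDAP://CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,$cfg"
    return @($scp.keywords)
}

function Test-HybridJoinConsistency {
    $status = Get-DsregStatus
    $ad     = Get-OnPremComputer
    $certs  = @(Get-DeviceCertificates)
    $scp    = Get-ScpKeywords
    $adGuid = $ad.ObjectGUID.ToString()

    $findings = @()
    if ($status['AzureAdJoined'] -ne 'YES') {
        $findings += "Client is not hybrid joined (AzureAdJoined=$($status['AzureAdJoined']))."
    }
    if ($ad.CertCount -eq 0) {
        $findings += "userCertificate on $($ad.Name) is empty: nothing for Entra Connect to sync; re-register and wait for replication."
    }
    foreach ($c in $certs) {
        $cn = $c.Subject -replace '^CN=', ''
        if ($cn -ne $adGuid) {
            $findings += "Device cert $($c.Thumbprint) carries ID $cn but AD objectGUID is $adGuid: stale registration (dsregcmd /leave, delete the cert, restart)."
        }
    }
    # Keyword names are case-sensitive, so match with the exact casing.
    if (-not ($scp -cmatch '^azureADId:'))   { $findings += 'SCP has no azureADId: keyword.' }
    if (-not ($scp -cmatch '^azureADName:')) { $findings += 'SCP has no azureADName: keyword.' }

    [pscustomobject]@{
        AdObjectGuid  = $adGuid
        DsregDeviceId = $status['DeviceId']
        DeviceCertCNs = $certs.Subject
        ScpKeywords   = $scp
        Findings      = $findings
        Consistent    = ($findings.Count -eq 0)
    }
}

Test-HybridJoinConsistency | Format-List
```

When Findings reports a stale certificate, the remediation is the one in the answer: `dsregcmd /leave`, remove the flagged certificate from `Cert:\LocalMachine\My`, restart, confirm the new userCertificate value has replicated to every DC, run `Start-ADSyncSyncCycle -PolicyType Delta` on the Entra Connect server, then re-run the check and trigger registration with `Start-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' -TaskName 'Automatic-Device-Join'`. Running the check again after registration should show DsregDeviceId, AdObjectGuid and the cert CN all equal.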
