Device isnt recognized as hybrid joined device

Question

Device isnt recognized as hybrid joined device

Hello,
im trying to set policy, which will allow to access some applications only from Hybrid joined devices.
* Require Hybrid Azure AD joined
I performed (with some issues though) hybrid join on few computers.
These computers correctly show up in AAD portal

MyNotebook
Yes
Windows
10.0.17763.0
Hybrid Azure AD joined
N/A
None
N/A
11/26/2020, 7:41:38 AM
11/26/2020, 7:33:40 AM

DSREGCMD /status
+----------------------------------------------------------------------+
| Device State |
+----------------------------------------------------------------------+

         AzureAdJoined : YES
      EnterpriseJoined : NO
          DomainJoined : YES
            DomainName : Contoso

+----------------------------------------------------------------------+
| Ngc Prerequisite Check |
+----------------------------------------------------------------------+

        IsDeviceJoined : YES
         IsUserAzureAD : NO
         PolicyEnabled : NO
      PostLogonEnabled : YES
        DeviceEligible : YES
    SessionIsNotRemote : YES
        CertEnrollment : none
          PreReqResult : WillNotProvision

+----------------------------------------------------------------------+
| User State |
+----------------------------------------------------------------------+

                NgcSet : NO
       WorkplaceJoined : YES
      WorkAccountCount : 1
         WamDefaultSet : NO

However,
testing this Conditional Access policy still fails, because join-type is not recognized.

Browser
Edge 18.17763
Operating System
Windows 10
Compliant
No
Managed
No
Join Type <empty field>

What could be wrong there, i performed hybrid join, in AAD objectID match with ID from dsregcmd command .. im lost there

AmanpreetSingh-MSFT 56,871 Reputation points Moderator

2020-11-27T07:35:20.123+00:00

Hi @Vaněk Vladimír (VZP ČR Ústředí) · Just checking if you had a chance to test below solution.
Vaněk Vladimír (VZP ČR Ústředí) 21 Reputation points

2020-11-27T08:43:38.363+00:00

Hello @AmanpreetSingh-MSFT ,
i believe your informations are not very helpful for me.

We have on-premise environment, we are only syncing computer accounts to AAD. We dont use AAD User logins at all.
Computer account is joining under SYSTEM account, not user account. And Logs says, that registration to AAD was successfull.
AmanpreetSingh-MSFT 56,871 Reputation points Moderator

2020-11-27T09:25:21.213+00:00

Hi @Vaněk Vladimír (VZP ČR Ústředí) · Conditional access policy doesn't work this way. The users must be synced and part of the policy and should be authenticating from Azure AD as the purpose of Conditional Access policy is to control issuance of token to the users. I am interested to know If you have not synced the users, what option you have selected under "Users and groups" section of the conditional access policy?
Vaněk Vladimír (VZP ČR Ústředí) 21 Reputation points

2020-12-01T14:32:02.26+00:00
Hello @AmanpreetSingh-MSFT
We are of course syncing users to AAD as well as Computers. We just "fixed" some settings on our ADFS connector but nothing really happens.
My testing laptop

The complete join response operation was successful.
Automatic registration Succeeded.
Only complains i see in eventlog (Microsoft-Windows-User Device Registration/Admin)

Windows Hello for Business provisioning will not be launched. Device is AAD joined ( AADJ or DJ++ ): Yes User has logged on with AAD credentials: No

My device was shown as hybrid-joined in Azure Portal

Enabled Yes
OS Windows
Version 10.0.17763.1577
Join Type Hybrid Azure AD joined
Owner N/A
User name None
Registered 12/1/2020, 10:57:04 AM
Activity 12/1/2020, 10:56:41 AM

I tried to login on-prem and aad account. Same result, my notebook keeps whining "Device is not in required device state: {state}. Conditional Access policy requires a domain joined device, and the device is not domain joined."
AmanpreetSingh-MSFT 56,871 Reputation points Moderator

2020-12-02T16:38:24.757+00:00

Hi @Vaněk Vladimír (VZP ČR Ústředí) · If you have your tenant federated with ADFS and signing in with synced user account, you should still be able to get IsUserAzureAD and AzureAdPrt as YES. I have seen that if these parameters are NO, CA policy doesn't recognize the device as hybrid joined device. You should start investigating into it by checking Event Viewer > Applications and Services Log > Microsoft > Windows > AAD and User Device Registration logs.

Accepted answer

4 additional answers

Your answer

AmanpreetSingh-MSFT 56,871 Reputation points Moderator

2020-11-27T07:35:20.123+00:00

Hi @Vaněk Vladimír (VZP ČR Ústředí) · Just checking if you had a chance to test below solution.
Vaněk Vladimír (VZP ČR Ústředí) 21 Reputation points

2020-11-27T08:43:38.363+00:00

Hello @AmanpreetSingh-MSFT ,
i believe your informations are not very helpful for me.

We have on-premise environment, we are only syncing computer accounts to AAD. We dont use AAD User logins at all.
Computer account is joining under SYSTEM account, not user account. And Logs says, that registration to AAD was successfull.
AmanpreetSingh-MSFT 56,871 Reputation points Moderator

2020-11-27T09:25:21.213+00:00

Hi @Vaněk Vladimír (VZP ČR Ústředí) · Conditional access policy doesn't work this way. The users must be synced and part of the policy and should be authenticating from Azure AD as the purpose of Conditional Access policy is to control issuance of token to the users. I am interested to know If you have not synced the users, what option you have selected under "Users and groups" section of the conditional access policy?
Vaněk Vladimír (VZP ČR Ústředí) 21 Reputation points

2020-12-01T14:32:02.26+00:00

Hello @AmanpreetSingh-MSFT
We are of course syncing users to AAD as well as Computers. We just "fixed" some settings on our ADFS connector but nothing really happens.
My testing laptop

The complete join response operation was successful.
Automatic registration Succeeded.
Only complains i see in eventlog (Microsoft-Windows-User Device Registration/Admin)

Windows Hello for Business provisioning will not be launched. Device is AAD joined ( AADJ or DJ++ ): Yes User has logged on with AAD credentials: No

My device was shown as hybrid-joined in Azure Portal

Enabled Yes
OS Windows
Version 10.0.17763.1577
Join Type Hybrid Azure AD joined
Owner N/A
User name None
Registered 12/1/2020, 10:57:04 AM
Activity 12/1/2020, 10:56:41 AM

I tried to login on-prem and aad account. Same result, my notebook keeps whining "Device is not in required device state: {state}. Conditional Access policy requires a domain joined device, and the device is not domain joined."
AmanpreetSingh-MSFT 56,871 Reputation points Moderator

2020-12-02T16:38:24.757+00:00

Hi @Vaněk Vladimír (VZP ČR Ústředí) · If you have your tenant federated with ADFS and signing in with synced user account, you should still be able to get IsUserAzureAD and AzureAdPrt as YES. I have seen that if these parameters are NO, CA policy doesn't recognize the device as hybrid joined device. You should start investigating into it by checking Event Viewer > Applications and Services Log > Microsoft > Windows > AAD and User Device Registration logs.

Answer 1

Hi @Vaněk Vladimír (VZP ČR Ústředí) · Thank you for reaching out.

As per below parameter in the output of your DSRegCmd command:

IsUserAzureAD : NO

The logged in user is not an Azure AD User, due to which, under SSO State, the AzureAdPrt becomes NO. Users that are logged in to Hybrid Azure AD Joined devices are supposed to use AzureAdPrt (Azure AD Primary Refresh Token) to authenticate against protected resources. If there is no PRT submitted by user for authentication, the device won't be recognized as Hybrid Azure AD joined device by Conditional Access and will be blocked.

Make sure that you are logged in with Azure AD User account and confirm IsUserAzureAD and AzureAdPrt are YES in the output of dsregcmd command. Check if Conditional Access policy is successfully getting applied afterwards.

If you still see one of these parameters as NO, please check Event Viewer > Application and Services logs > Microsoft > Windows > AAD and User device registration logs to identify the issue.

Feel free to tag me in your reply if you have any further question.

-----------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Vaněk Vladimír (VZP ČR Ústředí) 21 Reputation points

2020-12-10T13:59:50.637+00:00

Hi @AmanpreetSingh-MSFT
Your answer definitely help me.
Our UPN didnt matched with email address.. there was one of the main problems.. after we changed UPN on our test objects (users), AzureAdPrt was switched to YES.

My notebook works flawlessly as hybrid joined device. Conditional access work, the device is recognized.
My colleague, who also Hybrid join, still have some problems.

He changed UPN, dsregcmd looks the same as mine (with all required "YES"), eventlog shows no errors.. His device is still not recognized as hybrid joined (in AAD his computer account is Hybrid Azure AD joined, in sign-ins there is empty value in Join Type).

Not sure what to look for.. his ObjectID match, dscmdreg shows no errors .. He just have all settings as me..

Answer 2

jin g 6

@Ian ten Cate
Yes. MFA is the problem.
When you are using MFA, and assigning apps on that, make sure the details matches the one on "AD".
Upon signing in, it uses the "AD" UPN. so in order to get AzureADPRT to YES, make sure that if you have MFA, O365 apps should match the one on AD.
Therefore you will experience SSO as well.

Answer 3

jin g 6

Any solution to this?
1 out of 200 of my user is having problem enrolling to intune because of this exact same thing.
User was set to UPN1 before and now transferred to UPN2 (both federation, not primary).
Like @123 .com to @@abc2.com .

I can see that UPN are matched on Azure AD and localAD. But, I want to make sure that they are really matched in background.
Any idea how can I really test this user's UPN on both AzureAD and localAD?

That is my suspect after weeks of troubleshooting.

Thanks
@Vaněk Vladimír (VZP ČR Ústředí) @AmanpreetSingh-MSFT

Ian ten Cate 1 Reputation point

2022-04-22T16:33:51.943+00:00

Did you ever get to the root of your problem here? We're seeing a similar issue (device claims hybrid join = OK based on AzureAdJoined:YES and DomainJoined:YES but AzureAdPrt: NO. We've adjusted UPN and email to match as part of a migration a few months back.

Answer 4

Vazquez Fraga, Aaron 31

It appears that in Edge chromium it only recognizes the hybrid device if you have logged into Edge with your Microsoft coporate account. I have tested this from several computers, same user browsing with chrome and edge. With Chrome it wortks fine, as long as you have the "Windows Accounts" extension installed, which can be deployed with GPO. maybe there is a way to make it work with Edge, but I ahve not found one.

Answer 5

Ahmed Sh 80

Any idea if there is workaround in case there is no UPN matching between onpremise AD and Cloud for users and only devices are synced and third party IDP/user provisioning is in place?

Share via

Device isnt recognized as hybrid joined device

4 additional answers

Your answer