This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(182.40000000000003, 67%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
Hello,
So I got through multiple things and I would like to know if someone has any idea what to do here.
I'm trying to join devices into tenant as hybrid joined, to deploy Windows Hello for Business.
We're using Microsoft Entra Connect after recent migration from AADC, though I thought that it was what caused the error.
Note 1: When I try to go through Windows settings, to join the devices it automaticly goes to tenant as "Entra registered device"
So let's go through prerequsities
I've tried to recreate the object of "AzureADKerberos", to see if it does anything at all.
With powershell:
Remove-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred
and then
Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred
But it.. doesn't?
It actually creates itself, two objects - krbtgt_AzureAD as an user object, and AzureADKerberos as a computer object.
The user object is created in BuiltIn OU, and is disabled by default, I don't know if that's the case, or if it's supposed to be like this, but it can't be enabled.
My GPO is set as in learn:
I additionally added:
I also tried dsregtool, but not much of a luck.
Computer is domain joined.
Back to the Note 1: The device gets entra joined and domain joined, the dsregtool gets okay, but when i press 3 to get the output for whats wrong in Hybrid, it's says that it doesn't have connectivity.
Well it does, 443, 80, all microsoft websites are trusted.
A year ago, this whole set up worked quite fine, without any issues, all the devices worked as they should, with computers syncing as hybrid join, but now no success.
Rather than remove, and rejoin, going into entra registered, I have no clue what to do.
An Azure machine learning service for building and deploying models.
A cloud-based identity and access management service for securing user authentication and resource access
Hello @Anonymous ,
thank you for your response, and excuse for my absence in the ticket.
Here I provide some more things that could lead to solving this issue.
What I think is missing in the DSREGCMD /STATUS is an executing account name (user), that could be a lead.
EVENT ID 304
EVENT ID 305EVENT ID 307
Thank you,
Martin
Additionally, our previous environment used to use ADFS, and we deployed Entra Hybrid kerberos using ADFS, only for switching after 2 months to pass-through authentication.
Try re-registering the device by running the following commands in PowerShell:
dsregcmd /leave
dsregcmd /debug
Then, restart the device and attempt to join it again.
Verify that the devices can reach the necessary Azure AD endpoints, specifically the connectivity to the following URLs:
Test-NetConnection -ComputerName enterpriseregistration.windows.net -Port 443
Test-NetConnection -ComputerName login.microsoftonline.com -Port 443
Test-NetConnection -ComputerName device.login.microsoftonline.com -Port 443
Test-NetConnection -ComputerName autologon.microsoftazuread-sso.com -Port 443
You can use Test-NetConnection in PowerShell for that.
Check that your firewall or proxy is not blocking traffic to the required endpoints.
Don't forget also to check your Group Policy settings the ones related to device registration and Windows Hello for Business.
The AzureADKerberos objects should be created correctly. The krbtgt_AzureAD user object should be disabled, which is expected.
Run the dsregcmd /status command on a problematic device to get detailed information about the device registration status. Look for any errors or warnings in the output.
Check the Event Viewer logs on the device for any related errors. Look under Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin for any relevant entries.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hello Čako Martin,
Did you get a chance to check the connectivity to Azure AD Endpoints as mentioned by Amira Bedhiafi?
You can run the DSRegTool to do basic troubleshooting for device registration issues.
Please find the below link to download
When you collect logs with option 7 in the script, you can see the endpoint url connectivity status. You can see the below text files recorded which shows the conectivity to the required urls when you run the script.
AADExtention\login.microsoftonline.com.txt - Shows connectivity result to login.microsoftonline.com
AADExtention\device.login.microsoftonline.com.txt - Shows connectivity result to device.login.microsoftonline.com
AADExtention\enterpriseregistration.windows.net.txt- Shows connectivity result to enterpriseregistration.windows.net
Hello Čako Martin,,
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Hello @Amira Bedhiafi , @Anonymous ,
thank you very much for contributing.
I have not yet resolved the issue, but I got some more results from the DSREGTool.
(The Test-NetConnection works)
You can see as below:
With this error I hasn't gotten much of thing googling it, rather than licenses, I have license Microsoft 365 E3 on my account, which is enough for full office package & intune and many more stuff.
I also pasted the outputs onto github, if would get more out of it. https://github.com/MartinIXP/ixp.git
Thank you.
Martin
Hello Čako Martin,
We see that you are getting the below error while
AADSTS90014: The required field 'request' is missing from the credential. Ensure that you have all the necessary parameters for the login request.
Please share us the result for the below command removing PII information.
dsregcmd /status
When Microsoft Entra Kerberos is enabled in an Active Directory domain, an AzureADKerberos computer object is created in the domain. This object:
Appears as a read only domain controller (RODC) object, but isn't associated with any physical servers
It is only used by Microsoft Entra ID to generate TGTs for the Active Directory domain
I suggest you to please follow the below document to configure cloud kerberos trust with WHFB.
Hello Čako Martin,
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Hello Čako Martin,
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Hello @Anonymous ,
Please apologise me for not responding.
I appreciate your message.
I'd like to share with you screenshots from event viewer logs, and dsregcmd logs as requested, and some additional.
The AzureADSSOAcc is placed in different OU than "Computers" (built-in) OU, but the OU where the object "AzureADSSOACC" is placed is being synced, so I guess that shouldn't be the problem.
DSREGCMD /STATUS
DSREGCMD /JOIN
After the dsregcmd /status though, it does do this:
Hello Čako Martin,
With the screenshots provided, it shows registration failed at joining phase with error code 0x80072F78 which means the server returned an invalid or unrecognized response
You can temporarily turn off the firewall on the server and check if that resolves the error. Antivirus in some cases could also be the cause of this issue. Turn off the AV and see if that allows the prerequisites download.
If you are not a network admin, you can always contact your network team and explain them about this issue. If you think any other network device could be blocking the downloads, the network team should be able to resolve this issue for you.
Need to make sure the device is able to access below endpoints as mentioned in the document.
https://enterpriseregistration.windows.net
https://login.microsoftonline.com
https://device.login.microsoftonline.com
Hello @Anonymous ,
Thank you for your quick response.
I used my test computer with provided instructions, disconnected it from azure completly, using in Windows section Settings -> Accounts -> Disconnect.
And here's the results.
The device did join azure back, but only into the azure registration phase.
After that, trying to join the device to hybrid mode, it goes to this error:
Thank you,
Martin
Additionally, this is the screenshot from Entra:
For all those who following these question, I recommend checking ADSIEDIT.MSC for object container "CONFIGURATION/SERVICES" missing object Device Registration Services might cause trouble. Not my resolution but will follow the lead. It's part of the SCP (Service Connection Point) configuration, and had to be added manually.
You can check if it's added through a command pasted below:
Get-ADObject -Filter {objectClass -eq "serviceConnectionPoint"} -SearchBase "CN=Configuration,DC=domain,DC=com"
Then assign it with your tenant using script:
$tenantID = "<tenantID>"
$rootDSE = [ADSI]"LDAP://RootDSE"
$configurationNC = $rootDSE.configurationNamingContext
$scpDN = "CN=$tenantID,CN=Device Registration Services,CN=Services,$configurationNC"
New-ADObject -Name $tenantID -Type serviceConnectionPoint -Path "CN=Device Registration Services,CN=Services,$configurationNC" -OtherAttributes @{
serviceBindingInformation = "https://enterpriseregistration.windows.net"
keywords = @("AzureADId=$tenantID")
}
Hello @Anonymous ,
Were you able to have a look at the previous posts and stuff I provided?
I tried to Reconfigure the Entra connect sync using Device options, Configure SCP, etc, to see if it does anything at all, but it didn't.
Devices stay in entra registered state.
I also wanted to try
Initialize-ADSyncDomainJoinedComputerSync –AdConnectorAccount [connector account name] -AzureADCredentials $aadAdminCred
as a command that is to force SCP, but it is depricated I think? Because of MSOnline modules deprication.
Thank you in advance,
Martin
Hello Čako Martin,
Thank you for the update.
I hope you have followed the below document to configure Hybrid Azure AD Join.
https://learn.microsoft.com/en-us/entra/identity/devices/how-to-hybrid-join#managed-domains
If your Windows 10 or newer domain joined devices are Microsoft Entra registered to your tenant, it might lead to a dual state of Microsoft Entra hybrid joined and Microsoft Entra registered device.
We recommend upgrading to Windows 10 1803 (with KB4489894 applied) or newer to automatically address this scenario.
Any existing Microsoft Entra registered state for a user would be automatically removed after the device is Microsoft Entra hybrid joined and the same user logs in. For example, if User A had a Microsoft Entra registered state on the device, the dual state for User A is cleaned up only when User A logs in to the device. If there are multiple users on the same device, the dual state is cleaned up individually when those users sign in.
I request you to share the result of below command in private window for further troubleshooting.
dsregcmd /status
In Event Viewer, open the User Device Registration event logs. They're stored under Applications and Services Log > Microsoft > Windows > User Device Registration and Look for events with the following event IDs: 304, 305, and 307.
Please refer the below document to check possible causes and resolutions.
Confirm SCP is created correctly
The service connection point (SCP) object is used by your devices during the registration to discover Azure AD tenant information. In your on-premises Active Directory (AD), the SCP object for the auto-registration of domain-joined devices must exist in the configuration naming context partition of the computer's forest. In your forest, the SCP object for the auto-registration of domain-joined devices is located at:
CN=62a0ff2e-####-####-####-############,CN=Device Registration Configuration,CN=Services,[Your Configuration Naming Context]
You can verify the existence of the object and retrieve the discovery values using the following Windows PowerShell script:
$scp = New-Object System.DirectoryServices.DirectoryEntry;
$scp.Path = "LDAP://CN=62a0ff2e-####-####-####-############,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=fabrikam,DC=com";
$scp.Keywords;
The $scp.Keywords output shows the Azure AD tenant information, for example:
azureADName:contoso.com
azureADId:72f988bf-####-####-####-############
SCP reference :
Hello Čako Martin,
The information in the Service Connection Point is used by domain-joined devices during their Hybrid Azure AD Join to discover Azure AD tenant information through an LDAP query.
The below command will show the list of SCPs configured
Get-ADObject -Filter "ObjectClass -eq 'serviceConnectionPoint'"
Microsoft Entra hybrid join requires devices to have access to the following Microsoft resources from inside your organization's network:
https://enterpriseregistration.windows.net
https://login.microsoftonline.com
https://device.login.microsoftonline.com
https://autologon.microsoftazuread-sso.com
https://device.login.microsoftonline.com
https://enterpriseregistration.windows.net
Document reference for configuring Hybrid Azure AD Join Devices.
https://learn.microsoft.com/en-us/entra/identity/devices/how-to-hybrid-join#managed-domains
Hello @Anonymous , do you still follow this thread?
Thank you, Martin
Hello @Anonymous ,
do you have any more ideas that could help solving this case?
As I mentioned before, we switched from ADFS to Pass-through authentication, and then soon enough it stopped working.
Thank you,
Martin
Hello Čako Martin, Lets continue the discussion in private messages for further investigation