This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Folks,
I need your help and suggestion in performing the Hybrid Azure AD join. However in the Steps #4: https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-assign I cannot see my AD joined computer listed?
My current setup is single forest OnPremise AD Domain synched using Azure AD connect, with Azure AD Premium P2 licensing.
Any help would be greatly appreciated.
Thanks.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 78%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESG%3C/text%3E%3C/svg%3E)
Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread.
You will not see individual devices therein, use Groups instead. The Group needs to already exist and has the required devices (or users) added. If you want to target all devices, hit the corresponding Add all users/Add all devices buttons.
Hi Vasil,
Since I am using Azure AD Connect to such the user account to Azure, do I need to do something else to ensure the Computer objects synched to Azure AD?
Yes, you need to have device sync enabled, that's one of the prerequisites for the Hybrid story: https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-hybrid-azure-ad-join#managed-domains
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@EnterpriseArchitect, Thanks for posting in Q&A. From the link you provided, I notice you want to assign Intune Device Configuration policy to user or device group. But the device is not existing. If there's any misunderstanding, feel free to let us know.
On my point of view, this can be that the device is not enrolled into Intune yet.
To perform Hybrid Azure AD join, you can firstly sync password hash with Azure AD connect:
Then configure Hybrid Azure AD join with the steps in the following link. There are two options to choose. If it is managed domain, you can try the steps under "Managed domains". If you have federated domain, try the steps under "Federated domains".
https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-hybrid-azure-ad-join
Based on my experience, if the domain is non-routable, it will cause AzureADPrt as no. To make it work, we can add the new UPN suffix as a workaround. For example, if your on-premise domain is "A.com". And you Azure AD domain is "B.com". And the domain is non-routable, then you can add "B.com" under the Active Directory Domains and Trusts as a new UPN suffix. And change the UPN suffix for existing users.
However, if the Hybrid Azure AD join still have issue, you can contact Azure AD support to get more help.
After the device is Hybrid Azure AD joined, we can choose one of the device enrollments for Hybrid Azure AD joined devices to enroll into Intune. Here are some methods for your reference:
GPO enrollment (Mainly for the existing domain joined devices.)
Autopilot Hybrid Azure AD joined (Mainly for new devices)
https://learn.microsoft.com/en-us/mem/autopilot/windows-autopilot-hybrid
As a note, please ensure the user also has the Microsoft Intune license assigned.
Hope the above information can help.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi @Crystal-MSFT , thank you for the update, yes,
OnPremise AD DS: domain.com
Azure AD Tenant: companycorpname.onmicrosoft.com
The current Azure AD sync is already using Password Hash Sync.
@EnterpriseArchitect, Thanks for the reply. From your description, I know the Password Hash Sync is already done. If so, then we can configure Hybrid Azure AD join via Azure AD connect. Please confirm if this step is also done. Meanwhile, please also check if the new UPN is added if our domain is not routable.
Hi @Crystal how do I know if the domain is routable or not?
@EnterpriseArchitect, Thanks for the reply. Based on my understanding, The routable domain means a verified domain and is applicable on the Internet. Sometimes, on-premises AD users UPNs are different from your Azure AD UPNs. In these cases, Windows 10 or newer hybrid Azure AD join provides limited support for on-premises AD UPNs based on the authentication method, domain type, and Windows version. Here is a link with more details:
@EnterpriseArchitect, How's everything going? If there's anything else we can help, feel free to let us know.
Hi @Crystal -msft, do I need to choose either Hybrid Azure AD join or Azure AD join to enable Intune MDM and also enable the SSPR link on the login screen ?
@EnterpriseArchitect, Thanks for the reply. From your description, I notice you mentioned to enable Intune MDM. Did you mean to enroll these devices? Could you get a screen shot to let me better understand it? Meanwhile, for SSPR, based on my researching, I find this is an AAD feature to give users in Azure Active Directory (Azure AD) the ability to change or reset their password, with no administrator or help desk involvement. If you want this, I think you can configure. if you want to know more about this, I suggest contact Azure AD support to get more help on this. https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-windows