Targeted Hybrid Azure AD Join without clearing SCP?

Andrew Sader 0 Reputation points
2023-04-28T12:47:03.85+00:00

Hi All,

We are wanting to do a targeted HAADJ to test before rolling it out company-wide. Everything I can find mentions clearing the SCP to our Azure tenant in AD, and pushing registry changes to the machines we want to HAADJ. The issue here is we are currently using the SCP to Azure, and so we can't remove it.

All of our devices are currently listed in Azure as Azure AD Registered, if that helps.

As far as I understand it, whenever Windows devices log in they check locally for the Azure tenant details, and if they don't find them they check AD.

Are we able to manage this via group policy to tell them not to try to hybrid join?

I have found instances online where this did not work, and all of the devices tried to hybrid join despite group policy.

Advice is appreciated.
Thanks,


1 answer

  1. Crystal-MSFT 36,666 Reputation points Microsoft Vendor
    2023-05-01T02:09:51.8966667+00:00

    @Andrew Sader, thanks for posting in Q&A. Based on my previous testing in my lab, I find that when I choose one OU with the devices which I want to do Hybrid Azure AD join to enable Password Synchronization, only the devices in this OU will do Hybrid Azure AD join; others will not.

    You can reconfigure the "Custom synchronization options" in Azure AD Connect to see if it can meet your requirement.

    Hope the above information can help.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
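One way to confirm that a pilot stayed inside its intended scope, as an added example that is not part of the question or the answer above: classify each device's join state from `dsregcmd /status` output and flag any device that hybrid joined outside the pilot. `dsregcmd` is not mentioned in the thread; the function names, device names and status text are hypothetical or constructed for illustration.

```powershell
# Added example. Device names and status text below are constructed samples.
function Get-JoinState {
    param([Parameter(Mandatory)][string[]]$StatusText)
    $flags = @{}
    foreach ($line in $StatusText) {
        # Lines of interest look like "   AzureAdJoined : YES"
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|WorkplaceJoined)\s*:\s*(YES|NO)\s*$') {
            $flags[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }
    # Hybrid join means the device is both domain joined and Azure AD joined.
    if ($flags['AzureAdJoined'] -and $flags['DomainJoined']) {
        'HybridJoined'
    } elseif ($flags['AzureAdJoined']) {
        'AzureAdJoined'
    } elseif ($flags['WorkplaceJoined']) {
        'AzureAdRegistered'
    } elseif ($flags['DomainJoined']) {
        'DomainJoinedOnly'
    } else {
        'NotJoined'
    }
}

function Test-PilotScope {
    param([string]$Name, [bool]$InPilot, [string]$State)
    $hybrid = $State -eq 'HybridJoined'
    $result = if ($hybrid -and -not $InPilot) {
        'UNEXPECTED: hybrid joined outside pilot'
    } elseif ($InPilot -and -not $hybrid) {
        'PENDING: pilot device not hybrid joined yet'
    } else { 'OK' }
    [pscustomobject]@{ Device = $Name; State = $State; InPilot = $InPilot; Result = $result }
}

# Constructed samples; on a real device use: Get-JoinState -StatusText (dsregcmd /status)
$samples = @(
    @{ Name = 'PILOT-PC01'; InPilot = $true;  Text = "AzureAdJoined : YES`nDomainJoined : YES`nWorkplaceJoined : NO" }
    @{ Name = 'OTHER-PC02'; InPilot = $false; Text = "AzureAdJoined : NO`nDomainJoined : YES`nWorkplaceJoined : YES" }
    @{ Name = 'OTHER-PC03'; InPilot = $false; Text = "AzureAdJoined : YES`nDomainJoined : YES`nWorkplaceJoined : NO" }
)
foreach ($s in $samples) {
    $state = Get-JoinState -StatusText ($s.Text -split "`n")
    Test-PilotScope -Name $s.Name -InPilot $s.InPilot -State $state
}
```

With the constructed samples, PILOT-PC01 and OTHER-PC02 report `OK` and OTHER-PC03 is flagged as hybrid joined outside the pilot.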