25,147 questions
You can clear the SCP in AD:
https://github.com/MicrosoftDocs/azure-docs/issues/55187
Can't disable Hybrid Azure AD Join in Azure AD Connect
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 0%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERP%3C/text%3E%3C/svg%3E)
Robert Panick
156
Reputation points
We enabled Hybrid AAD Join using AAD Connect, we've since discovered it is writing computer objects to AAD without an associated user, or the wrong user. The issue is all of our computers join the domain with SCCM OSD task sequences, but no user has logged in. AAD Connect picks up the computer account and does the Hybrid AAD join, without the user, and at times using a service account used for the AD domain join operation.
We have decided to address this problem we will turn off Hybrid AAD Join in AAD Connector, and use SCCM to establish the Hybrid AAD Join since we can delay the operation until the user has had a chance to log in.
The problem comes is that we go into the AAD Connect > Device Options and select Configure Hybrid Azure AD Join, then under Device Systems turn OFF the "Windows 10 or later domain-joined devices" checkbox. Note the downlevel checkbox is also turned off. The problem is the "Next" button is not enabled so there is no way to continue.
At this point the only other option would be to tear down the AAD Connect and rebuild it, but we really don't want to do that because of issues that likely would occur.
Unfortunately, fixing the user record association with the computer would be a lot of work. Without the user association makes using Intune problematic in many ways.
Microsoft Security | Microsoft Entra | Microsoft Entra ID
3 answers
Sort by: Most helpful
-
Andy David - MVP 157.8K Reputation points MVP Volunteer Moderator2023-06-28T16:14:17.33+00:00 -
Robert Panick 156 Reputation points
2023-06-28T16:27:56.01+00:00 I saw that, but couldn't figure out what the effect of doing the operation described was. For instance, does it just disable the Hybrid AD Join in the connector? It looks like it would potentially break all of the existing Hybrid AD Joined computers.
-
Andy David - MVP 157.8K Reputation points MVP Volunteer Moderator
2023-06-28T16:37:47.94+00:00 well, once joined, they are joined. The SCP is used during the registration.
-
Robert Panick 156 Reputation points
2023-06-28T16:51:59.1966667+00:00 That makes some sense. What would happen if we then had SCCM do the Hybrid AAD Join, would it fail? I just don't see why the AAD Connector can't let us turn off that switch once its turned on. We still want to do Hybrid AAD Join, just not through the AAD Connector.
-
Andy David - MVP 157.8K Reputation points MVP Volunteer Moderator
2023-06-28T16:57:15.5133333+00:00 well, as long as as SCCM can do the registration without that SCP in AD itself, I dont see any issues.
-
Robert Panick 156 Reputation points
2023-06-28T17:00:36.2266667+00:00 That's an interesting question. I don't know exactly what mechanism SCCM is using. I'll have to do some looking into it. Thanks.
I was really hoping someone knew of a registry key on the AAD Connector that would let us turn it off.
Sign in to comment -
-
Andy David - MVP 157.8K Reputation points MVP Volunteer Moderator
2023-06-28T17:14:56.45+00:00 Well, I'm sure you have seen this:
https://albandrodsmemory.wordpress.com/2021/04/15/how-to-disable-hybrid-azure-ad-join/
But I cant vouch for it or if its supported
-
Robert Panick 156 Reputation points
2023-06-28T18:06:21.4766667+00:00 I had seen something else from him, but not this article. Thank you.
Now to convince the powers that be to let me try it.
-
Robert Panick 156 Reputation points
2023-06-28T18:09:39.93+00:00 Looking at it closer, the first item "Modify the Hybrid Azure ADJoin from the AAD Connect" is what I've been trying to do. The rest of it unfortunately is intended to block AAD join, which is what I don't want to do.
Sign in to comment -
-
Robert Panick 156 Reputation points
2023-06-28T22:06:51.31+00:00 It appears that the need may be moot. We ran some tests today and discovered that a computer created using SCCM OSD would register without a user as expected. When a user logged in the record in AAD updated quickly. Intune created a second record, but at least the user to computer association was there.