Users enrolling devices with DomainName\user instead of AzureAD\user

Question

I have 2 types of users: users created in the cloud and users migrated from on-prem AD. The sync between on-prem AD and AAD is stopped, the users are fully migrated in the cloud.

I'm currently resetting all my devices and enrolling them with Intune. I enroll the devices with the user's account using Automatic enrollement.

For the users originally created in the cloud, I have no issue. That's pretty smooth.

Here is my problem: for the users migrated, after the sign-in with their Microsoft work account, they are logged with the domain name ex: Fxxxxx\patrice instead of AzureAD\patrice. What is happening? I'm sure I'm missing something.

Thank you for your help

If you are wondering why this is an issue, it's because as I don't want my users to be admin on the devices, I than add my admin account as Administrator, logging in with it and change the account type of my user from Administrator to Standard. When the user is logged as Fxxxxx\patrice, from some reasons, my admin is added as FASW\admin as well instead of AzureAD\admin and it's IMPOSSIBLE to change account types after that. I've tried a hundred different workarounds without result.

Answer 1

@Chris, Thanks for the update. I am glad to hear that the issue is resolved. To help others quickly find the solution, please let me write a summary:

Issue:

For the Azure AD joined device, the account under Access wok or school is DomainName\user instead of AzureAD\user

Resolution:

Thanks for your time and have a nice day!

---

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 2

@Chris, Thanks for posting in Q&A. From your description, it seems after resetting the device and enroll them again. The devices are Hybrid Azure AD joined instead of Azure AD joined. So the user still uses their domain accounts to login.

To look into the issue, please collect the following information:

1. Please let us know if we use Autopilot method to do the enrollment. If yes, please get the screen shot of the Autopilot profile setting.
2. For these devices, are they enrolled before? If yes, please ensure the records in Azure AD and Intune are both deleted before we reset and enroll again.
3. For Azure AD joined device, it can't join on-premise domain. Please ensure we don't join on-premise domain for these devices.

Please check the above information and if there's any update, feel free to let us know.

---

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 3

Hi Crystal, than you so much for your help. More details below.
1 - I don't use Autopilot for the enrollment. I'm using Automatic Enrollment. After the reset of the device, I just sign-in with the user credentials so that the device is enrolled as Azure AD joined and the user is the primary user.

2 - Before, the devices were enrolled as Azure AD registered as I just acquired Intune for the management. Confriming that before they join, all the records in AAD and Intune are deleted properly.

3 - So, I think this is the problem to solve: how can I prevent those devices to join on-premise domain? I think it's related to the user, because when I enroll with cloud-created users, I don't have this issue.

For the other users, they are not syncing anymore with the on-prem domain. Under the user' s properties, I can read On-premises sync enabled set to No.

How can I prevent the devices to join on-premise domain and this hybrid situation? How to get rid of this configuration? The domain controller has been decommissioned.

Thank you

Answer 4

So, the Azure AD Connect Sync has not been removed properly before the decommissioning of the on-premises server.

I have set the attribute DirectorySynchronizationEnabled to false via PowerShell today.

For cloud-only users previously synced from the on-premises Active Directory, the sync status in M365 admin center is set to "in cloud" and the attribute on-premises sync enabled in AAD is set to "No", like they were before but just for checking.

In Intune, they are no policies or profiles set for domain join or hybrid configuration.

I have fully reset 2 devices,cleaned up the records, tested 2 users, they keep enrolling with Domain\Username instead of AzureAD\Username, even if into Intune the device is showed as Join Type = "Azure AD joined"

Updated --- I have also setup autopilot for enrollment and this is the same result.
What am I missing?

Answer 5

Thank you Crystal for your investigation!

I was able to resolve my issue and I wanted to update the thread for others in the same situation.

I found the solution here
https://serverfault.com/questions/1093666/wrong-executing-account-name-on-azure-ad-joined-machines-windows-11-autopilo

So the issue is that when AD sync is stopped, there are still some leftovers attributes in the user properties that are disturbing the enrollment process. Those attributes are in ready only mode even for a global admin so the only solution is to open a ticket with microsoft and they will remove them for you.

"Solution: I contacted Microsoft Azure Support by creating a ticket. I sent in a CSV file with all users experiencing the problem. Microsoft deleted the following attributes linked to their accounts: DNSDomainName, NetBiosName, OnPremisesDistinguishedName, OnPremisesSamAccountName. After that, the problem was resolved. Hope this helps!

– [Codemeister](https://serverfault.com/users/954945/codemeister"1 reputation")Mar 1, 2022 at 20:37"