Duplicated AD computer in the Azure AD / Entra Devices | All devices page?

EnterpriseArchitect 4,826 Reputation points
2023-08-01T03:10:20.0033333+00:00

I am using Hybrid OnPremise AD DS with Azure AD (Entra) synchronized using Azure AD connect.

When I look in the Azure AD / Entra Devices | All devices page https://portal.azure.com/#view/Microsoft_AAD_Devices/DevicesMenuBlade/~/Devices/menuId~/null

there are multiple entries for most of my AD computers like in the below screenshot:

User's image

How can I safely delete the duplicated AD computer as the above, and then leave the most recent or the valid entry only to maintain uniqueness?


Accepted answer
  1. Harpreet Singh Matharoo 7,491 Reputation points Microsoft Employee
    2023-08-01T08:56:02.4266667+00:00

    Hello @EnterpriseArchitect

    When the same device ends up with two different identities in Azure AD, it is known as a Dual state in AAD terminology. This usually happens when your users add their accounts to apps on a domain-joined device: they might be prompted with "Add account to Windows", and if they answer Yes on the prompt, the device registers with Azure AD. The trust type is marked as Azure AD registered. After you enable hybrid Azure AD Join in your organization, the device also gets hybrid Azure AD joined. Then two device states show up for the same device.

    Note: Hybrid Azure AD join takes precedence over the Azure AD registered state. So, your device is considered hybrid Azure AD joined for any authentication and Conditional Access evaluation. You can safely delete the Azure AD registered device record from the Azure AD portal. If the duplicate devices are very old and stale, you can also check out the steps in the following document to clear those device entries: How To: Manage stale devices in Azure AD

    Additionally, you can check out the instructions provided under Handling devices with Azure AD registered state, if you want to avoid such a scenario.

    I hope this helps and hence would request you to please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
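The dual-state cleanup described in the accepted answer, as an added example using the Microsoft Graph PowerShell SDK (not code from the original answer or from Microsoft's documentation): it groups device records by display name, keeps the hybrid-joined record (trust type `ServerAd`) and stages only the Azure AD registered duplicate (`Workplace`) for removal. The `-Remove` switch is this script's own assumption; without it, nothing is deleted.

```powershell
# Added example: find dual-state device records in Entra ID and remove the
# Azure AD registered duplicate, keeping the hybrid Azure AD joined record.
# TrustType values returned by Get-MgDevice:
#   ServerAd  = hybrid Azure AD joined   (keep)
#   Workplace = Azure AD registered      (duplicate in the dual-state case)
#   AzureAd   = Azure AD joined          (not a dual state; left alone)
# Requires the Microsoft.Graph.Identity.DirectoryManagement module.
param([switch]$Remove)   # dry run by default; pass -Remove to delete

Connect-MgGraph -Scopes 'Device.ReadWrite.All' -NoWelcome

$devices = Get-MgDevice -All -Property Id,DeviceId,DisplayName,TrustType,ApproximateLastSignInDateTime

$candidates = foreach ($group in ($devices | Group-Object DisplayName | Where-Object Count -gt 1)) {
    $hybrid     = $group.Group | Where-Object TrustType -eq 'ServerAd'
    $registered = $group.Group | Where-Object TrustType -eq 'Workplace'
    # Only a true dual state qualifies: a hybrid-joined record must exist for the
    # same name, otherwise the Workplace record may be the device's only identity.
    if ($hybrid -and $registered) {
        foreach ($r in $registered) {
            [pscustomobject]@{
                DisplayName  = $group.Name
                ObjectId     = $r.Id
                DeviceId     = $r.DeviceId
                TrustType    = $r.TrustType
                LastSignIn   = $r.ApproximateLastSignInDateTime
                KeepHybridId = ($hybrid | Select-Object -First 1).Id
            }
        }
    }
}

if (-not $candidates) { Write-Host 'No dual-state device records found.'; return }
$candidates | Format-Table -AutoSize

foreach ($c in $candidates) {
    if ($Remove) {
        # Remove-MgDevice's -DeviceId parameter takes the directory object id, not the DeviceId GUID.
        Remove-MgDevice -DeviceId $c.ObjectId
        Write-Host "Removed Azure AD registered record $($c.ObjectId) for $($c.DisplayName)"
    } else {
        Write-Host "Dry run: would remove $($c.ObjectId) ($($c.DisplayName)); re-run with -Remove"
    }
}
```

Review the table before running with `-Remove`; the hybrid-joined record listed under KeepHybridId is the one Conditional Access evaluates and is never touched.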

1 additional answer

  1. Limitless Technology 43,966 Reputation points
    2023-08-01T10:22:04.2466667+00:00
    Hello EnterpriseArchitect,
    
    Thank you for your question and for reaching out with your question today.
    
    When you see multiple entries for the same AD computer in Azure AD/Entra, it's likely due to the synchronization process or other factors that cause duplicate computer objects to be created. To safely delete duplicated AD computer entries and maintain uniqueness, follow these steps:
    
    **Note**: Before proceeding, always back up your Active Directory and Azure AD/Entra environments. Deleting objects can have irreversible consequences, so proceed with caution.
    
    1. **Identify the Valid Computer Object**:
       - In the Azure AD/Entra portal, find the duplicated computer entries.
       - Look for attributes like the computer name, last sync time, or other identifying information to determine which one is the most recent or the valid entry.
    
    2. **Validate Azure AD Connect Synchronization**:
       - Ensure that Azure AD Connect is configured and running correctly on your on-premises server.
       - Check the synchronization schedule and logs to verify that the synchronization process is working as expected.
    
    3. **Verify AD Computer Objects**:
       - On your on-premises Active Directory Domain Controller, locate the duplicated computer objects.
       - Check their properties and attributes to confirm that they represent the same physical computer.
    
    4. **Backup and Delete Duplicated AD Computer Objects**:
       - Once you have identified the valid computer entry in Azure AD/Entra and verified its corresponding AD object on-premises, create a backup of your Active Directory.
       - After ensuring that you have valid backups, proceed to delete the duplicated AD computer objects on-premises.
    
    5. **Wait for Synchronization**:
       - Once the duplicated computer objects are deleted from your on-premises Active Directory, wait for the Azure AD Connect synchronization to run (or manually initiate a synchronization).
       - This process will remove the corresponding duplicated entries from Azure AD/Entra during the next synchronization cycle.
    
    6. **Check Azure AD/Entra for Cleanup**:
       - After synchronization completes, verify that the duplicated computer entries have been removed from the Azure AD/Entra portal.
    
    7. **Monitor Future Synchronizations**:
       - Keep an eye on future Azure AD Connect synchronization cycles to ensure that no new duplicated computer entries are created.
    
    8. **Audit and Troubleshoot**:
       - If the duplicated computer entries keep reappearing after the cleanup, audit your synchronization settings, and check for any issues with the synchronization process or your on-premises Active Directory.
    
    Always exercise caution when deleting objects from your directory, and ensure that you have a valid backup strategy in place. Additionally, consider testing any changes in a lab environment before applying them to production. If you are unsure about any step or the impact of the changes, seek assistance from experienced IT professionals or Microsoft support.
    
    I used AI provided by ChatGPT to formulate part of this response. I have verified that the information is accurate before sharing it with you.
    
    If the reply was helpful, please don’t forget to upvote or accept as answer.
    
    Best regards.
    