Hybrid joined devices syncing problem

adv_kd 125 Reputation points
2024-02-07T14:39:42.5966667+00:00

Hi,
It will be a long post, so...

I have a problem with hybrid joined devices and Conditional Access (set to require hybrid joined device). Our users from time to time are unable to use apps because of this.

Infrastructure:

  • local Active Directory with a few DCs
  • DCs synced to Entra ID (both users and computers)
  • Conditional Access policy set to "require hybrid joined devices"

Problem occurs for many users (yes, probably some of them are positive-positive, they used a private device, but still we've got many complaints about it).

[image]

What I discovered to this day:

  • it can occur in the middle of the day, without any changes (afaik) in the object in AD
  • users have been saying it occurs when they change password (don't take it too seriously)
  • in fact IT OCCURS because some of the devices are DELETED from the cloud

Example 1:

  1. PC deleted (question is why?) - look at the date and time
     [image: laptop_delete]
  2. PC added - in the same cycle?
     [image: laptop_add]
  3. When it's added (after a few minutes of pending) the user can sign in...
     [image]

Example 2:

  1. PC deleted
     [image: laptop_delete]
  2. PC added (look at the difference in time)
     [image: laptop_add]
  3. PC logs - it's been deleted by the SYNC account
     [image: laptop_logs]

And probably the most important here:

there was a change in this PC object's "userCertificate" attribute.
[image]

There is a rule in Entra ID Connect that states this attribute must NOT BE EMPTY. So it looks like something deleted this attribute and then re-wrote it? The fact is this PC was deleted without any user activity, so it looks like some hidden process, rule or aliens did that.

I've got much more evidence but it is most likely the same, though not in every case was "userCertificate" re-written.

Look how many devices were deleted. Almost every one was re-added again.
[image]

Sometimes there is a change in "userCertificate" attribute which is required for device to be synced.

Might there be a problem with SCP?

I am investigating this problem for so long and I am just tired of it...
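The post's own finding is that Entra Connect drops a computer object from the sync scope whenever userCertificate is empty, so the first thing to establish on-premises is which computers currently have no (or an expired) certificate and when that attribute last changed. The following PowerShell is an added diagnostic, not code from the original post or from Microsoft; it assumes the ActiveDirectory RSAT module, a domain-joined admin session, and that the default "In from AD - Computer Join" rule with its userCertificate ISNOTNULL scoping filter is still in place. $SearchBase is a placeholder.

```powershell
# Added diagnostic (not from the original post). Assumes the ActiveDirectory
# RSAT module; $SearchBase is a placeholder OU to adjust for your domain.
Import-Module ActiveDirectory

$SearchBase = 'OU=Workstations,DC=example,DC=com'   # placeholder
$Dc         = (Get-ADDomainController -Discover).HostName | Select-Object -First 1

function Get-HybridJoinCertState {
    param([string]$Base, [string]$Server)
    Get-ADComputer -Filter * -SearchBase $Base -Server $Server `
        -Properties userCertificate, lastLogonTimestamp | ForEach-Object {
        $comp  = $_
        $certs = @($comp.userCertificate | Where-Object { $_ -ne $null })
        $valid = $null
        foreach ($raw in $certs) {
            try {
                $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,[byte[]]$raw)
                # The hybrid-join certificate is self-signed; its subject CN is the device id.
                if ($c.NotAfter -gt (Get-Date)) { $valid = $c }
            } catch { }   # ignore blobs that are not parseable certificates
        }
        # Replication metadata shows when, and via which DC, userCertificate last changed.
        $meta = Get-ADReplicationAttributeMetadata -Object $comp.DistinguishedName `
                    -Server $Server -Properties userCertificate -ErrorAction SilentlyContinue
        $lastLogon = if ($comp.lastLogonTimestamp) { [DateTime]::FromFileTime($comp.lastLogonTimestamp) }
        [pscustomobject]@{
            Name           = $comp.Name
            CertCount      = $certs.Count
            HasValidCert   = [bool]$valid
            CertSubject    = $valid.Subject
            CertNotAfter   = $valid.NotAfter
            CertLastChange = $meta.LastOriginatingChangeTime
            CertVersion    = $meta.Version
            LastLogon      = $lastLogon
        }
    }
}

$report = Get-HybridJoinCertState -Base $SearchBase -Server $Dc

# Computers the "In from AD - Computer Join" rule will drop from sync (userCertificate empty)
$report | Where-Object { $_.CertCount -eq 0 } | Format-Table Name, LastLogon

# Computers whose certificate changed in the last day: candidates for a delete/re-add cycle
$report | Where-Object { $_.CertLastChange -gt (Get-Date).AddDays(-1) } |
    Sort-Object CertLastChange -Descending |
    Format-Table Name, CertLastChange, CertVersion, CertSubject
```

Run it against the DC that Entra Connect reads from; a high CertVersion on the same computers that keep flipping to "pending" points at whatever is rewriting the attribute, rather than at the sync engine itself.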


3 answers

  1. adv_kd 125 Reputation points
    2024-02-09T09:15:46.5866667+00:00

    Additional information: Sometimes devices are not deleted from AAD. Today we've got another user with this problem, but there was no change on his computer and it went from "registered" to "pending" and it can't register for a long time. I've checked, and in the past this was the most common scenario: devices haven't been deleted but changed state.
    [image: dod3]

    No changes in Entra ID Connect:
    [image: dod1]

    No changes in userCertificate:
    [image: dod2]

    I know I can use dsregexe to join this certain computer to AAD, but it is not the case. I want to fix the problem...


  2. adv_kd 125 Reputation points
    2024-02-16T13:35:45.0633333+00:00

    Hi,
    Does anyone have an idea?


  3. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

