Microsoft Entra Hybrid Join (Azure Hybrid Join) error - 0x80072f78

Čako Martin 20 Reputation points
2025-02-17T11:39:19.2533333+00:00

Hello,

So I have gone through multiple things and would like to know if anyone has an idea what to do here.

I'm trying to join devices to the tenant as hybrid joined, in order to deploy Windows Hello for Business.

We're using Microsoft Entra Connect after a recent migration from AADC, though I thought that was what caused the error.

Note 1: When I try to join the devices through Windows settings, they automatically go to the tenant as an "Entra registered device".

So let's go through the prerequisites:

  • Authentication - PTA
  • Device configuration - GPO
  • Windows (server) requirements - Servers WS2022, and notebooks W11 23H2 or later

I've tried to recreate the object of "AzureADKerberos", to see if it does anything at all.

With powershell:

Remove-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred

and then

Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred

But it... doesn't?

It actually creates two objects: krbtgt_AzureAD as a user object, and AzureADKerberos as a computer object.

The user object is created in the Builtin OU and is disabled by default. I don't know if that's the case, or if it's supposed to be like this, but it can't be enabled.

My GPO is set as in Learn:

  • Use Windows Hello for Business: Enabled
  • Use cloud trust for on-premises authentication: Enabled (IS THERE A MISTAKE HERE? The word "Kerberos" is missing; in my environment it should read "Use cloud Kerberos trust for on-premises authentication")
  • (I tried to update the .adml and .admx files, but there was no change in the Group Policy editor)
  • Use PIN Recovery: Enabled
  • Use hardware security device: Enabled

I additionally added:

  • Allow retrieving the Azure AD Kerberos Ticket Granting Ticket during logon (hoped that it would change something; it didn't)

I also tried dsregtool, but without much luck.

The computer is domain joined.

Back to Note 1: The device gets Entra joined and domain joined, dsregtool reports OK, but when I press 3 to get the output for what's wrong with Hybrid, it says that it doesn't have connectivity.

Well, it does: 443, 80, all Microsoft websites are trusted.

A year ago this whole setup worked fine, without any issues; all the devices worked as they should, with computers syncing as hybrid joined, but now no success.

Other than removing and rejoining, which ends up as Entra registered, I have no clue what to do.

Microsoft Security | Microsoft Entra | Microsoft Entra ID
Windows for business | Windows Server | User experience | Other
Windows for business | Windows Client for IT Pros | User experience | Other
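Added example, not part of the question above: the on-premises pieces that cloud Kerberos trust and hybrid join depend on, checked in one pass. It assumes the RSAT ActiveDirectory module and the AzureADHybridAuthenticationManagement module are installed, that it runs elevated on a domain-joined machine, and that the registry values listed in the last step are the ones the two policies named in the post write (assumed paths; compare against your ADMX). The $domain, $cloudCred and $domainCred variables are the same ones the post's Remove/Set commands use.

```powershell
# Added example: verify the Entra Kerberos server object, the AD objects it creates,
# the device-registration SCP, and the client-side policy values. Not from the original post.
Import-Module ActiveDirectory
Import-Module AzureADHybridAuthenticationManagement

$domain     = (Get-ADDomain).DNSRoot
$domainCred = Get-Credential -Message 'Domain admin'
$cloudCred  = Get-Credential -Message 'Entra hybrid identity / global admin'

# 1. The Kerberos server object as seen from AD and from the tenant.
#    KeyVersion and CloudKeyVersion should match; if not, the key rotated on one side only.
$krb = Get-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred
$krb | Format-List Id, DomainDnsName, KeyVersion, CloudKeyVersion, KeyUpdatedOn, CloudKeyUpdatedOn

# 2. The two AD objects. krbtgt_AzureAD is meant to stay disabled, exactly like krbtgt.
Get-ADUser -Filter 'SamAccountName -eq "krbtgt_AzureAD"' -Properties Enabled, msDS-KeyVersionNumber |
    Format-List SamAccountName, Enabled, DistinguishedName, msDS-KeyVersionNumber
Get-ADComputer -Filter 'Name -eq "AzureADKerberos"' -Properties ServicePrincipalNames |
    Format-List Name, DistinguishedName, ServicePrincipalNames

# 3. The Service Connection Point a domain-joined device reads to know which tenant to
#    hybrid-join. If it is missing or points at another tenant the device can only end up
#    Entra registered (the symptom in the post). Well-known GUID is the documented SCP name.
$config = (Get-ADRootDSE).configurationNamingContext
$scpDn  = "CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,$config"
try {
    $scp = Get-ADObject -Identity $scpDn -Properties keywords -ErrorAction Stop
    # Expect two entries: azureADName:<verified tenant domain> and azureADId:<tenant id>
    $scp.keywords
} catch {
    Write-Warning "Device registration SCP not found at $scpDn"
}

# 4. Client-side values the two GPO settings in the post are documented to write.
#    Run this part on the affected client. Paths are assumptions; verify against the ADMX.
$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork';                 Name = 'UseCloudTrustForOnPremAuth' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'; Name = 'CloudKerberosTicketRetrievalEnabled' }
)
foreach ($c in $checks) {
    $v = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    '{0}\{1} = {2}' -f $c.Path, $c.Name, $(if ($v) { $v.($c.Name) } else { '<not set>' })
}
```

Step 3 is the one worth running first when a device that used to hybrid-join now lands as Entra registered: the registration client decides between the two flows from the SCP (or its registry equivalent), so a missing or stale SCP after an Entra Connect migration produces exactly that symptom without any error in the user-facing UI.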

2 answers

Sort by: Most helpful
  1. Amira Bedhiafi 34,651 Reputation points Volunteer Moderator
    2025-02-17T17:40:51.89+00:00

    Try re-registering the device by running the following commands in PowerShell:

    dsregcmd /leave
    dsregcmd /debug

    Then, restart the device and attempt to join it again.

    Verify that the devices can reach the necessary Azure AD endpoints, specifically the connectivity to the following URLs:

    Test-NetConnection -ComputerName enterpriseregistration.windows.net -Port 443
    Test-NetConnection -ComputerName login.microsoftonline.com -Port 443
    Test-NetConnection -ComputerName device.login.microsoftonline.com -Port 443
    Test-NetConnection -ComputerName autologon.microsoftazuread-sso.com -Port 443

    You can use Test-NetConnection in PowerShell for that.

    Check that your firewall or proxy is not blocking traffic to the required endpoints.

    Don't forget also to check your Group Policy settings, the ones related to device registration and Windows Hello for Business.

    The AzureADKerberos objects should be created correctly. The krbtgt_AzureAD user object should be disabled, which is expected.

    Run the dsregcmd /status command on a problematic device to get detailed information about the device registration status. Look for any errors or warnings in the output.

    Check the Event Viewer logs on the device for any related errors. Look under Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin for any relevant entries.

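Added example, not part of the answer above: the checks it lists (endpoint reachability, dsregcmd /status, event logs) run together on the affected device from an elevated PowerShell session. Two practitioner notes folded in: the error in the title, 0x80072f78, is WinHTTP error 12152 (the server returned an invalid or unrecognized response), which usually means a proxy or TLS-inspecting appliance answered instead of Microsoft, and a plain TCP/443 test passes through such a proxy without detecting it; and the event IDs the asker later posts (304, 305, 307) live in the User Device Registration log, so that log is queried alongside the DeviceManagement log the answer names. The "expected" values are assumptions for a correctly hybrid-joined device.

```powershell
# Added example: connectivity, dsregcmd /status fields, and registration events in one pass.
# Not the answer's own code. Run elevated on the affected client.

# --- 1. TCP/443 reachability (a TLS-intercepting proxy passes this and still breaks registration)
$endpoints = 'enterpriseregistration.windows.net',
             'login.microsoftonline.com',
             'device.login.microsoftonline.com',
             'autologon.microsoftazuread-sso.com'
'== TCP/443 reachability'
foreach ($h in $endpoints) {
    $ok = Test-NetConnection -ComputerName $h -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue
    '{0,-40} {1}' -f $h, $(if ($ok) { 'open' } else { 'BLOCKED' })
}

# --- 2. Certificate issuer actually seen on the registration endpoint: if it is your proxy's
#        CA rather than a Microsoft/DigiCert chain, that is the 0x80072f78 path to chase.
'== TLS issuer seen for enterpriseregistration.windows.net'
try {
    $tcp = [System.Net.Sockets.TcpClient]::new('enterpriseregistration.windows.net', 443)
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, { $true })  # accept any cert; we only inspect it
    $ssl.AuthenticateAsClient('enterpriseregistration.windows.net')
    $ssl.RemoteCertificate.Issuer
    $ssl.Dispose(); $tcp.Dispose()
} catch { Write-Warning "TLS handshake failed: $($_.Exception.Message)" }

# --- 3. dsregcmd /status parsed into a table; compare the join-state fields with what hybrid join needs
'== dsregcmd /status'
$status = @{}
dsregcmd /status | ForEach-Object {
    if ($_ -match '^\s*([^:]+?)\s*:\s*(.*)$') { $status[$matches[1]] = $matches[2].Trim() }
}
$expected = [ordered]@{ AzureAdJoined = 'YES'; DomainJoined = 'YES'; EnterpriseJoined = 'NO'; AzureAdPrt = 'YES' }
foreach ($k in $expected.Keys) {
    $actual = $status[$k]
    '{0,-18} {1,-5} expected {2}{3}' -f $k, $actual, $expected[$k], $(if ($actual -ne $expected[$k]) { '   <-- mismatch' } else { '' })
}
# AzureAdJoined=NO + DomainJoined=YES + WorkplaceJoined=YES is the "Entra registered" state from the question.
'TenantName', 'TenantId', 'DeviceId', 'WorkplaceJoined', 'AzureAdPrtUpdateTime', 'AzureAdPrtAuthority' |
    ForEach-Object { '{0,-22} {1}' -f $_, $status[$_] }

# --- 4. Warnings and errors from the last 24h in both registration-related logs
$logs = 'Microsoft-Windows-User Device Registration/Admin',
        'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
foreach ($log in $logs) {
    "== $log"
    Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 1, 2, 3; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
        Format-Table -AutoSize -Wrap
}
```

If step 2 prints an issuer you do not recognise as Microsoft's chain, exempt the device-registration endpoints from TLS inspection (they are on Microsoft's published no-inspect list) before touching the AzureADKerberos objects again; the Kerberos-trust objects only matter once the device is actually hybrid joined, which step 3 tells you directly.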

  2. Čako Martin 20 Reputation points
    2025-03-18T08:29:33.0966667+00:00

    Hello @Venkata Jagadeep ,

    thank you for your response, and excuse my absence from the ticket.

    Here I provide some more things that could lead to solving this issue.

    What I think is missing in the DSREGCMD /STATUS output is an executing account name (user); that could be a lead.

    [image: dsregcmd /status output]

    EVENT ID 304 [image]

    EVENT ID 305 [image]

    EVENT ID 307 [image]

    [image]

    [image]

    Thank you,

    Martin

