Microsoft Entra Hybrid Join (Azure Hybrid Join) error - 0x80072f78

Question

Microsoft Entra Hybrid Join (Azure Hybrid Join) error - 0x80072f78

Čako Martin 20

Hello,

So I got through multiple things and I would like to know if someone has any idea what to do here.

I'm trying to join devices into tenant as hybrid joined, to deploy Windows Hello for Business.

We're using Microsoft Entra Connect after recent migration from AADC, though I thought that it was what caused the error.

Note 1: When I try to go through Windows settings, to join the devices it automaticly goes to tenant as "Entra registered device"

So let's go through prerequsities

Authentication - PTA
Device configuration - GPO
Windows (server) requirements - Servers WS2022, and notebooks W11 23H2 or later

I've tried to recreate the object of "AzureADKerberos", to see if it does anything at all.

With powershell:

Remove-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred

and then

Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred

But it.. doesn't?

It actually creates itself, two objects - krbtgt_AzureAD as an user object, and AzureADKerberos as a computer object.

The user object is created in BuiltIn OU, and is disabled by default, I don't know if that's the case, or if it's supposed to be like this, but it can't be enabled.

My GPO is set as in learn:

Use Windows Hello for Business Enabled
Use cloud trust for on-premises authentication Enabled (IS HERE MISTAKE? missing "word Kerberos" as it should be Use cloud Kerberos trust for on-premises authentication in my environment
(I tried to update adml and admx files but there was no change in the Group Policy)
Use PIN Recovery Enabled
Use hardware security device Enabled

I additionally added:

Allow retrieving the Azure AD Kerberos Ticket Granting Ticket during logon (hoped that it would change something) - didn't

I also tried dsregtool, but not much of a luck.

Computer is domain joined.

Back to the Note 1: The device gets entra joined and domain joined, the dsregtool gets okay, but when i press 3 to get the output for whats wrong in Hybrid, it's says that it doesn't have connectivity.

Well it does, 443, 80, all microsoft websites are trusted.

A year ago, this whole set up worked quite fine, without any issues, all the devices worked as they should, with computers syncing as hybrid join, but now no success.

Rather than remove, and rejoin, going into entra registered, I have no clue what to do.

2 answers

Your answer

Answer 1

Amira Bedhiafi 34,651 Volunteer Moderator

Try re-registering the device by running the following commands in PowerShell:


dsregcmd /leave

dsregcmd /debug

Then, restart the device and attempt to join it again.

Verify that the devices can reach the necessary Azure AD endpoints, specifically the connectivity to the following URLs:

Test-NetConnection -ComputerName enterpriseregistration.windows.net -Port 443
Test-NetConnection -ComputerName login.microsoftonline.com -Port 443
Test-NetConnection -ComputerName device.login.microsoftonline.com -Port 443
Test-NetConnection -ComputerName autologon.microsoftazuread-sso.com -Port 443

You can use Test-NetConnection in PowerShell for that.

Check that your firewall or proxy is not blocking traffic to the required endpoints.

Don't forget also to check your Group Policy settings the ones related to device registration and Windows Hello for Business.

The AzureADKerberos objects should be created correctly. The krbtgt_AzureAD user object should be disabled, which is expected.

Run the dsregcmd /status command on a problematic device to get detailed information about the device registration status. Look for any errors or warnings in the output.

Check the Event Viewer logs on the device for any related errors. Look under Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin for any relevant entries.

Venkata Jagadeep 1,400 Reputation points Microsoft External Staff Moderator

2025-02-18T21:13:02.7433333+00:00

Hello Čako Martin,

Did you get a chance to check the connectivity to Azure AD Endpoints as mentioned by Amira Bedhiafi?

You can run the DSRegTool to do basic troubleshooting for device registration issues.

Please find the below link to download

https://aka.ms/DSRegTool

When you collect logs with option 7 in the script, you can see the endpoint url connectivity status. You can see the below text files recorded which shows the conectivity to the required urls when you run the script.

AADExtention\login.microsoftonline.com.txt - Shows connectivity result to login.microsoftonline.com

AADExtention\device.login.microsoftonline.com.txt - Shows connectivity result to device.login.microsoftonline.com

AADExtention\enterpriseregistration.windows.net.txt- Shows connectivity result to enterpriseregistration.windows.net
Venkata Jagadeep 1,400 Reputation points Microsoft External Staff Moderator

2025-02-20T18:18:58.25+00:00

Hello Čako Martin,,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Čako Martin 20 Reputation points

2025-02-21T11:01:13.64+00:00

Hello @Amira Bedhiafi , @Venkata Jagadeep ,
thank you very much for contributing.

I have not yet resolved the issue, but I got some more results from the DSREGTool.

(The Test-NetConnection works)

You can see as below:

With this error I hasn't gotten much of thing googling it, rather than licenses, I have license Microsoft 365 E3 on my account, which is enough for full office package & intune and many more stuff.

I also pasted the outputs onto github, if would get more out of it. https://github.com/MartinIXP/ixp.git

Thank you.

Martin
Venkata Jagadeep 1,400 Reputation points Microsoft External Staff Moderator

2025-02-25T01:46:31.68+00:00

Hello Čako Martin,

We see that you are getting the below error while

AADSTS90014: The required field 'request' is missing from the credential. Ensure that you have all the necessary parameters for the login request.

Please share us the result for the below command removing PII information.

dsregcmd /status

When Microsoft Entra Kerberos is enabled in an Active Directory domain, an AzureADKerberos computer object is created in the domain. This object:

Appears as a read only domain controller (RODC) object, but isn't associated with any physical servers

It is only used by Microsoft Entra ID to generate TGTs for the Active Directory domain

I suggest you to please follow the below document to configure cloud kerberos trust with WHFB.

https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust?tabs=intune
Venkata Jagadeep 1,400 Reputation points Microsoft External Staff Moderator

2025-02-26T18:20:34.5+00:00

Hello Čako Martin,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Venkata Jagadeep 1,400 Reputation points Microsoft External Staff Moderator

2025-02-27T16:28:22.7333333+00:00

Hello Čako Martin,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Čako Martin 20 Reputation points

2025-03-03T14:25:07.67+00:00

Hello @Venkata Jagadeep ,

Please apologise me for not responding.

I appreciate your message.

I'd like to share with you screenshots from event viewer logs, and dsregcmd logs as requested, and some additional.

The AzureADSSOAcc is placed in different OU than "Computers" (built-in) OU, but the OU where the object "AzureADSSOACC" is placed is being synced, so I guess that shouldn't be the problem.

DSREGCMD /STATUS DSREGCMD /JOIN

After the dsregcmd /status though, it does do this:
Venkata Jagadeep 1,400 Reputation points Microsoft External Staff Moderator

2025-03-04T18:08:05.98+00:00

Hello Čako Martin,

With the screenshots provided, it shows registration failed at joining phase with error code 0x80072F78 which means the server returned an invalid or unrecognized response

You can temporarily turn off the firewall on the server and check if that resolves the error. Antivirus in some cases could also be the cause of this issue. Turn off the AV and see if that allows the prerequisites download.

If you are not a network admin, you can always contact your network team and explain them about this issue. If you think any other network device could be blocking the downloads, the network team should be able to resolve this issue for you.

Need to make sure the device is able to access below endpoints as mentioned in the document.

https://enterpriseregistration.windows.net

https://login.microsoftonline.com

https://device.login.microsoftonline.com

https://autologon.microsoftazuread-sso.com

https://learn.microsoft.com/en-us/entra/identity/devices/how-to-hybrid-join#network-connectivity-requirements
Čako Martin 20 Reputation points

2025-03-05T08:35:20.9533333+00:00

Hello @Venkata Jagadeep ,

Thank you for your quick response.

I used my test computer with provided instructions, disconnected it from azure completly, using in Windows section Settings -> Accounts -> Disconnect.

And here's the results.

The device did join azure back, but only into the azure registration phase.

After that, trying to join the device to hybrid mode, it goes to this error:

Thank you,

Martin
Čako Martin 20 Reputation points

2025-03-05T08:59:39.4433333+00:00

Additionally, this is the screenshot from Entra:

Čako Martin 20

For all those who following these question, I recommend checking ADSIEDIT.MSC for object container "CONFIGURATION/SERVICES" missing object Device Registration Services might cause trouble. Not my resolution but will follow the lead. It's part of the SCP (Service Connection Point) configuration, and had to be added manually.

You can check if it's added through a command pasted below:

Get-ADObject -Filter {objectClass -eq "serviceConnectionPoint"} -SearchBase "CN=Configuration,DC=domain,DC=com"

Then assign it with your tenant using script:

$tenantID = "<tenantID>"

$rootDSE = [ADSI]"LDAP://RootDSE"

$configurationNC = $rootDSE.configurationNamingContext

$scpDN = "CN=$tenantID,CN=Device Registration Services,CN=Services,$configurationNC"

New-ADObject -Name $tenantID -Type serviceConnectionPoint -Path "CN=Device Registration Services,CN=Services,$configurationNC" -OtherAttributes @{

    serviceBindingInformation = "https://enterpriseregistration.windows.net"

    keywords = @("AzureADId=$tenantID")

}

Čako Martin 20 Reputation points

2025-03-07T15:00:42.62+00:00

Hello @Venkata Jagadeep ,

Were you able to have a look at the previous posts and stuff I provided?

I tried to Reconfigure the Entra connect sync using Device options, Configure SCP, etc, to see if it does anything at all, but it didn't.

Devices stay in entra registered state.

I also wanted to try

Initialize-ADSyncDomainJoinedComputerSync –AdConnectorAccount [connector account name] -AzureADCredentials $aadAdminCred

as a command that is to force SCP, but it is depricated I think? Because of MSOnline modules deprication.

Thank you in advance,

Martin
Venkata Jagadeep 1,400 Reputation points Microsoft External Staff Moderator

2025-03-07T19:50:59.76+00:00

Hello Čako Martin,

Thank you for the update.

I hope you have followed the below document to configure Hybrid Azure AD Join.

https://learn.microsoft.com/en-us/entra/identity/devices/how-to-hybrid-join#managed-domains

If your Windows 10 or newer domain joined devices are Microsoft Entra registered to your tenant, it might lead to a dual state of Microsoft Entra hybrid joined and Microsoft Entra registered device.

We recommend upgrading to Windows 10 1803 (with KB4489894 applied) or newer to automatically address this scenario.

Any existing Microsoft Entra registered state for a user would be automatically removed after the device is Microsoft Entra hybrid joined and the same user logs in. For example, if User A had a Microsoft Entra registered state on the device, the dual state for User A is cleaned up only when User A logs in to the device. If there are multiple users on the same device, the dual state is cleaned up individually when those users sign in.

I request you to share the result of below command in private window for further troubleshooting.

dsregcmd /status

In Event Viewer, open the User Device Registration event logs. They're stored under Applications and Services Log > Microsoft > Windows > User Device Registration and Look for events with the following event IDs: 304, 305, and 307.

Please refer the below document to check possible causes and resolutions.

https://learn.microsoft.com/en-us/entra/identity/devices/troubleshoot-hybrid-join-windows-current#step-4-check-for-possible-causes-and-resolutions

Confirm SCP is created correctly

The service connection point (SCP) object is used by your devices during the registration to discover Azure AD tenant information. In your on-premises Active Directory (AD), the SCP object for the auto-registration of domain-joined devices must exist in the configuration naming context partition of the computer's forest. In your forest, the SCP object for the auto-registration of domain-joined devices is located at:

CN=62a0ff2e-####-####-####-############,CN=Device Registration Configuration,CN=Services,[Your Configuration Naming Context]

You can verify the existence of the object and retrieve the discovery values using the following Windows PowerShell script:

$scp = New-Object System.DirectoryServices.DirectoryEntry;

$scp.Path = "LDAP://CN=62a0ff2e-####-####-####-############,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=fabrikam,DC=com";

$scp.Keywords;

The $scp.Keywords output shows the Azure AD tenant information, for example:

azureADName:contoso.com

azureADId:72f988bf-####-####-####-############

SCP reference :

https://learn.microsoft.com/en-us/entra/identity/devices/hybrid-join-manual#configure-a-service-connection-point
Venkata Jagadeep 1,400 Reputation points Microsoft External Staff Moderator

2025-03-11T18:15:06.3533333+00:00

Hello Čako Martin,

The information in the Service Connection Point is used by domain-joined devices during their Hybrid Azure AD Join to discover Azure AD tenant information through an LDAP query.

The below command will show the list of SCPs configured

Get-ADObject -Filter "ObjectClass -eq 'serviceConnectionPoint'"

Microsoft Entra hybrid join requires devices to have access to the following Microsoft resources from inside your organization's network:

https://enterpriseregistration.windows.net

https://login.microsoftonline.com

https://device.login.microsoftonline.com

https://autologon.microsoftazuread-sso.com

https://device.login.microsoftonline.com

https://enterpriseregistration.windows.net

Document reference for configuring Hybrid Azure AD Join Devices.

https://learn.microsoft.com/en-us/entra/identity/devices/how-to-hybrid-join#managed-domains
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Čako Martin 20 Reputation points

2025-03-24T07:20:49.3+00:00

Hello @Venkata Jagadeep , do you still follow this thread?

Thank you, Martin
Čako Martin 20 Reputation points

2025-04-14T11:58:20.14+00:00

Hello @Venkata Jagadeep ,

do you have any more ideas that could help solving this case?

As I mentioned before, we switched from ADFS to Pass-through authentication, and then soon enough it stopped working.

Thank you,

Martin
Rukmini 3,916 Reputation points Microsoft External Staff Moderator

2025-04-15T09:59:22.27+00:00

Hello Čako Martin, Lets continue the discussion in private messages for further investigation

Answer 2

Čako Martin 20

Hello @Venkata Jagadeep ,

thank you for your response, and excuse for my absence in the ticket.

Here I provide some more things that could lead to solving this issue.

What I think is missing in the DSREGCMD /STATUS is an executing account name (user), that could be a lead.

User's image

EVENT ID 304 User's image

EVENT ID 305 User's image EVENT ID 307

User's image

Thank you,

Martin

Čako Martin 20 Reputation points

2025-03-18T08:47:23.59+00:00

Additionally, our previous environment used to use ADFS, and we deployed Entra Hybrid kerberos using ADFS, only for switching after 2 months to pass-through authentication.

Share via

Microsoft Entra Hybrid Join (Azure Hybrid Join) error - 0x80072f78

2 answers

Your answer