This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(307.2, 21%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERL%3C/text%3E%3C/svg%3E)
Hi All,
We have configured AADC to sync on-prem AD object / password hash to O365 with ADFS for federation and access control.
We are planning to change our O365 from federated domain to managed domain, so we can dismiss the ADFS.
It will involve Hybrid Azure AD join our domain computers, setup Azure AD conditional access and then dismiss the ADFS, while keeping AADC to sync on-prem AD object / password hash to O365.
Original plan:
According to Microsoft documents: "Beginning with Windows 10 1803, if the instantaneous hybrid Azure AD join for a federated environment by using AD FS fails, we rely on Azure AD Connect to sync the computer object in Azure AD that's subsequently used to complete the device registration for hybrid Azure AD join."
So I am thinking a new plan to simplify the steps:
Will this migration step work?
Thanks,
Roy
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 5%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
Hi @roy lee , the plan that you mentioned will definitely work. This is also documented at https://learn.microsoft.com/en-us/azure/active-directory/hybrid/plan-migrate-adfs-password-hash-sync#hybrid-azure-ad-joined-devices
Hi @Abhijeet-MSFT ,
Yes what you said is also I expect to happen. But I found that the Device registered instead of pending at the same time of the Add Device event in the Audit log.
Below is the Device List showing the Registered time:
And also, from the computer's event log, it also show the registration success at the same time.
It's strange.
Please advise.
Thanks,
Roy
HI @roy lee , I guess I missed a major play here. Your domain is currently federated and as such it will not have to wait for AD Connect to sync the account to mark the device as Hybrid join. The ADFS process for hybrid Azure AD join doesn’t need the computer object’s userCertificate attribute to be updated or synchronized to AAD. ADFS creates the computer object in AAD and sends a certificate to the device, allowing AAD registration to complete much faster.
Hi @Abhijeet-MSFT ,
Thanks for your reply.
I have tried 2 computers following Second Plan step 1-3.
A strange thing is the domain computer will appear on AAD before the AADC sync computer object to AAD.
The normal sequence according to other tech articles:
But in my case, the sequence is not same:
I have attached the Audit log to show the sequence.
Microsoft changed/improved the AAD hybrid join sequence? or anything wrong on my tenant?
Thanks,
Roy
Hi @roy lee , This is the expected behavior. When you logon to a computer, it will run the automatic workplace join scheduled task on the machine. This will generate a self signed certificate. One part will be sent to Onprem AD domain controller and another part to Azure AD. Once the device has discovered SCP and before AD connect syncs the object, the device is added to the Azure AD but the status shows as pending (screenshot below). Only once Ad connect has synced the device, authentication happens for the devices based on the parts that device has added to onprem AD DC and on Azure AD. Once the authentication is complete, the device status changes from pending to hybrid join.
HI @Abhijeet-MSFT , I will check in detail next Monday.
It may be possible. As I know it should be run and it will add or modify some claim rules in ADFS to handle the hybrid AAD join. But I didn't run AADC to configure the hybrid AAD join with my ADFS.
May I know what exact event log entries will show in ADFS when the computer do hybrid AAD join? So that I can verify?
Thanks,
Roy
So in a federated environment, if you run ad connect for hybrid join it would automatically create the claim rules. For your question, all the hybrid join information will be in user device registration logs of the device. This is available under event viewer -> Application & service logs -> Microsoft -> Windows -> user device registration -> admin
Hi @Abhijeet-MSFT ,
I have double checked our ADFS does not have all the 5 claim rules for hybrid domain join according to microsoft doc hybrid-azuread-join-manual, as I didn't run the AADC "Configure Device options". Only the "Issue account type for domain-joined computers" exist. So I am afraid the computer object is not created by ADFS.....
Please advise.
Thanks,
Roy
@roy lee , as a test, could you pause scheduler on the ad connect server and try to perform the same test again? This will give us an idea.
I just checked the audit log again that you shared above and the actor there shows as synchronization account. It is possible that when the device discovered SCP and wrote the cert in AD, Ad connect scheduler ran and imported the change and exported to Azure AD.
Hi @Abhijeet-MSFT ,
I have disconnected the network of the ADFS/AADC server.
New domain computer it03-n try to perform hybrid AAD join but failed.
it03-n event log show that it know the tenant type is federated!
But it suppose will register AAD directly if fail to register in ADFS?
User certificate is not show in Domain computer object.
Azure AD device list and audit log, nothing about it03-n.
Connect the network of ADFS/AADC server while keep the AAD sync stopped.
Login it03-n and it perform hybrid AAD join with success result at 10:22:33am.
User certificate show in Domain computer object.
Azure device list and audit log show it03-n is registered to AAD at 10:22:33am.
Run dsregcmd /status in it03-n show it is AAD joined.
Enable the AAD sync.
Checked in Azure audit log, show it03-n is updated at 10:46:23am.
That means in federated domain, domain computer relies on ADFS for hybrid AAD join!
It success without the 5 claim rules in ADFS?
Roy
Add screen captures.
hi @Abhijeet-MSFT , any update?
Thanks,
Roy
Hi @roy lee , it is not possible for a device to register with Azure AD without any claim rules on ADFS. I would appreciate if you could share the output of dsregcmd /status from the device & also of Get-AdfsClaimDescription | FL (after removing any personal information).
Hi @Abhijeet-MSFT , attached the Get-AdfsClaimDescription and dsregcmd for output in it03-n machine.
65262-get-adfsclaimdescription.txt
65264-dsregcmd.txt
Thanks,
Roy
DSREGCMD shows that the PRT has been issued by ADFS. The other file does not have all the information needed. Could you share the output of Get-AdfsRelyingPartyTrust -name "Microsoft office 365 identity platform" | FL *