Hi All, We have configured AADC to sync on-prem AD object / password hash to O365 with ADFS for federation and access control. We are planning to change our O365 from federated domain to managed domain, so we can dismiss the ADFS. It will involve Hybrid Azure AD join our domain computers, setup Azure AD conditional access and then dismiss the ADFS, while keeping AADC to sync on-prem AD object / password hash to O365. Original plan: Setup AAD hybrid join with federation domain. Windows 10 computer will auto AAD hybrid join. Setup Conditional Access rules. Change federation domain to managed domain. Change AAD hybrid join to managed domain. Dismiss ADFS. According to Microsoft documents: "Beginning with Windows 10 1803, if the instantaneous hybrid Azure AD join for a federated environment by using AD FS fails, we rely on Azure AD Connect to sync the computer object in Azure AD that's subsequently used to complete the device registration for hybrid Azure AD join." So I am thinking a new plan to simplify the steps: AADC sync WIndows 10 computer to AAD Setup SCP GPO to publish SCP to Windows 10 computers. Windows 10 auto do the AAD hybrid join. Setup Conditional Access rule. Change federation domain to managed domain. Dismiss ADFS. Will this migration step work? Thanks, Roy

Hi @Abhijeet-MSFT , dsregcmd show EnterprisePrt: No. Also no EnterprisePrtExpiryTime and no EnterprisePrtUpdateTime. How you know it is issued by ADFS? Attached the output of Get-AdfsRelyingPartyTrust -name "Microsoft office 365 identity platform worldwide" | FL * This is the only one Rely party in my ADFS. 66688-get-adfsrelyingpartytrust.txt

Hi @Abhijeet-MSFT , Any update?

Hi @Abhijeet-MSFT , Waiting your reply. Or let it be?

Hybrid Azure AD join computer procedure

roy lee 51

Hi All,

We have configured AADC to sync on-prem AD object / password hash to O365 with ADFS for federation and access control.

We are planning to change our O365 from federated domain to managed domain, so we can dismiss the ADFS.
It will involve Hybrid Azure AD join our domain computers, setup Azure AD conditional access and then dismiss the ADFS, while keeping AADC to sync on-prem AD object / password hash to O365.

Original plan:

Setup AAD hybrid join with federation domain.
Windows 10 computer will auto AAD hybrid join.
Setup Conditional Access rules.
Change federation domain to managed domain.
Change AAD hybrid join to managed domain.
Dismiss ADFS.

According to Microsoft documents: "Beginning with Windows 10 1803, if the instantaneous hybrid Azure AD join for a federated environment by using AD FS fails, we rely on Azure AD Connect to sync the computer object in Azure AD that's subsequently used to complete the device registration for hybrid Azure AD join."

So I am thinking a new plan to simplify the steps:

AADC sync WIndows 10 computer to AAD
Setup SCP GPO to publish SCP to Windows 10 computers.
Windows 10 auto do the AAD hybrid join.
Setup Conditional Access rule.
Change federation domain to managed domain.
Dismiss ADFS.

Will this migration step work?

Thanks,
Roy

8 answers

roy lee 51 Reputation points

2021-02-11T01:57:43.39+00:00

Hi @Abhijeet-MSFT ,

dsregcmd show EnterprisePrt: No. Also no EnterprisePrtExpiryTime and no EnterprisePrtUpdateTime. How you know it is issued by ADFS?

Attached the output of Get-AdfsRelyingPartyTrust -name "Microsoft office 365 identity platform worldwide" | FL *

This is the only one Rely party in my ADFS.

66688-get-adfsrelyingpartytrust.txt
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
roy lee 51 Reputation points

2021-02-18T06:56:15.617+00:00

Hi @Abhijeet-MSFT ,

Any update?
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
roy lee 51 Reputation points

2021-03-01T09:02:14.74+00:00

Hi @Abhijeet-MSFT ,

Waiting your reply.

Or let it be?
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Hybrid Azure AD join computer procedure

8 answers

Your answer