Hybrid Join for large directory

Antti Lahti 1 Reputation point


We are highly interested in hybrid-joining our devices into Azure AD. As we have a rather large industrial environment with lots of network segments that do not have access to the internet at all, as well as a rather large number of unsupported devices (from Win XP upwards), we would like to configure hybrid join for certain devices only and ideally add more as we go. The idea is that we would hybrid-join all the new devices by adding the computer object to a certain OU.

Therefore I'd like to know whether the OU-filtering actually works. According to our tests, the AD Connect wizard for setting up device sync does not include a setting for OU-filtering. Instead, afterwards you can go into "Customize synchronization options" in AD Connect to do the filtering. We didn't check the latter before we enabled device sync in our test environment, but when we went to check the OU-filtering afterwards, it looked like all the OUs containing computers (WIN10) were included in the sync scope, even though we think those were not there before. Then we disabled the OUs we did not want to synchronize.

I have a couple of questions, and if you know the answer to any of them, please just reply:

  1. Does setting up the device sync already initiate a sync, or some pre-stages of the sync, for ALL the devices in the AD, thus making OU-filtering unusable?
  2. There are contradicting recommendations that all the devices should be synced. Why, if OU-filtering is available?
  3. Do you see any risks associated with turning on the device sync? Especially considering that we have lots of legacy devices, and some of those, as well as some WIN10 devices, are behind very restricted networks and thus cannot access anything outside our on-prem environment.
  4. If we run into sync issues, is rollback possible by removing the SCP from the AD?

1 answer

  1. VipulSparsh-MSFT 16,011 Reputation points

    @AnttiLahti-8160 The important thing about OU filtering is that new OUs that are created after filtering has been configured are synchronized by default. So you would have to go and manually uncheck the new OUs to stop them from syncing.
    Coming to your questions:

    1) If you turn on Device Sync, only the computers present in the OUs allowed for the sync process should sync. Any machine which is not in a configured OU will not be synced. The whole purpose of OU filtering is to allow admins to select what they want to synchronize. You can read more about it here.

    2) Can you share some of those recommendations? We will investigate them. Again, syncing any devices should be in the control of admins. OU filtering definitely helps here.

    3) If you have a restricted network which does not allow any access outside on-prem, you can skip those machines, as doing a hybrid AD join would not be preferable on them. The whole idea is to get an Azure AD token for those devices, but if we already know that they have such a restricted network, you can keep them in an OU which is not getting synchronized.

    4) If you remove the SCP from AD, the sync for devices will obviously fail, as that will not meet the basic pre-req of finding a location where the devices need to be registered. This will keep on showing error messages in the Azure AD Connect tool. The best way would be to uncheck Device Sync (Hybrid Azure AD join) by running the config wizard once again.

    However, if you want to sync your machines, our suggestion would be to troubleshoot the sync issues as we come across them. A good start to troubleshooting hybrid join issues can be found here.

    If the suggested response helped you resolve your issue, do click on "Mark as Answer" and "Up-Vote" for the answer that helped you, for the benefit of the community.
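As an added example (not code from the question, the answer, or Microsoft), the following PowerShell audit checks the two points the answer raises: which OUs the Azure AD Connect AD connector actually has in its sync scope (so OUs created after filtering was configured, which are included by default, show up), and whether the SCP the devices need for registration is present. It assumes it runs on the Azure AD Connect server with the ADSync and ActiveDirectory modules available, that the AD DS connector reports `ConnectorTypeName` of `AD`, and uses a placeholder OU distinguished name for the intended hybrid-join OU.

```powershell
# Added example: audit the AD connector's OU sync scope against the OUs you
# intend to hybrid-join, then confirm the Service Connection Point exists.
# Run on the Azure AD Connect server. The OU DN below is a constructed placeholder.
Import-Module ADSync
Import-Module ActiveDirectory

$IntendedOUs = @(
    'OU=HybridJoin,OU=Workstations,DC=corp,DC=example'   # placeholder DN
)

# 1) Every container the AD DS connector currently includes in its sync scope.
$adConnector = Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq 'AD' }
$included = foreach ($partition in $adConnector.Partitions) {
    $partition.ConnectorPartitionScope.ContainerInclusionList
}

# 2) In-scope containers that are NOT on the intended list. New OUs created
#    after filtering was configured land here, because they sync by default.
$unexpected = $included | Where-Object { $IntendedOUs -notcontains $_ }
foreach ($dn in $unexpected) {
    $computers = @(Get-ADComputer -Filter * -SearchBase $dn -SearchScope Subtree `
                   -ErrorAction SilentlyContinue)
    Write-Warning ("In sync scope but not intended: {0} ({1} computer objects)" -f $dn, $computers.Count)
}

# 3) Intended OUs missing from the scope: computers there would never hybrid-join.
$IntendedOUs | Where-Object { $included -notcontains $_ } |
    ForEach-Object { Write-Warning "Intended OU is NOT in sync scope: $_" }

# 4) Confirm the SCP exists in the configuration partition. Without it,
#    device registration cannot find the tenant, which is the failure mode
#    the answer describes for removing the SCP.
$configNC = (Get-ADRootDSE).configurationNamingContext
$scpPath  = "CN=62a0ff2e-97b9-4513-943f-0d221bd30080," +
            "CN=Device Registration Configuration,CN=Services,$configNC"
$scp = Get-ADObject -Identity $scpPath -Properties keywords -ErrorAction SilentlyContinue
if ($scp) {
    # keywords hold the azureADName and azureADId values the devices read.
    $scp.keywords | Where-Object { $_ -like 'azureAD*' } | ForEach-Object { "SCP: $_" }
} else {
    Write-Warning 'No SCP found in the configuration partition; hybrid join cannot proceed.'
}
```

Re-run the audit after creating new OUs or changing filtering, since the inclusion list is what decides which computer objects reach Azure AD regardless of what the device sync wizard showed.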