Rollout hybrid Azure AD join after Controlled validation

Chabango 61 Reputation points
2021-03-29T14:15:02.39+00:00

I have 2 questions revolving around Controlled validation of hybrid Azure AD join:

1. After configuring [Hybrid Azure AD join for federated domains][1], if I want to use Controlled validation, I assume I need to immediately [Clear the SCP from AD][2]?
2. Once I am ready to roll out Hybrid Azure AD join after testing via Controlled validation, what is the best practice for enabling it across the domain: repopulating the SCP in ADSI Edit by adding back the azureADId and azureADName values?

[1]: https://learn.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-federated-domains
[2]: https://learn.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-control#clear-the-scp-from-ad

Microsoft Security | Active Directory Federation Services
Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

Pierre Audonnet - MSFT, 10,191 Reputation points, Microsoft Employee
2021-04-03T17:15:35.69+00:00

Windows 10 machines first check their registry, and only if there is no information there do they check the SCP. So for your questions:

1. You don't even need to configure the SCP when you go through the Azure AD Connect wizard. You can just download the PowerShell script and do it later. Some organizations even have to do it this way because the admin of the Azure AD Connect servers doesn't necessarily have permission to write the SCP on their own. So they download the script and they send it to the AD admins.
2. You can do it manually; you can also download the script from the Azure AD Connect wizard:

[screenshot of the Azure AD Connect wizard]

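The lookup order the answer describes (client registry first, then the SCP in the AD Configuration partition) is what decides which tenant a pilot device will register with during Controlled validation, and which tenant every device will use once the SCP is repopulated. The following script is an added example, not code from the thread or from Microsoft; it reports where a given client will find its tenant information so an admin can confirm a pilot machine is really using the registry override and that the SCP is absent (or, after rollout, present with the expected azureADId and azureADName). It assumes it is run on a domain-joined Windows 10 client with the RSAT ActiveDirectory module installed, by an account that can read the Configuration partition; the registry path and SCP location are the documented ones, the function names are this example's own.

```powershell
# Added example (not from the Q&A thread). Reports the hybrid Azure AD join
# tenant a client would use, following the precedence from the answer:
# client registry override first, then the SCP in AD.
# Assumes: RSAT ActiveDirectory module; read access to the Configuration NC.

function Get-HybridJoinRegistryOverride {
    # Client-side keys used for Controlled validation (targeted rollout).
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD'
    if (-not (Test-Path -Path $path)) { return $null }
    $props = Get-ItemProperty -Path $path
    if (-not $props.TenantId -and -not $props.TenantName) { return $null }
    [pscustomobject]@{
        Source     = 'Registry'
        TenantId   = $props.TenantId
        TenantName = $props.TenantName
    }
}

function Get-HybridJoinScp {
    # Service connection point written by the Azure AD Connect script.
    Import-Module ActiveDirectory -ErrorAction Stop
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $dn = 'CN=62a0ff2e-97b9-4ad1-a4d2-6c5bfbc1b0a8,' +
          "CN=Device Registration Configuration,CN=Services,$configNc"
    try {
        $scp = Get-ADObject -Identity $dn -Properties keywords -ErrorAction Stop
    } catch {
        # Object missing: SCP has been cleared (or never created).
        return $null
    }
    if (-not $scp.keywords) { return $null }
    $id   = @($scp.keywords | Where-Object { $_ -like 'azureADId:*' })[0]   -replace '^azureADId:', ''
    $name = @($scp.keywords | Where-Object { $_ -like 'azureADName:*' })[0] -replace '^azureADName:', ''
    [pscustomobject]@{
        Source     = 'SCP'
        TenantId   = $id
        TenantName = $name
    }
}

function Resolve-HybridJoinTenant {
    # Registry wins; the SCP is consulted only when the registry has nothing.
    $reg = Get-HybridJoinRegistryOverride
    if ($reg) { return $reg }
    $scp = Get-HybridJoinScp
    if ($scp) { return $scp }
    [pscustomobject]@{ Source = 'None'; TenantId = $null; TenantName = $null }
}

Resolve-HybridJoinTenant | Format-List
```

A pilot device during Controlled validation should report `Source: Registry` with the pilot tenant; a non-pilot device should report `Source: None` while the SCP is cleared, and `Source: SCP` after it is repopulated. Pair this with `dsregcmd /status` on the client to confirm the device actually completed the join against that tenant.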
