Rollout hybrid Azure AD join after Controlled validation

Chabango 41 Reputation points
2021-03-29T14:15:02.39+00:00

I have two questions revolving around Controlled validation of hybrid Azure AD join:

1. After configuring [Hybrid Azure AD join for federated domains,][1] if I want to use Controlled validation, I assume I need to immediately [Clear the SCP from AD][2]?
2. Once I am ready to roll out Hybrid Azure AD join after testing via Controlled validation, what is the best practice for enabling it across the domain, repopulating the SCP in ADSI Edit by adding back the azureADId and azureADName values?

[1]: https://learn.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-federated-domains
[2]: https://learn.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-control#clear-the-scp-from-ad


1 answer

  1. Pierre Audonnet - MSFT 10,166 Reputation points Microsoft Employee
    2021-04-03T17:15:35.69+00:00

    Windows 10 machines first check their registry, and only if there is no information there do they check the SCP. So for your questions:

    1. You don't even need to configure the SCP when you go through the Azure AD Connect wizard. You can just download the PowerShell script and do it later. Some organizations even have to do it this way because the admins of the Azure AD Connect servers don't necessarily have permission to write the SCP on their own. So they download the script and they send it to the AD admins.
    2. You can do it manually; you can also download the script from the Azure AD Connect wizard:

    [screenshot: 84233-image.png]

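The answer's key point is the precedence rule: a device uses the registry values first and only falls back to the SCP. The following PowerShell is an added example, not code from the original post or from Microsoft; it reads both sources read-only so an admin can confirm, during Controlled validation or after the SCP is repopulated, which tenant a given machine would actually register against. It assumes a domain-joined Windows 10 machine that can reach a domain controller over LDAP, the documented SCP container name under the Configuration naming context, and the documented registry key `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD` with `TenantId` and `TenantName` values used for Controlled validation.

```powershell
# Added example (not from the original post): report which hybrid Azure AD
# join configuration source this device would use and flag drift between them.
# Assumes: domain-joined Windows 10, LDAP reachability to a DC, and the
# documented SCP container / registry key locations.

function Get-HybridJoinScp {
    # The SCP lives in the Configuration naming context under a well-known
    # container name; its multi-valued 'keywords' attribute carries
    # 'azureADId:<tenant guid>' and 'azureADName:<verified domain>'.
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNc = $rootDse.configurationNamingContext
    $scpPath  = "LDAP://CN=62a0ff2e-97b9-4088-9b5b-5b1b3b0d5e2a,CN=Device Registration Configuration,CN=Services,$configNc"

    if (-not [ADSI]::Exists($scpPath)) {
        return $null   # container never created (or cleared entirely)
    }

    $scp    = [ADSI]$scpPath
    $result = [ordered]@{ TenantId = $null; TenantName = $null }
    foreach ($kw in $scp.Properties['keywords']) {
        if ($kw -like 'azureADId:*')   { $result.TenantId   = $kw.Substring('azureADId:'.Length) }
        if ($kw -like 'azureADName:*') { $result.TenantName = $kw.Substring('azureADName:'.Length) }
    }
    return [pscustomobject]$result
}

function Get-HybridJoinRegistryOverride {
    # Controlled validation targets individual machines by writing TenantId /
    # TenantName here; the device consults this before the SCP.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD'
    if (-not (Test-Path $key)) { return $null }

    $props = Get-ItemProperty -Path $key
    if ([string]::IsNullOrEmpty($props.TenantId)) { return $null }
    return [pscustomobject]@{ TenantId = $props.TenantId; TenantName = $props.TenantName }
}

function Get-HybridJoinEffectiveSource {
    $reg = Get-HybridJoinRegistryOverride
    $scp = Get-HybridJoinScp

    if ($reg) {
        $source = 'Registry'
        $tenant = $reg
    } elseif ($scp -and $scp.TenantId) {
        $source = 'SCP'
        $tenant = $scp
    } else {
        $source = 'None'
        $tenant = [pscustomobject]@{ TenantId = $null; TenantName = $null }
    }

    # Drift check: once the SCP is repopulated, leftover registry overrides
    # pointing at a different tenant are worth catching before rollout.
    $drift = $false
    if ($reg -and $scp -and $scp.TenantId -and ($reg.TenantId -ne $scp.TenantId)) {
        $drift = $true
    }

    return [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        EffectiveSource  = $source
        TenantId         = $tenant.TenantId
        TenantName       = $tenant.TenantName
        ScpPresent       = [bool]($scp -and $scp.TenantId)
        RegistryOverride = [bool]$reg
        TenantMismatch   = $drift
    }
}

Get-HybridJoinEffectiveSource | Format-List
```

Run it on a pilot machine during Controlled validation and you should see `EffectiveSource` = `Registry` with `ScpPresent` = `False`; after the SCP is repopulated for the domain-wide rollout, a machine without the override should report `EffectiveSource` = `SCP`. A `TenantMismatch` of `True` means the pilot override and the SCP disagree, which is the case to resolve before enabling join broadly. `dsregcmd /status` on the device confirms what the join client itself concluded.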