Intune GPO enrollment for on-prem domain join machines with different on-prem and Azure domain names

Rookie{} 61 Reputation points
2022-04-05T19:01:34.11+00:00

Hey everyone,

We are in process of implementing intune in our org. We have an onprem domain with domainname.corp and Azure Ad domain with domainname.com

On-premdomain: domainname.corp, domainname.com(Alternate domain)
AzureADdomain: domainname.com

Everything has been working fine since this setup which was couple of years ago, syncs are happening fine and Azure syncs the user fine with domainname.com as the users UPN.

We have intune setup for auto enrollment which has been fine so far for new machine setups.

For existing machines which are joined to our on-prem AD domainname.corp, the GPO is setup and it is initiating the join to Azure AD as expected by scheduling the tasks in scheduler
The issue we are having is user UPN, where they login to the machine with username@domainname.corp and it is failing the intune enrolment in the process because the UPN is not matching with Azure.
The solution at the moment is that we need to change the User object on the On-prem AD to be able to use the alternate domain domainname.com and then user can login with that FQDN on machine.

Would like to know if anyone else is having similar problem and is there a way where we can keep the domainname.corp sign in for the user and successfully use the GPO to enroll machines.
Thank you in advance for all the help.

Microsoft Intune Enrollment
Microsoft Intune Enrollment
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Enrollment: The process of requesting, receiving, and installing a certificate.
1,280 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,062 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Crystal-MSFT 44,841 Reputation points Microsoft Vendor
    2022-04-06T01:33:55.38+00:00

    @Rookie{} , For GPO enrollment, one prerequisite is AzureAdPrt needs to be Yes.
    https://learn.microsoft.com/en-us/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy#verify-auto-enrollment-requirements-and-settings

    If the on-premises AD users UPNs are different from your Azure AD UPN, Windows 10 or newer hybrid Azure AD join provides limited support for on-premises AD UPNs based on the authentication method. We can see if our scenario is supported.
    https://learn.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan#review-on-premises-ad-users-upn-support-for-hybrid-azure-ad-join

    In some environment, to make the AzureAdPrt as Yes, we will choose the same method as yours to add the UPN suffix in on-premise domain to make it works.

    Hope it can help.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.