I am following the steps below and do not see an SCP entry in AD. My goal is to set up computers with Hybrid Azure AD join. I created the two registry entries.
My question is: do I need to configure the AD FS settings, or are the registry entries sufficient?
To do a targeted deployment of hybrid Azure AD join on Windows current devices, you need to:
- Clear the Service Connection Point (SCP) entry from Active Directory (AD) if it exists.
- Configure client-side registry setting for SCP on your domain-joined computers using a Group Policy Object (GPO).
- If you're using Active Directory Federation Services (AD FS), you must also configure the client-side registry setting for SCP on your AD FS server using a GPO.
- You may also need to customize synchronization options in Azure AD Connect to enable device synchronization.
Clear the SCP from AD
Use the Active Directory Service Interfaces Editor (ADSI Edit) to modify the SCP objects in AD.
- Launch the ADSI Edit desktop application from an administrative workstation or a domain controller as an Enterprise Administrator.
- Connect to the Configuration Naming Context of your domain.
- Browse to CN=Configuration,DC=contoso,DC=com > CN=Services > CN=Device Registration Configuration.
- Right-click on the leaf object CN=62a0ff2e-97b9-4513-943f-0d221bd30080 and select Properties.
- Select keywords from the Attribute Editor window and select Edit.
- Select the values of azureADId and azureADName (one at a time) and select Remove.
- Close ADSI Edit.
Configure AD FS settings
If your Azure AD is federated with AD FS, you first need to configure client-side SCP using the instructions mentioned earlier by linking the GPO to your AD FS servers. The SCP object defines the source of authority for device objects. It can be on-premises or Azure AD. When client-side SCP is configured for AD FS, the source for device objects is established as Azure AD.
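To check both halves of that configuration from a domain-joined machine, here is an added PowerShell example (it is not from the question or from the Microsoft documentation quoted above). It assumes the RSAT ActiveDirectory module is installed, that the client-side SCP lives under HKLM\SOFTWARE\Microsoft\CurrentVersion\CDJ\AAD as the TenantId and TenantName values set by the GPO, and that the AD SCP is the leaf object named in the steps above.

```powershell
# Added example: report where the hybrid Azure AD join SCP is defined
# (AD Configuration NC, client registry, both, or neither) so that a
# targeted deployment can be verified before devices start registering.
Import-Module ActiveDirectory

function Get-HybridJoinScpStatus {
    # 1. AD-side SCP: the leaf object under Device Registration Configuration.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $scpDN = "CN=62a0ff2e-97b9-4513-943f-0d221bd30080," +
             "CN=Device Registration Configuration,CN=Services,$configNC"
    $adKeywords = @()
    try {
        $obj = Get-ADObject -Identity $scpDN -Properties keywords -ErrorAction Stop
        # Only the azureADId / azureADName keywords make this a live SCP.
        $adKeywords = @($obj.keywords | Where-Object {
            $_ -like 'azureADId:*' -or $_ -like 'azureADName:*' })
    } catch {
        # Object absent (or unreadable): treat as "no AD SCP" and say so below.
        $adKeywords = @()
    }

    # 2. Client-side SCP: registry values the GPO is expected to create
    #    (assumed path/value names, matching the Microsoft GPO guidance).
    $regPath = 'HKLM:\SOFTWARE\Microsoft\CurrentVersion\CDJ\AAD'
    $reg = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
    $regComplete = $reg -and $reg.TenantId -and $reg.TenantName

    # 3. Classify. For a targeted deployment the expected state is
    #    "registry only"; a populated AD SCP would scope every domain device.
    $mode = if ($adKeywords.Count -gt 0 -and $regComplete) { 'both (clear the AD SCP for a targeted rollout)' }
            elseif ($adKeywords.Count -gt 0)               { 'AD SCP (forest-wide)' }
            elseif ($regComplete)                          { 'registry only (targeted)' }
            else                                           { 'none (devices will not hybrid-join)' }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        ADScpKeywords      = if ($adKeywords.Count) { $adKeywords -join '; ' } else { '<none>' }
        RegistryTenantId   = $reg.TenantId
        RegistryTenantName = $reg.TenantName
        Mode               = $mode
    }
}

Get-HybridJoinScpStatus | Format-List
```

Run it on one of the targeted workstations and, if you use AD FS, on an AD FS server too, since that server also needs the registry values per the steps above.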