Windows 10 Hybrid Azure AD join targeted deployment

Question

Hi

I am following the steps below and do not see SCP entry in AD. My goal is to setup computers with as Hybrid Azure AD join. I created the two registries.
My question, is do I need to configure the AD FS settings or the registries are sufficient?

To do a targeted deployment of hybrid Azure AD join on Windows current devices, you need to:

1. Clear the Service Connection Point (SCP) entry from Active Directory (AD) if it exists.
2. Configure client-side registry setting for SCP on your domain-joined computers using a Group Policy Object (GPO).
3. If you're using Active Directory Federation Services (AD FS), you must also configure the client-side registry setting for SCP on your AD FS server using a GPO.
4. You may also need to customize synchronization options in Azure AD Connect to enable device synchronization.
   Clear the SCP from AD
   Use the Active Directory Services Interfaces Editor (ADSI Edit) to modify the SCP objects in AD.
5. Launch the ADSI Edit desktop application from and administrative workstation or a domain controller as an Enterprise Administrator.
6. Connect to the Configuration Naming Context of your domain.
7. Browse to CN=Configuration,DC=contoso,DC=com > CN=Services > CN=Device Registration Configuration.
8. Right-click on the leaf object CN=62a0ff2e-97b9-4513-943f-0d221bd30080 and select Properties.
9. Select keywords from the Attribute Editor window and select Edit.
10. Select the values of azureADId and azureADName (one at a time) and select Remove.
11. Close ADSI Edit.

Configure AD FS settings
If your Azure AD is federated with AD FS, you first need to configure client-side SCP using the instructions mentioned earlier by linking the GPO to your AD FS servers. The SCP object defines the source of authority for device objects. It can be on-premises or Azure AD. When client-side SCP is configured for AD FS, the source for device objects is established as Azure AD.

https://learn.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-control

Answer 1

Hello @Virtual Tech ,

Thanks for reaching out.

For federated domains, you must ensure that your federation service is configured to issue the appropriate claims as detailed here (which is manual way) in addition to client-side registry setting on the ADFS server because in a federated Azure AD configuration, devices rely on AD FS to authenticate to Azure AD. Devices authenticate to get an access token to register against the Azure Active Directory Device Registration Service (Azure DRS).

Alternately, you may configure hybrid Azure AD join by utilizing Azure AD Connect for a federated environment, which establishes the necessary claims for you as outlined here. However, this option would also create a SCP item in AD, which you can manually delete later.

Hope this helps.

-----
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Answer 2

@Virtual Tech ,

Yes, the domain seems to be managed domain, and, in this case, you must ensure that Devices OU is part of synchronization scope and here are perquisites for your reference.

However, you can use Azure AD portal or PowerShell Get-MsolDomain alternatively for verifying if domain managed or federated as shown below:

Azure Portal:

PowerShell:

-----
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Answer 3

@sikumars-msft

What worked for me in a federated environment is the steps in this link. Thanks for your help.
https://learn.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-control

Answer 4

@sikumars-msft - Azure AD connect User sign-in is Password Hash sync. We sync objects from on-premise AD to Azure AD. So Is that a indication is managed domain? If so, what steps are required to change the computer status in Azure, to Hybrid AD joined computers instead of Azure AD registered