This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 40%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES0%3C/text%3E%3C/svg%3E)
Hello,
We are doing a co-management setup for a client who is currently not on cloud. we are getting Azure AD for the infra, and they want to install M365 office suit pack from Intune to existing domain joined Windows 10 devices. In order to get this we are enabling the co-managemnet setup with SCCM, so far below steps are done but when trying to test a Windows device, it is not getting Hybrid AD joined. Attempted manual join with Azure AD, which also seems to get broreaks halfway with no progress.
The steps performed so far
On a test device registered in Azure, a test account with license was used to sign into the device with local credentials.
The device was not joined and below event was observed in the event viewer in below path:
Applications and Services Log > Microsoft > Windows >DeviceManagement-Enterprise-Diagnostics-Provider> Admin
Request assistance to help resolve this issue and get teh setup working. Can this be because of fireall block ?
also could you help me understand if users who nevr used azure services till date, the day their account is synced to azure and license is assigned, will co-management work from their local login using AD username and password without any additional steps?
Appreciate any hep on this topic
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@svjs-0437 , In fact, Hybrid Azure AD join is one prerequisite for co-management enroll.
https://learn.microsoft.com/en-us/mem/configmgr/comanage/tutorial-co-manage-clients
From your description, it seems the device is not Hybrid Azure AD joined successfully. Here, you can follow the following article to troubleshoot.
https://learn.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current
For your questions, about the firewall block, you can check if the network resources in the following link are all accessible via your firewall.
https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-hybrid-azure-ad-join#network-connectivity-requirements
In fact Hybrid Azure AD join device is login using on-premise domain account. But we need to ensure the on-premises AD users UPN is support for hybrid Azure AD join. Here is a link iwth more details
https://learn.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan#review-on-premises-ad-users-upn-support-for-hybrid-azure-ad-join
Meanwhile, as the issue is with Hybrid Azure AD join and we are Intune support. To get better support, I have added the tag "azure-active-directory" and "azure-ad-hybrid-identity" to see if the related support can be involved to help on this. If no, you can contact Azure AD support to get more help:
https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-troubleshooting-support-howto
After the Hybrid Azure AD join device issue is fixed and all the prerequisites are met, we can plan to do co-management, we can follow the steps in the first article to do the enroll.
In your description, I notice we configure GPO. Based as I know, GPO enrollment is another method, we can choose either co-management or GPO to do the enrollment, no need for both. Here is an article with more details for the reference:
https://learn.microsoft.com/en-us/mem/intune/enrollment/device-enrollment#windows-enrollment-methods
Hope the above information can help.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
No, devices are not getting Hybrid joined. as i understand from the AD team, they have configured to use firstname.lastname@keyman .com as their Azure login and it means the UPN of the user does not match the primary SMTP of th euser. we tried syncing the UPN attribute for the test user to Azure which did not help.
Again when tried adding the work account manual at setting>accounts>access school or work>connect > tried entering Azure username and password. This does not finish the Azure AD join process and leave the device at just 'Azure AD Registered' state.
Do you have any recommendation/guidance to help fix this?
Note: it was mentioned that to bring in the UPN of the user account to Azure this would require reinstallation of Azure AD connect.
@svjs-0437 , Thanks for the confirmation. From your description, I know the device is failed to do Hybrid Azure Ad join, And it seems the UPN is different with the one in Azure AD. As we are not familiar with this, here we suggest to contact Azure AD support to help on this.
https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-troubleshooting-support-howto
Thanks for the understanding.
Thank you for the support!
Issue stands resolved now, Azure AD team redid the AD connect setup to fix the UPN part and also there was some sync issue due to nested groups... they helped to get the device sync and it resolved!!
@svjs-0437 , Thanks for letting us know the latest status. I am glad to hear that the issue is resolved and Hybrid Azure AD join is successful. Could you also let us know if the co-management is also working now?
Thanks and look forward to your reply.
@svjs-0437
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
----------
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
Issue was due to device not properly syncing with Azure, post sync the setup worked fine.