Verify hybrid Azure AD join

Here are three ways to locate and verify the hybrid joined device state:

Locally on the device

  1. Open Windows PowerShell.
  2. Enter dsregcmd /status.
  3. Verify that both AzureAdJoined and DomainJoined are set to YES.
  4. Note the DeviceId. You can use it to compare the status on the service by using either the Azure portal or PowerShell.

For downlevel devices, see the article Troubleshooting hybrid Azure Active Directory joined down-level devices.

Using the Azure portal

  1. Go to the devices page using a direct link.
  2. Information on how to locate a device can be found in How to manage device identities using the Azure portal.
  3. If the Registered column says Pending, then hybrid Azure AD join hasn't completed. In federated environments, this state happens only if the device failed to register and Azure AD Connect is configured to sync the devices. Wait for Azure AD Connect to complete a sync cycle.
  4. If the Registered column contains a date/time, then hybrid Azure AD join has completed.

Using PowerShell

Verify the device registration state in your Azure tenant by using Get-MsolDevice. This cmdlet is in the Azure Active Directory PowerShell module.

When you use the Get-MsolDevice cmdlet to check the service details:

  • An object with the device ID that matches the ID on the Windows client must exist.
  • The value for DeviceTrustType is Domain Joined. This setting is equivalent to the Hybrid Azure AD joined state on the Devices page in the Azure AD portal.
  • For devices that are used in Conditional Access, the value for Enabled is True and DeviceTrustLevel is Managed.

  1. Open Windows PowerShell as an administrator.
  2. Enter Connect-MsolService to connect to your Azure tenant.

Count all Hybrid Azure AD joined devices (excluding Pending state)

(Get-MsolDevice -All -IncludeSystemManagedDevices | where {($_.DeviceTrustType -eq 'Domain Joined') -and (([string]($_.AlternativeSecurityIds)).StartsWith("X509:"))}).count

Count all Hybrid Azure AD joined devices with Pending state

(Get-MsolDevice -All -IncludeSystemManagedDevices | where {($_.DeviceTrustType -eq 'Domain Joined') -and (-not([string]($_.AlternativeSecurityIds)).StartsWith("X509:"))}).count

List all Hybrid Azure AD joined devices

Get-MsolDevice -All -IncludeSystemManagedDevices | where {($_.DeviceTrustType -eq 'Domain Joined') -and (([string]($_.AlternativeSecurityIds)).StartsWith("X509:"))}

List all Hybrid Azure AD joined devices with Pending state

Get-MsolDevice -All -IncludeSystemManagedDevices | where {($_.DeviceTrustType -eq 'Domain Joined') -and (-not([string]($_.AlternativeSecurityIds)).StartsWith("X509:"))}

List details of a single device:

  1. Enter Get-MsolDevice -DeviceId <deviceId> (This DeviceId is obtained locally on the device).
  2. Verify that Enabled is set to True.
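
The local and service-side checks above can be combined into one comparison. The following is an added example, not part of the original article: the function names ConvertFrom-DsregStatus and Test-HybridJoinRecord are hypothetical, and the dsregcmd excerpt and device record are constructed sample data.

```powershell
# Added example; function names are hypothetical, sample data is constructed.
# On a real device, feed (dsregcmd /status) and the Get-MsolDevice result instead.
function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $fields = @{}
    foreach ($line in $Lines) {
        # Fields print as "  Name : Value"; section banners do not match.
        if ($line -match '^\s*(\w+)\s*:\s*(.+?)\s*$') { $fields[$Matches[1]] = $Matches[2] }
    }
    [pscustomobject]@{
        DeviceId     = $fields['DeviceId']
        HybridJoined = ($fields['AzureAdJoined'] -eq 'YES') -and ($fields['DomainJoined'] -eq 'YES')
    }
}

function Test-HybridJoinRecord {
    param($LocalState, $Device)
    # Same test the queries above use to separate completed from Pending.
    $isX509 = ([string]($Device.AlternativeSecurityIds)).StartsWith('X509:')
    [pscustomobject]@{
        LocalHybridJoined   = $LocalState.HybridJoined
        DeviceIdMatches     = ([string]$Device.DeviceId -eq $LocalState.DeviceId)
        TrustTypeOk         = ($Device.DeviceTrustType -eq 'Domain Joined')
        Pending             = -not $isX509
        ConditionalAccessOk = ($Device.Enabled -eq $true) -and ($Device.DeviceTrustLevel -eq 'Managed')
    }
}

# Constructed excerpt of dsregcmd /status output.
$sampleStatus = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
              DomainJoined : YES
                  DeviceId : 00000000-1111-2222-3333-444444444444
'@ -split "`r?`n"

# Constructed stand-in for one Get-MsolDevice result.
$sampleDevice = [pscustomobject]@{
    DeviceId               = '00000000-1111-2222-3333-444444444444'
    DeviceTrustType        = 'Domain Joined'
    DeviceTrustLevel       = 'Managed'
    Enabled                = $true
    AlternativeSecurityIds = 'X509:<constructed-placeholder>'
}

$state = ConvertFrom-DsregStatus -Lines $sampleStatus
Test-HybridJoinRecord -LocalState $state -Device $sampleDevice
```

A device that reports hybrid joined locally but shows Pending, a mismatched DeviceId, or a failed Conditional Access check on the service side has not completed registration as described above.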

Next steps