Microsoft Entra ID | Hybrid Azure AD Join Devices | Managed Domains

  • Published on 3 Dec 2024

Comments • 188

  • @emirmoneer3090 · 4 years ago · +5

    Better than most PAID teachers honestly

    • @ConceptsWork · 4 years ago

      Thanks for your acknowledgement.

  • @Sanddancer75 · 2 years ago · +4

    Possibly the most concise but informative video I've ever seen on YouTube. Very, very well done.

  • @fisheridle6886 · 5 years ago · +23

    Great work! Really appreciate this! It's crystal clear, and looks like an anatomy of the things behind it. It saves me tons of hours reading MS's poorly organized documentation. Thanks, man!

    • @ConceptsWork · 5 years ago · +4

      Thank you for your kind words.

  • @lostray117 · 2 years ago · +1

    Thank you very much!
    Your video and explanation is brilliant!
    You are the only one who explains the issues when Hybrid AD Join is not working because of connectivity to the URLs / internet.

  • @Henry1973 · 4 years ago · +6

    I love how you showed the ways we can troubleshoot the process, the detail you explain of how the process works and the concept of it. This was a great video and has set the standard for Concepts Work in my mind, I subscribed!

  • @gabrielalicea4803 · 3 years ago · +1

    Watching this for the third time and it’s great quality work. Thank you again.

  • @rizomarshal7483 · 5 years ago · +7

    Thanks a LOT!!!! for this great tutorial - a deep explanation of the overall hybrid process and components.
    Learned a lot :)

  • @niranmanandhar8517 · 4 years ago · +2

    Very impressed and happy with the level of explanation you have provided in this video. Getting to learn quite a few things.

  • @harrichavan789 · 4 years ago · +1

    This is a deep dive into what goes on behind the scenes of Azure Hybrid Join, thanks for such a video.

  • @du1vbs · 5 years ago · +2

    Beautifully explained. Thank you so much for sharing your knowledge.

  • @alfonsorodriguez5449 · 3 years ago · +1

    Best technical deep dive into Azure AD Hybrid Join

  • @babrdwod7464 · 2 years ago

    Outstanding explanation. Please keep publishing these videos!

  • @manjitbhatia9909 · 5 years ago · +1

    Great contribution and very well explained ... awesome tutorial ..

  • @cryptoguru7630 · 4 years ago · +2

    Nice explanation 👌👍

  • @BindasBadshah · 3 years ago · +1

    This was so amazing. Very well thought out and covered every aspect of HAADJ. Thanks,

  • @riswanthnsai7144 · 5 years ago · +1

    Great contribution to the learners and videos are really useful

  • @abhimanyusinghshekhawat6871 · 4 years ago · +1

    Love hearing you.. crisp and clear.

  • @robinraju4321 · 4 years ago · +2

    Wonderful video. Well explained.

  • @007Joelsky · 3 years ago

    Awesome!! What you explained from 13:14 is exactly what I needed to know! Thanks

  • @sraju999 · 2 years ago

    Outstanding presentation and attention to detail. Thank you

  • @gabrielalicea4803 · 4 years ago · +1

    Outstanding presentation and attention to detail. This video made me subscribe to your channel. Well done.

  • @priyankareddy3587 · 4 years ago · +1

    Great.. please do continue Azure and ADFS.. you look like an expert.. great content

    • @ConceptsWork · 4 years ago

      Thanks for your kind words.

    • @priyankareddy3587 · 4 years ago · +1

      @ConceptsWork For hybrid join, EnterprisePrt should be YES, but in your video I see it as NO. Could you please explain?

    • @ConceptsWork · 4 years ago

      ADFS also offers device registration, and enterprise PRT is related to ADFS, please check this article for more details.
      docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/ad-fs-faq

    • @priyankareddy3587 · 4 years ago

      I did not find info about EnterprisePRT.
      I know about session cookie... access token...
      My question was why EnterprisePrt was set to NO if it is a hybrid join...
      If the machine is hybrid joined, AzureAdPrt and EnterprisePRT should be YES.
      Please let me know if my understanding is wrong.

    • @ConceptsWork · 4 years ago

      Enterprise PRT will be available, if you have implemented Device Registration of ADFS.
      Enterprise PRT is not required for Hybrid Azure AD join Devices.

  • @sandeep909b · 3 years ago · +1

    Quality Stuff.. very nice deep dive👍

  • @PavanKumargurijala · 3 years ago · +1

    Excellent explanation

  • @navneetsingh9592 · 2 years ago · +1

    Excellent video, thanks for explaining the concept. Just one question: your machine is in a workgroup, so how come it gets the task? Is it there for all Windows 10 machines by default and gets enabled only when it joins the domain and if Hybrid AAD is enabled?

  • @widodoboedijono9374 · 4 years ago

    Simple, Brief, and Very Clear

  • @Productivity365 · 4 years ago

    Thanks for sharing such informative videos

  • @abulaith4485 · 5 years ago · +6

    Another great technical video.
    Do you work for Microsoft?

  • @charliemelga7445 · 2 years ago · +1

    Great video, with some good tips, thanks very much for taking the time to create and post :)

  • @ramyogeshwaran · 3 years ago · +1

    I can see the hard work you put in before posting each video. Keep posting new videos.

  • @ameerthoughts848 · 3 years ago · +1

    Very nice class

  • @exchameed · 4 years ago

    Excellent video... The way he explains things is awesome

  • @anniesrivastava2276 · 2 years ago · +1

    Sir, you are great.. is there any way we can ever see you or meet you.. it would be a great pleasure.. you have exceptional skills to explain such difficult topics so easily

  • @kanikagambhir2592 · 2 years ago · +1

    The content is really good and the way you explain the concepts is commendable. Also, the settled tone of explaining the concepts helps in understanding them easily... Keep up the good work..... Only thing that I found missing is that the "content ppt" is not available anywhere for revision purposes.... If it's available somewhere, please share the location.
    ..... Thank you.

    • @ConceptsWork · 2 years ago

      Hi Kanika, though there is a membership for this, if it is only this PPT that you need, please send us an email at learnconceptswork@gmail.com

  • @kpanagos · 4 years ago · +1

    Great guide !!! Thank you very much.

  • @thedavid1174 · 4 years ago · +3

    This is an amazing video, I love how you go into detail about what is happening in the background. Certainly subscribing :)
    Quick question. I managed to get this far, but do you have any video on how to get them managed and into Intune after this step and after they are hybrid joined?

    • @ConceptsWork · 4 years ago

      Hi David, thanks for the kind words.
      Just wanted to understand your requirement related to Intune.
      The devices which are Hybrid Azure AD joined are already managed through on-prem; can you please share some more details in terms of how you want to manage them from Intune?

    • @thedavid1174 · 4 years ago · +1

      @ConceptsWork We are in the process of purchasing 150 laptops for staff that will be used both onsite and offsite. If they are onsite, they will be either connected via cable to our main network, or on our corporate wifi for direct access to the DCs and managed via traditional on-prem group policies etc.
      I am pretty new to Intune, but we want to basically make sure all of our devices are registered to Intune so that we can retain some sort of control when they are off-network too.
      I managed to get this working though. Initially, for those devices that are hybrid joined, the MDM was showing as "None". However, after making some GPO changes, my devices now are showing as hybrid joined with Intune as their MDM. We are not really going to configure much on Intune, but it will be nice to have the option to in the future. I hope this makes sense, and I hope this is a correct use-case for Intune.
      BYOD devices, at the moment, we're not really expecting to get onto Intune or Azure joined.

  • @Wiseparentsclub · 2 years ago

    Thank you for such an in-depth explanation.

  • @techmaster6166 · 4 years ago · +1

    Great video and brilliant explanation. I have been watching a few videos of different series; just one comment, in my opinion when you make a series, if you could number your videos then it will be easier to watch all of them in order, let's say Intune part 1 or lecture 1. Great work, please keep it up.

  • @robinraju4321 · 4 years ago · +1

    Clear Explanation ...thanks a lot

  • @arifshaikh213 · 3 years ago

    Awesome explanation 👏🏼👏🏼

  • @SanjeevKumar-hs6gp · 3 years ago · +1

    Nice Informative Video !

  • @lyfrocks5554 · 5 years ago · +1

    Brilliant. Thanks for sharing this. Subscribed.

  • @silerauk366 · 2 years ago

    Great work indeed.. Could you please explain how to get to the AD configuration partition using ADSI Edit? Appreciated...

  • @Ambedkarites_Indian · 1 year ago

    Great sir, thank you very much.

  • @WoTpro · 3 years ago · +1

    Great video, thanks for your efforts

  • @asithahttp · 4 years ago

    One of the greatest explanations I have ever seen. I have two questions: how to trigger the scheduled task on an already domain-joined device, and how will it act on a device that is connecting from VPN? WFH scenario

    • @ConceptsWork · 4 years ago · +1

      You have to ask users to use VPN, as the task to renew the PRT is initiated on every unlock of the machine; also you can create a scheduled task which should trigger device registration at least 3 or 4 times a day. Once the device is successfully registered, the PRT should work as expected, but just FYI, renewal of the PRT requires line of sight to a DC in federated environments.

  • @sumeetkumar6900 · 4 years ago · +2

    Instantly subscribed :) beautifully explained Sir. Do you also have ADFS tutorials ?

    • @ConceptsWork · 4 years ago · +1

      th-cam.com/play/PL8wOlV8Hv3o9uHl0XFfI6_katp6BXNVjb.html

  • @yousefbableh5611 · 4 years ago · +4

    This is a great presentation, I subscribed. I have one question!! Why did you disjoin and rejoin the device to on-prem AD? Will it not work if you just enable internet access to populate the certificate?

    • @Southpaw07 · 4 years ago

      Yes, I have the same question. Seems a little confusing, and I'm hoping I don't have to disjoin machines to get Hybrid AD Join to work.

  • @HOKING-ef8dj · 4 years ago · +1

    Fantastic videos !

  • @phanihishi · 2 years ago

    Great video! Can't dive deeper!

  • @ytho7618 · 2 years ago

    Thanks for making these great videos

  • @marctemplin366 · 3 years ago

    Thanks for this video. It's very helpful. If a hybrid joined device is active on the internet, is that activity registered in on-prem AD? We have a policy to disable devices that haven't been active on the domain for 3 months so I wondered if a device is hybrid joined and active on the internet, would that activity prevent the on-prem object from being disabled?

  • @belzebubas · 1 year ago

    Ok. This is great. How about machines that are already on the OnPrem domain? What if I have 100 machines. Does this mean I'll have to disconnect and rejoin the domain in order for these machines to get Azure AD hybrid Joined?

  • @brunomarcelo880 · 3 years ago · +1

    You nailed it, thank you so muchhhhhhh

  • @nithyanadhamsingaravadivel8547 · 1 year ago

    Hi, your videos are really informative. Let's say my domain-joined devices are already synced to Azure AD as the device type "Azure AD registered". In this case, would this method help us delete the device type "Azure AD registered" and perform the new device registration as "Hybrid AD joined"? Is this possible? What will the impacts be when the device is removed and registered again in Azure as a hybrid joined device?
    With the SCP created in Active Directory, how can we perform a phased roll out for hybrid device registration in Azure AD? Would selecting the appropriate OUs help us with the phased roll out?
    Also, how can we avoid the automatic device enrollment of hybrid joined devices to Microsoft Intune? Is adjusting the MDM scope the only option? Or can we keep the MDM scope set to all users and adjust somewhere else in the Microsoft Intune portal to avoid the auto enrollment of Windows hybrid joined devices to Microsoft Intune?

  • @ThePaulSIN · 4 years ago · +2

    Great video! What happens to a PC that is already a member of the local AD when you enable the hybrid sync and you set the policy as you suggested? Will they automatically be hybrid joined with no action from the local PC side (except maybe a reboot)?

    • @ConceptsWork · 4 years ago · +4

      This applies to Windows 10 1709 or above:
      If a machine is already joined to Active Directory, the moment you enable device registration from AAD Connect, the SCP of the tenant gets registered in AD. From the next time device registration is triggered, the machine will create the cert and save it in the machine object.
      When this object is synced to Azure AD in the next sync cycle, the user will start receiving a PRT.

    • @taksiobs · 4 years ago

      @ConceptsWork Okay, so I don't have to disjoin the machine and rejoin it just like what you did, right?

    • @riyazqureshi8906 · 2 years ago

      @ConceptsWork When will device registration trigger next if the machine is already domain joined? Does it happen when the next synchronisation cycle happens?

  • @tranghienkhoa · 1 year ago

    WOW YOU ARE THE BEST!!!! ❤

  • @WelcomeWithinMyDream · 4 years ago · +1

    Awesome video! Quick question from me, since I want to be sure I understood the information correctly. For the 4 URLs, for Win10 the laptop needs to have internet access to said URLs (an entry in Site to Zone is not required), while for lower OS it is mandatory to provide the entry. Is this correct? Ty for your time, content and knowledge share!

    • @ConceptsWork · 4 years ago · +1

      Yes, for Windows down-level devices, all these links should be added, as seamless SSO is one of the pre-reqs.

    • @taksiobs · 4 years ago

      @ConceptsWork Oh! So if all my devices are Windows 10, then there's no need to add these URLs?

  • @NitinKumar-pd9nt · 5 years ago · +1

    Hi, It was a nice explanation. My Question - In an environment where win10 and win7 machines are already joined to local domain, how to initiate Hybrid setup?

    • @ConceptsWork · 5 years ago · +5

      Start from enabling Hybrid Azure AD join from AAD Connect, and make sure all the network configuration is in place.
      When the SCP and the network endpoints are enabled, Windows 10 will get automatically joined.
      For Windows 7 check this article - docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-managed-domains#enable-windows-downlevel-devices

  • @lakergreat1 · 3 years ago

    What steps would I have to take if I WASN'T seeing AzureADPRT: YES, and instead it said NO?

  • @kosalyeang2101 · 3 years ago

    It's a great guide video.

  • @michaelpietrzak2067 · 3 years ago · +1

    Great video!

  • @macro8681 · 4 years ago · +1

    Great video. Well done!
    Do you know if there is a method for migrating systems from hybrid Azure AD joined to fully Azure AD joined and doesn't involve manually touching every system?

    • @ConceptsWork · 4 years ago · +1

      As of now there is no method to Migrate machines from on-prem to Azure AD.

    • @taksiobs · 4 years ago

      @ConceptsWork Unless you want everything fresh or use 3rd party tools to migrate user profiles. Am I right?

  • @ravisuj · 2 years ago

    Thanks for creating and sharing such excellent content. If there are two AD connect servers (one in staged mode) is it needed to run the wizard for hybrid Azure AD join on the staged server also?

    • @ConceptsWork · 2 years ago

      Yes, this will keep the configuration file identical on all the servers.

  • @CaptDarksoul · 4 years ago

    How do you remove old management objects before you add the new HAAD joined process?

  • @williamkass9057 · 6 months ago

    If I have a user that isn't located within the office (domain LAN) but has a company laptop that was joined to the on-prem domain when the laptop was set up in the past, and I migrate my infrastructure to Azure AD, how am I able to get the aforementioned user's endpoint to join the new Azure AD domain without making the user go to an office LAN?

  • @joshandres4964 · 2 years ago

    If I want to have my device listed on AAD but use a different IDP like Okta, will I have to rejoin those machines if I switch from AAD IDP to Okta?

  • @phucmac5312 · 3 years ago

    Question for you. I'm running into this issue where I keep getting this error:
    auto MDM ENroll Get ADD Token: Device Credential (0x0) Resource url (Null)( UNknown win32 error code 0x801800b.
    Everything works great in my lab, but in production I can't get past that in the Event Viewer.

  • @cool2685 · 2 years ago

    First of all, I really appreciate your efforts!! I have one question: how do we manage devices which are already domain joined? Do we need to reconfigure them in the domain? And second, will it work for those devices which are on VPN?

  • @flymoracer · 4 years ago · +1

    Thanks. If I query AAD using the get-msoldevice PowerShell command, it returns a DeviceTrustType of 'Domain Joined' for a device that is listed in the portal as Hybrid AD Joined. Is this correct?

  • @StephenKunstmann · 4 years ago · +1

    Hi, very good video! Exactly what I needed to know :) Quick question - is it possible to use my UPN/Azure AD account to log in to such a hybrid joined device?

    • @ConceptsWork · 4 years ago · +1

      Unfortunately not, as the authentication authority for users is still on-prem AD.

  • @phucmac5312 · 3 years ago

    Great video. Assuming this is a manual enrollment, if I want to use Autopilot I would need to install the Intune connector?

    • @ConceptsWork · 3 years ago

      Yes, with Autopilot you need the connector and line of sight to a DC.

    • @phucmac5312 · 3 years ago

      @ConceptsWork My current environment is hybrid; I haven't set up the Intune connector yet. Will you still be able to do the manual enrollment and join the machine as Hybrid AD joined even though you have Autopilot set up? Currently my environment is small, everything has been set up manually with a manual AD join.

    • @phucmac5312 · 3 years ago

      I see that the machine is Azure AD joined, but MdmUrl and MdmTouUrl are empty. How do you fix that? It causes it to register as Hybrid AD joined, but I can't push applications or policies to it.

  • @paolodifrancesco4319 · 4 years ago

    Thanks for the stunning video tutorial! I'm concerned about what happens if my laptop goes outside the enterprise network... will domain authentication work even if the local domain controller is not accessible? Again... if I change my password outside the enterprise network, will it be written back to on-prem AD? Thanks

  • @italonofi216 · 3 years ago

    hi,
    great video congratulations, you have been very clear in the explanation in fact I am following the whole series of azure ad on your channel.
    Can I ask you just one question since a detail is not clear to me? Why can you get a PRT by accessing the machine with an on-prem domain user?
    When the machine from on-prem is joined also to azure ad to get a PRT shouldn't you access it using an azure active directory account? You can get a PRT because your on-prem users are also synchronized with azure ad right?

    • @ConceptsWork · 3 years ago

      PRT is per user and device specific.
      Regarding more details on how PRT works, please check this article - docs.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token

  • @ashoksan14 · 2 years ago

    Can we join Windows Server to Azure AD without Azure AD DS and on-prem AD DS infra?

  • @nareshkumarshetti6073 · 2 years ago

    Join type information is blank in the Azure portal, may I know the reason?

  • @cooksiecooks · 5 years ago

    Hello, is this possible for a Windows E3 subscription despite being joined to a local domain?

  • @sayedhasanalalawi749 · 2 years ago

    Good job, but I have one question. To join a device as a hybrid AD join, is it a must to connect it to the work network? Or can it be joined remotely, from home for example?

    • @ConceptsWork · 2 years ago

      The machine must have line of sight to a DC, which in turn comes down to connectivity to the on-prem network.

  • @TahaTaha-sz3zk · 3 years ago

    Can you view the certificate in certificate store ? I don’t see it in machine private

  • @vin21711487 · 3 years ago · +1

    Will this method of joining sync my on prem domain joined devices to Azure AD and Intune Endpoint Manager for managing the devices from there? If not could you suggest a solution which will enable me to enroll domain joined local existing computer devices to sync to intune devices for management ?

    • @ConceptsWork · 3 years ago · +1

      Make sure you have enabled automatic enrollment in the Endpoint Manager portal and the MDM scope is also set for all users. In this case, when the user joins the device to Azure AD, it will be automatically enrolled to MDM; also, if you have deployed the onboarding to Microsoft Defender for Endpoint, that will also happen seamlessly.

  • @anujsheth1732 · 4 years ago

    Great Video. My question is if a device is already Azure Joined but is also part of the domain. Do I need to remove the Azure Joined Device first then follow the hybrid join process?

    • @ConceptsWork · 4 years ago

      A device which is domain joined cannot be manually Azure AD joined from settings pane.

  • @chetansharma6595 · 3 years ago

    Please make a detailed video on how a device gets a PRT.

  • @baranisam · 4 years ago · +1

    Great stuff, thanks a lot. My question is "Is it possible to register a domain-joined PC as Hybrid Azure AD joined from VPN access or the internet?"

    • @ConceptsWork · 4 years ago · +1

      Even with Intune Connector, the machines must be able to contact your domain controller.
      Please check this article - docs.microsoft.com/en-us/mem/intune/enrollment/windows-autopilot-hybrid

    • @ashtonashton4529 · 3 years ago

      @ConceptsWork Does it mean that for a WFH scenario, it's not possible for an on-prem domain-joined PC that has the SCCM agent to set up Hybrid Azure AD Join without VPN?
      What's the best way to migrate from AD and SCCM managed to Azure AD and Intune managed for a WFH scenario, where PCs are already joined to on-prem AD and have the SCCM agent installed but have no VPN?

  • @vivek.padale · 4 years ago

    Hi,
    Thanks for sharing this awesome content. I would appreciate it if you could help with my query.
    If my on-prem AD DS and Azure AD DS are synced with AAD Connect, can I use Azure AD DS to authenticate and authorize on-prem users for internal or intranet resources?
    And also, can I use Azure AD DS as a DR solution for on-prem AD DS?
    Regards,
    Best of luck!!!

  • @bartoszjelen326 · 3 years ago

    Great video! 2 questions:
    1. When I get to the configuration part I don't have an option to configure SCP. Why?
    2. I have about 5-6 domain controllers in a single forest. It looks like users are synchronized properly as Hybrid Azure joined only if they are connected to DC02. Why is that? Is it possible to initiate the hybrid joined connection even if users connect to different domain controllers? Where do I troubleshoot this?

    • @ConceptsWork · 3 years ago · +1

      For the first question, which version of AAD Connect do you have? Also make sure that you are selecting the hybrid option.
      For the 2nd question - it's not about the user, it's about the machine object which has to be synced to Azure AD for Hybrid Azure AD join to work.
      If the changes are made on a DC which is not directly contacted by AAD Connect, and these changes are not reflecting in Azure AD, it can be a replication issue between DCs.

  • @devraj_thezeus · 2 years ago

    If I create AD and a client VM in Hyper-V and use the default switch for the network, will this whole thing work?

  • @prabaselvam · 4 years ago · +1

    Can we do Hybrid AD Join for Windows Server 2019 (instead of Windows 10)?

  • @Sunny-zj6wt · 4 years ago

    Thanks a lot for the videos. Just wanted to know what happens to the machines that are already domain joined before implementing the Hybrid Azure AD Join? Do they need to be on-prem to register, or can these devices be registered over the internet to Azure AD?

    • @ConceptsWork · 4 years ago

      The machines must contact AD, as there is a cert which is written to the userCertificate attribute of the computer object.
      This applies to Windows 10 1709 or above:
      If a machine is already joined to Active Directory, the moment you enable device registration from AAD Connect, the SCP of the tenant gets registered in AD. From the next time device registration is triggered, the machine will create the cert and save it in the machine object.
      When this object is synced to Azure AD in the next sync cycle, the user will start receiving a PRT.

    • @Sunny-zj6wt · 4 years ago

      @ConceptsWork Thank you for the information. So, once I enable device registration from AAD Connect, in order to get the certificate the machine must contact the on-prem domain controller for the first time? Once that's done, can it be offsite? How about service password reset? Is that the same case as well?
      Thank you again

  • @mask3809 · 3 years ago · +1

    Perfect

  • @fredericcuzon5194 · 3 years ago

    Thank you so much for taking the time to make the video. Got a question though. My devices are hybrid joined and I can see them OK in Azure AD. The issue is that I cannot log in with a user on the machine if not connected to the local domain. My understanding would be that if the domain is not available, then users should be able to authenticate via Azure AD?

    • @ConceptsWork · 3 years ago

      No, the first authentication will be sent to Local AD itself.

    • @fredericcuzon5194 · 3 years ago

      @ConceptsWork So it is not possible.. I would have thought otherwise, being Hybrid!

  • @taksiobs · 4 years ago · +1

    My device is showing Hybrid AD joined but I still can't manage it from Intune.

    • @ConceptsWork · 4 years ago · +1

      There must be a PRT on the device, and verify that the GPO has reached the device.

    • @taksiobs · 4 years ago

      @ConceptsWork Thanks for your reply, but what's a PRT?

    • @ConceptsWork · 4 years ago · +1

      PRT is a token that is device specific - docs.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token#:~:text=A%20Primary%20Refresh%20Token%20(PRT,applications%20used%20on%20those%20devices.

    • @taksiobs · 4 years ago

      @ConceptsWork Thanks much! Let me read this. I'm scratching my head since.

  • @ronald0122 · 4 years ago

    So no GPO to join the device to Azure?

  • @TITOMIKEE89 · 3 years ago

    Hello,
    It's me again. What if I have domain-joined devices that I want to hybrid join? Will I need to take them out of the domain and rejoin them to get the userCertificate populated?

    • @ConceptsWork · 3 years ago

      No, once the hybrid process is completed, I mean the machine is able to contact the respective endpoints, the userCertificate attribute will be populated.

  • @TITOMIKEE89 · 3 years ago

    Hello,
    I have a question: will adding the 4 URL endpoints into GPO let them access the URLs?

    • @ConceptsWork · 3 years ago

      No, adding these URLs to GPO will add them to the local intranet zone. Access to these URLs should be whitelisted at the network.

    • @TITOMIKEE89 · 3 years ago

      @ConceptsWork Meaning so they can be contacted by down-level devices? But for devices that are Windows 10 and updated, those 4 URLs must be whitelisted in the network? My device can contact 2 out of the 4 URLs. For enterpriseregistration.windows.net/ I get the error "endpoint not available". I appreciate your help.

    • @TITOMIKEE89 · 3 years ago

      One more thing, will the SCP be installed after the AD sync configuration? Or should it be there by default?

  • @shahzadansari9728 · 1 year ago

    Can we expect more Azure Security videos AZ 50

  • @priyankareddy3587 · 3 years ago

    We have done the configuration in Azure AD Connect with all prerequisites met. Will the device registration be pending in the portal until a user logs in to the client machine to complete the hybrid join?? Or does the device registration get completed automatically after a certain period of time in the Azure portal and the client machine will be hybrid joined??

    • @ConceptsWork · 3 years ago · +1

      The activity timestamp will only be populated when there is a valid PRT on the device.
      As soon as the device is synced from on-prem, portal shows that device as hybrid, but the activity time stamp also has to be populated.

  • @qamarqureshi2874 · 4 years ago

    I can see you joined one machine to Hybrid Azure AD, but what if I have 100 or 500 client machines in my organization to join to Hybrid Azure AD? Do I need to go and join them manually to the Azure AD domain? Also, will the process be the same for client machines and Windows servers?

    • @ConceptsWork · 4 years ago

      No, you don't have to do it manually; if all the config is in place and machines get line of sight to a DC, it will work as expected.

  • @flymoracer · 4 years ago

    You mention that Seamless SSO is a requirement. I've not found that listed as a pre-req in the Microsoft documentation. Could you please help me understand why this is needed?

    • @ConceptsWork · 4 years ago · +2

      Enable Windows down-level devices
      If some of your domain-joined devices are Windows down-level devices, you must:
      Configure the local intranet settings for device registration
      Configure seamless SSO
      Install Microsoft Workplace Join for Windows down-level computers
      - docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-managed-domains

    • @flymoracer · 4 years ago

      @ConceptsWork Ah ok, so if there's no requirement to support down-level devices then we won't need seamless SSO?

    • @ConceptsWork · 4 years ago · +2

      Yes, from Windows 1803 it is not required; that's what I have experienced.

    • @flymoracer · 4 years ago · +1

      @ConceptsWork That's great. Thank you for answering my questions, you've been a great help. Your videos are really useful, thanks for putting them up.

  • @CaptDarksoul · 4 years ago

    How do you make the "Is it possible to register domain joint PC as hybrid azure ad joined from vpn access or internet" run the join after a device is on VPN automatically?

    • @ConceptsWork · 4 years ago

      You can ask users to remain connected on VPN for some days and get a GPO created which should trigger the dsregcmd task at least 3-4 times a day.

  • @jadhav44 · 5 years ago

    Hi, appreciate the efforts taken to create this awesome video giving guidance around Hybrid AAD join. Is there a possibility that a device has been Hybrid AAD joined but failed to get the PRT? I have a set of devices where Hello provisioning is failing, and the device state for those devices is Hybrid AAD joined but has failed to get the PRT. Any thoughts?

    • @jadhav44 · 5 years ago · +1

      In fact, I just did a repro in my personal tenant and it is exactly the same. I set the GPO to trust all the sites specified in the documentation as well as your video, my AAD Connect is configured for Hybrid AAD Join with Pass-through Authentication and SSO enabled. Also, I can see my computer object being synced to the cloud, and when I join my machine to the domain, I can see the User Device Registration logs confirming that the device has been joined, but while checking the dsregcmd status it shows that it has not obtained any PRT but the device is joined to AAD. Your technical insights would help me solve the issue in my personal tenant as well as production. The only difference in my prod is we are using a federated domain and in personal I am using managed.
      Thanks a lot in advance!!

    • @ConceptsWork · 5 years ago · +1

      Hello Ganesh,
      Thanks for being so responsive on all our videos, please reach us on learnconceptswork@gmail.com, and we will resolve this issue.
      Regards,
      Conceptswork.

    • @lyfrocks5554 · 5 years ago

      Hello Ganesh, what are your findings after checking with the Concepts team? I had a similar issue. Any inputs from your end are highly appreciated.

    • @lyfrocks5554 · 5 years ago

      @jadhav44 Any inputs from the Concepts team regarding your issue? I have seen a similar situation at my end.
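Several threads above circle the same diagnosis: the "AzureADPRT: NO" question, the "device registration pending until a user logs in" question, the "4 URLs" exchange, and the last thread about dsregcmd reporting a joined device with no PRT. The read-only PowerShell below, an added example that is not code from the video or the ConceptsWork channel, gathers the evidence those replies ask for on one Windows 10 client; it assumes the endpoint list from Microsoft's Hybrid Azure AD Join prerequisites is the "4 URLs" the comments refer to, and it uses the RSAT ActiveDirectory module for the SCP lookup only if that module is installed.

```powershell
# Added example: hybrid-join health check for a single client. Read-only;
# run in an elevated PowerShell on the domain-joined Windows 10 machine.

# Endpoints listed in the Hybrid Azure AD Join prerequisites (assumption:
# these are the "4 URLs" from the comments; autologon is the seamless SSO one).
$Endpoints = @(
    'enterpriseregistration.windows.net',
    'login.microsoftonline.com',
    'device.login.microsoftonline.com',
    'autologon.microsoftazuread-sso.com'
)

function Get-DsregStatus {
    # Parse the "Key : Value" lines of `dsregcmd /status` into a hashtable.
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z][\w ]*?)\s*:\s*(.*?)\s*$') {
            $status[$matches[1]] = $matches[2]
        }
    }
    return $status
}

function Get-HybridJoinScp {
    # AAD Connect writes a serviceConnectionPoint under
    # CN=Device Registration Configuration,CN=Services,CN=Configuration,...
    # whose keywords carry azureADName:<tenant> and azureADId:<tenant guid>.
    if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) { return $null }
    Import-Module ActiveDirectory
    $cfg = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -SearchBase "CN=Services,$cfg" `
        -LDAPFilter '(&(objectClass=serviceConnectionPoint)(keywords=azureADName:*))' `
        -Properties keywords
}

$s = Get-DsregStatus
"DomainJoined  : $($s['DomainJoined'])"
"AzureAdJoined : $($s['AzureAdJoined'])"
"AzureAdPrt    : $($s['AzureAdPrt'])"
"TenantName    : $($s['TenantName'])"

# Hybrid = both YES. AzureAdPrt only becomes YES once the computer object has
# synced to Azure AD and a user has signed in, which is why the portal can show
# the device as hybrid while the activity timestamp is still empty.
if ($s['DomainJoined'] -eq 'YES' -and $s['AzureAdJoined'] -eq 'YES') {
    'Device state: Hybrid Azure AD joined'
} elseif ($s['DomainJoined'] -eq 'YES') {
    'Device state: domain joined only; registration has not completed yet'
} else {
    'Device state: not domain joined; hybrid join does not apply'
}

# The registration task the "workgroup machine" question asks about: it ships
# with Windows 10 and does nothing until the device is domain joined and finds an SCP.
$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' `
        -TaskName 'Automatic-Device-Join' -ErrorAction SilentlyContinue
if ($task) { "Automatic-Device-Join task: $($task.State)" }
else       { 'Automatic-Device-Join task: NOT FOUND' }

# Proxy/firewall check for the "endpoint not available" symptom in the thread.
foreach ($h in $Endpoints) {
    $ok = (Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded
    '{0,-40} {1}' -f $h, $(if ($ok) { 'reachable' } else { 'BLOCKED' })
}

# SCP lookup: confirms which tenant AAD Connect registered in the configuration partition.
$scp = Get-HybridJoinScp
if ($null -eq $scp) {
    'SCP: ActiveDirectory module not available, or no SCP found'
} else {
    $scp | ForEach-Object {
        "SCP: $($_.DistinguishedName)"
        $_.keywords | ForEach-Object { "  $_" }
    }
}

# The log to read next when AzureAdPrt stays NO: recent registration errors/warnings.
Get-WinEvent -LogName 'Microsoft-Windows-User Device Registration/Admin' -MaxEvents 10 -ErrorAction SilentlyContinue |
    Where-Object { $_.LevelDisplayName -in 'Error', 'Warning' } |
    Select-Object TimeCreated, Id, Message
```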