How valuable this channel is; it should have more than 1 lakh subscribers.
Guys, please keep sharing this.
This is a gem of a channel...
Any chance you can show the differences involved if the domain is federated via SAML2.0?
Your videos are an absolute joy to watch, thanks for sharing!
Glad you like them!
WOW, although it is complicated, it is brilliantly explained. Thank you.
Explained in great depth, thanks.....
The UserCertificates attribute of the AD computer object is populated only if the SCP (AD or client side) is configured.
Thanks for the informative video. In a federated environment, is it mandatory to use a WinHTTP proxy if we are not using WPAD?
Are the claims in ADFS created automatically by the AD Connect wizard when configuring the hybrid options, or do you have to create them manually? Thank you.
If you have deployed ADFS from AAD Connect the claims will be created automatically, but if you have deployed ADFS and AAD Connect individually, then you have to manually create the claim rules.
That's brilliant, Thanks a lot - well explained
Glad it was helpful!
Hi,
I have two forests under one tenant.
Recently we migrated some user mailboxes from a different organization, and their email addresses do not match the domain name where we migrated them. Only the laptops of the migrated mailbox users are showing as pending in hybrid domain join. How can I write the 6th claim rule in this scenario?
All devices in the tenant are already Azure AD registered (on-prem + workplace joined). If I enable Entra hybrid join in Entra Connect, will it automatically convert to Entra hybrid join, or do I have to manually remove the Azure AD registered state and then enable Entra hybrid join?
Thanks, please do more ❤️
I could not understand the difference between this and the previous video... it's on federated but many things are the same.. could you please let me know how you have configured claims in ADFS?
Please check this article.
docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-manual
Super! Very well explained. Thank you.
@concepts work, client devices are joined to Azure AD and Intune. Now when we try to join the device to on-premises AD with an AD admin we get an error. Can you please guide me on how to join a device to on-premises AD which is already Azure AD joined and Intune compliant?
Currently a machine joined to Azure AD cannot be joined to local AD.
@@ConceptsWork Thanks for the update. If we remove the device from Azure AD, will the device also go out of Intune? After we remove the device from Azure AD and before rejoining to on-premises AD and Azure AD, do we need to rename the hostname of the device?
Make sure that the device is completely removed from all three resources, Azure AD, local AD and Microsoft Intune, before re-imaging and joining the machine back to local AD and syncing to Azure AD; otherwise there will be stale entries.
The fundamental idea is more related to the object GUID of the device.
How do I add the devices to Intune?
Thank you for the great video and explanation.
I heard that if you are in a federated domain with ADFS, once your devices can discover the SCP, they auto-register with Azure AD without even having the computer account already synchronized in Azure AD. Is that correct? Is there any document or video that explains that?
Thank you
Please watch this - th-cam.com/video/2uwSSIxoEnU/w-d-xo.html
Also check this article - docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-managed-domains
Hi Bruce, you are correct. You don't need AD Connect to synchronize the object for a successful hybrid join. ADFS can handle that for you. However, if somehow ADFS fails to create the object in Azure AD, the machine will fall back on the sync option. In order to let this work, you have to enable synchronization for that particular computer object in AD Connect. But in the end, that is optional.
@@mojo3717 Hey Peter, glad I found this comment... would this explain why my Hybrid domain join devices aren't syncing... meaning if I disable the on-prem AD computer, nothing happens to the Azure AD device object. I read somewhere that if you're running Hybrid Domain AD Join with ADFS, the syncing will not work... (especially not ideal for managing stale devices)
Thanks for the informative video. For the claims required for federated domains, are those only required for environments that use ADFS? If you use an Identity provider other than ADFS, are those claim rules still needed?
These claims must be present even if you are using any other Identity Provider.
Can you share the claim rules please?
Hello sir, I have one question. While configuring hybrid join for downlevel devices, the option is greyed out for us and asks us to enable seamless SSO. Can we hybrid join the downlevel devices without enabling seamless SSO, or do we need to enable it? On my test machine, when I tested, the option is enabled after enabling seamless SSO. Thanks
For downlevel devices, seamless SSO is a prerequisite.
Awesome videos. Could you please let me know if you have uploaded application integration and Azure PowerShell videos as well? Could you please provide the URL if yes..
th-cam.com/video/JaCe-T5rvV8/w-d-xo.html
Thank you for the great content. I get this error message from the Azure AD Connect wizard when trying to configure:
An error occurred while executing the 'Update-MsolFederatedDomain' command. MSIS7612: Each identifier for a relying party trust must be unique across all relying party trusts in AD FS configuration. ---> System.Management.Automation.RemoteException: MSIS7612: Each identifier for a relying party trust must be unique across all relying party trusts in AD FS configuration.
Does this mean I need to configure the relying party trust for Azure AD on my AD FS server?
Thanks for any advice.
As per this error message, there are multiple entries of the same identifier, and to be honest, I have never seen this behavior, as ADFS will not allow you to save duplicate identifier values. To be sure about it, please check the identifier field of every relying party trust.
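A check for the duplicate-identifier condition behind MSIS7612, added here as an example (not code from the video or the thread). It assumes the ADFS PowerShell module on the primary AD FS server and uses Get-AdfsRelyingPartyTrust, whose Identifier property is the field the reply above says to inspect; the Azure AD trust is located by its well-known identifier urn:federation:MicrosoftOnline.

```powershell
# Added example: flag identifiers shared by more than one relying party trust
# (the condition MSIS7612 reports) and show whether the Azure AD trust exists.
# Run in an elevated session on the primary AD FS server.
Import-Module ADFS

function Find-DuplicateRpIdentifier {
    # A trust can carry several identifiers; flatten to (Identifier, TrustName) pairs
    $pairs = foreach ($rp in Get-AdfsRelyingPartyTrust) {
        foreach ($id in $rp.Identifier) {
            [pscustomobject]@{ Identifier = $id; TrustName = $rp.Name }
        }
    }
    # Group-Object compares case-insensitively, which also surfaces near-duplicates
    # that differ only in case and are worth a second look
    $pairs | Group-Object -Property Identifier |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Identifier = $_.Name
                Trusts     = ($_.Group.TrustName -join ', ')
            }
        }
}

$dupes = Find-DuplicateRpIdentifier
if ($dupes) {
    Write-Warning 'Identifiers present on more than one relying party trust:'
    $dupes | Format-Table -AutoSize
} else {
    Write-Host 'No duplicate identifiers found.'
}

# The Azure AD / Office 365 trust that AAD Connect manages uses this identifier;
# an empty result means the trust is missing rather than duplicated
Get-AdfsRelyingPartyTrust |
    Where-Object { $_.Identifier -contains 'urn:federation:MicrosoftOnline' } |
    Select-Object Name, Identifier
```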
Do we need to be connected to the enterprise network domain to register in the on-premises AD and in AAD?
Yes, you need to be connected to the local AD domain.
Your videos are very helpful and well structured. Thank you so much!
I have a probably stupid question.... probably not related to this.
Does a Hybrid Azure AD Joined device have the ability to log in to Windows outside of the corporate network?
In my case I set up a Hybrid AD Joined device and the Windows Hello for Business key-based trust model. Inside the corp network everything works absolutely amazingly, but if I change the network to the internet then I get an error that I cannot log in.
It must work outside the organization as well; the Windows Hello for Business key is device specific.
@@ConceptsWork thanks for the answer.
So, let's skip the part about WHFB and imagine a computer that is hybrid Azure joined.
Let's also imagine that I have a group policy to remove the "Logon Cache" (Interactive logon: Number of previous logons to cache (in case domain controller is not available) = 0).
Would I be able to log on to my computer outside the organization?
Thanks for the great videos. Please, I have something I hope you can help me with. I want users to be able to authenticate against Azure AD to log in to a Windows 10 device which is hybrid Azure AD joined, instead of the on-prem DC.
I want to achieve this so that remote users can still authenticate when the device is on another network.
Can I use ADFS to achieve this?
If the machine is hybrid Azure AD joined, Active Directory will always take precedence as per the current behavior.
Hello,
Where can I find the claim rules?
Please check this document - docs.microsoft.com/bs-latn-ba/azure/active-directory/devices/hybrid-azuread-join-manual
Thank you for this useful video.
I am having an issue understanding one concept and I am wondering if you could help me out.
After joining my device to Azure AD in hybrid mode, I initially had issues getting the EnterprisePrt token. After some changes to the Azure AD Connect setup ADFS environment that included initialising device registration using the Initialize-ADDeviceRegistration command, enabling device writeback via AD Connect and enabling device registration with Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true, I managed to get a token. I had to follow the steps from docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg, which confused me enough already as I wasn't enabling WH4B, and considering I had AD FS set up automatically, I expected no additional configuration to be needed after enabling hybrid domain join in the AD Connect tool.
Unfortunately, the PRT token doesn't seem to work for AD FS when connecting externally from my joined laptop and using the Edge (Chromium) browser. Using IE and legacy Edge, I am able to pass through AD FS authentication just fine. I am using the AD FS Xray tool as a relying party trust for AD FS. My question is, what is the role of the EnterprisePrt token? I'm unable to find any documentation on it that would be applicable to the AD FS and Hybrid Azure Join scenario. I simply expected that with the hybrid join, I could take my device outside the network and enjoy seamless Azure AD logon (which works in both IE and legacy/Chromium Edge) and seamless AD FS logon (which doesn't work with Chromium Edge but works in IE, and I can see the PRT password claim).
Thanks
Enterprise PRT is not required for Azure AD SSO.
Enterprise PRT is shown when you are using ADFS device registration.
What you have to check is whether, if the machine is hybrid Azure AD joined, Azure AD PRT is showing as YES or not.
Only if you are not getting an Azure AD PRT will you experience SSO issues.
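The check in the reply above (is AzureAdPrt YES on a hybrid joined machine?) as an added PowerShell example, not code from the video or the thread. It parses the "Key : Value" rows of dsregcmd /status; the sample output embedded below is constructed so the parser runs without a domain-joined device, and the Test-HybridJoinSso verdicts are the assumptions of this example, based on the reply's point that Enterprise PRT only matters for ADFS device registration.

```powershell
# Added example: extract join state and PRT fields from dsregcmd /status output
function Get-JoinStateFromDsregcmd {
    param([string[]]$Lines)
    # dsregcmd prints "Key : Value" rows; keep only the fields relevant to hybrid join SSO
    $wanted = 'AzureAdJoined', 'DomainJoined', 'AzureAdPrt', 'EnterprisePrt'
    $state = [ordered]@{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(\w+)\s*:\s*(.+?)\s*$' -and $wanted -contains $matches[1]) {
            $state[$matches[1]] = $matches[2]
        }
    }
    [pscustomobject]$state
}

function Test-HybridJoinSso {
    param([pscustomobject]$State)
    # Hybrid Azure AD join means both AzureAdJoined and DomainJoined are YES
    $isHybrid = ($State.AzureAdJoined -eq 'YES') -and ($State.DomainJoined -eq 'YES')
    if (-not $isHybrid) { return 'Not hybrid Azure AD joined: check SCP discovery and device registration first' }
    if ($State.AzureAdPrt -ne 'YES') { return 'Hybrid joined but no Azure AD PRT: expect Azure AD SSO failures' }
    if ($State.EnterprisePrt -ne 'YES') { return 'Azure AD PRT present, Azure AD SSO should work; no Enterprise PRT (only relevant with ADFS device registration)' }
    'Azure AD PRT and Enterprise PRT both present'
}

# Constructed sample of dsregcmd /status output; on a real device use: $sample = dsregcmd /status
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : YES
             EnterprisePrt : NO
'@ -split "`r?`n"

$state = Get-JoinStateFromDsregcmd -Lines $sample
$state | Format-List
Test-HybridJoinSso -State $state
```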
@@ConceptsWork thanks. Turns out the root cause is that Edge (Chromium) doesn't support Enterprise PRT yet. This explains why Azure PRT worked fine.
In my case, both Enterprise PRT and Azure AD PRT are set to YES. Unfortunately, due to Edge's lack of support for the Enterprise PRT, I did a bit of a workaround and federated ADFS back to Azure AD as an IdP, and with some claims magic I was able to get ADFS SSO with Azure AD as IdP, which means SSO even when the Enterprise PRT isn't working. This means my ADFS federated apps can now authenticate seamlessly even on my phone, which is a registered device, or on my PC with Chrome when the Office add-on is installed, as that adds Azure PRT support :)
Thanks