Microsoft Entra Hybrid Join: The Configuration Guide for Administrators - cloudcoffee.ch (2024)

Last Updated on 26. April 2024

Microsoft Entra Hybrid Join is an identity solution that allows devices to authenticate against both a Windows Server Active Directory domain and Microsoft Entra ID. This gives companies the flexibility they need to manage resources effectively while maintaining a high level of security.

Microsoft Entra ID is built for global high availability. Combined with features such as seamless single sign-on (SSO) and Microsoft Entra Conditional Access, it offers capabilities that significantly increase security and that a pure Windows Server Active Directory infrastructure could only provide at considerable cost.

With Microsoft Entra Hybrid Join, you get the best of both worlds (local and cloud) at the same time. The device has access to both Windows Server Active Directory and Microsoft Entra ID.

This blog article shows in detail the steps for configuring Microsoft Entra Hybrid Join.

Table of contents

  1. Prerequisites and Licensing
     1.1 Licenses
     1.2 Devices
     1.3 Software
  2. Windows Server Active Directory
     2.1 Microsoft Entra Connect
         2.1.1 Device options
         2.1.2 Synchronization options
     2.2 Windows Server Active Directory Permissions
     2.3 Automatically register domain computers
  3. Microsoft Entra ID
     3.1 Microsoft Intune
     3.2 MDM-URLs
     3.3 Microsoft Intune Connector for Active Directory
     3.4 Microsoft Intune Configuration Profile
  4. Functional check
  5. Troubleshooting

Prerequisites and Licensing

Licenses

Microsoft Entra Hybrid Join does not require a paid license. Microsoft Entra ID Free is sufficient, and it is included in every Microsoft tenant.

Devices

The following requirements apply to the devices:

  • Windows 10 Pro or Enterprise
  • Windows 11 Pro or Enterprise

The devices must be able to reach the following URLs:

  • https://enterpriseregistration.windows.net
  • https://login.microsoftonline.com
  • https://device.login.microsoftonline.com
  • https://autologon.microsoftazuread-sso.com
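The following PowerShell check, added here as an example and not part of the original post, tests each of these endpoints from the device before registration is attempted. The function and variable names are the example's own.

```powershell
# Added example: check that this device can reach the endpoints required for Microsoft Entra Hybrid Join.
# Run in PowerShell on the client. Function and variable names are the example's own.
$Endpoints = @(
    'https://enterpriseregistration.windows.net',
    'https://login.microsoftonline.com',
    'https://device.login.microsoftonline.com',
    'https://autologon.microsoftazuread-sso.com'
)

function Test-HybridJoinEndpoint {
    param([Parameter(Mandatory)][string]$Url)
    $hostName = ([uri]$Url).Host

    # Direct TCP reachability on 443. This can legitimately fail when egress is proxy-only,
    # which is why the HTTPS request below is the decisive test.
    $tcp = Test-NetConnection -ComputerName $hostName -Port 443 -WarningAction SilentlyContinue

    # Any HTTP status, including 4xx, proves a TLS session was established with the endpoint.
    # A status of 0 means no answer at all (DNS, firewall, proxy or TLS inspection problem).
    try {
        $response = Invoke-WebRequest -Uri $Url -Method Head -UseBasicParsing -TimeoutSec 10
        $status = [int]$response.StatusCode
    } catch {
        $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { 0 }
    }

    [pscustomobject]@{
        Host       = $hostName
        TcpPort443 = $tcp.TcpTestSucceeded
        HttpStatus = $status
        Reachable  = ($status -ne 0)
    }
}

$results = $Endpoints | ForEach-Object { Test-HybridJoinEndpoint -Url $_ }
$results | Format-Table -AutoSize
if ($results.Reachable -contains $false) {
    Write-Warning 'At least one required endpoint is unreachable; device registration will fail until this is fixed.'
}
```

Run it in the user's session so the same proxy settings apply that the device registration client will use.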

Software

Microsoft Entra Connect or Microsoft Entra Cloud Sync is used to synchronize the organizational units containing the device objects from Windows Server Active Directory to Microsoft Entra ID.

Windows Server Active Directory

The following steps prepare Windows Server Active Directory for use with Microsoft Entra Hybrid Join.

Microsoft Entra Connect

Device options

Microsoft Entra Hybrid Join requires the following configuration in the device options area of Microsoft Entra Connect.

Select Device Options

Select Next

Sign in to Microsoft Entra ID with a Global Administrator account.

Select Configure Hybrid Azure AD Join (Microsoft Entra Hybrid Join).

Select Windows 10 or later domain-joined devices

The user to be specified here for the SCP (Service Connection Point) configuration must be a member of the Enterprise Administrators group. These permissions can be revoked after successful SCP configuration.

The configuration is ready; click Configure.

Microsoft Entra Connect is now prepared for Microsoft Entra Hybrid Join.
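Before the Enterprise Admins membership is revoked, it is worth confirming what the wizard actually wrote. The following PowerShell snippet is an added example, not the post's own code: it reads the SCP from the forest's Configuration partition. It assumes the ActiveDirectory RSAT module is installed and that the account can read the Configuration partition (the default for domain users); the function name is the example's own.

```powershell
# Added example: read the Service Connection Point (SCP) created by Microsoft Entra Connect and
# confirm it points at the expected tenant. Assumes the ActiveDirectory RSAT module; the
# function name is the example's own.
Import-Module ActiveDirectory

function Get-HybridJoinScp {
    # The SCP lives in the forest Configuration partition under a fixed, Microsoft-documented GUID.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $scpDn = "CN=62a0ff2e-97b9-4ae1-b4a6-c0d7a3a5a2b2,CN=Device Registration Configuration,CN=Services,$configNC"
    try {
        $scp = Get-ADObject -Identity $scpDn -Properties keywords -ErrorAction Stop
    } catch {
        return [pscustomobject]@{ Exists = $false; TenantName = $null; TenantId = $null }
    }
    # keywords carries two values: "azureADName:<verified domain>" and "azureADId:<tenant GUID>".
    # Domain-joined clients read these to discover which tenant to register with.
    $name = ($scp.keywords | Where-Object { $_ -like 'azureADName:*' }) -replace '^azureADName:', ''
    $id   = ($scp.keywords | Where-Object { $_ -like 'azureADId:*' })   -replace '^azureADId:', ''
    [pscustomobject]@{ Exists = $true; TenantName = [string]$name; TenantId = [string]$id }
}

$scp = Get-HybridJoinScp
if (-not $scp.Exists) {
    Write-Warning 'No SCP found: domain-joined clients cannot discover the tenant and will not hybrid join.'
} elseif ($scp.TenantId -notmatch '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$') {
    Write-Warning "SCP exists but azureADId is not a tenant GUID: '$($scp.TenantId)'"
} else {
    "SCP points to tenant $($scp.TenantName) ($($scp.TenantId)); compare with the tenant ID in the Entra admin center."
}
```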

Synchronization options

All Active Directory organizational units with devices that are configured with Microsoft Entra Hybrid Join must be synchronized with Microsoft Entra Connect.

Select Configure device options

Sign in to Microsoft Entra ID with a Global Administrator account.

Connect to Active Directory.

Select all Active Directory organizational units that contain devices for Microsoft Entra Hybrid Join.

Select Next

Select Next

The configuration is ready; click Configure.

The configuration has been successfully completed.

Windows Server Active Directory Permissions

Microsoft Intune Connector requires access to all Windows Server Active Directory organizational units that contain devices for Microsoft Entra Hybrid Join. The following steps configure the access.

Right-click on the organizational unit and click Delegate Control.

Start the wizard with Next.

Add all servers on which the Microsoft Intune Connector is running.

Further configuration requires a custom task. Select Create a custom task to delegate.

Create the custom task on Computer Objects (1) with the permissions to Create (2) and Delete (3).

Select Full control.

The configuration has been successfully completed.
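Once the delegation is in place, the following PowerShell check, added here as an example and not part of the post, lists every principal that may create or delete computer objects in the OU, so the connector server's grant can be confirmed and unexpected grants spotted. It assumes the ActiveDirectory RSAT module; the OU DN is the post's example value and must be replaced with your own, and the function name is the example's own.

```powershell
# Added example: audit which principals can create/delete computer objects in the delegated OU.
# Assumes the ActiveDirectory RSAT module; replace $OuDn with your OU. Function name is the example's own.
Import-Module ActiveDirectory

$OuDn = 'OU=Computer,OU=CCL,DC=int,DC=cloudcoffee,DC=ch'
# schemaIDGUID of the "computer" class: object-specific ACEs for computers reference it in
# ObjectType (create/delete child) or InheritedObjectType (full control over computer objects).
$ComputerClassGuid = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

function Get-ComputerObjectDelegation {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $rightsEnum = [System.DirectoryServices.ActiveDirectoryRights]
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights
        $fullControl    = $rights.HasFlag($rightsEnum::GenericAll)
        $createOrDelete = $rights.HasFlag($rightsEnum::CreateChild) -or $rights.HasFlag($rightsEnum::DeleteChild)
        if (-not ($fullControl -or $createOrDelete)) { continue }

        # An empty GUID means the ACE applies to every object class, not only computers.
        $onComputerClass  = ($ace.ObjectType -eq $ComputerClassGuid) -or ($ace.InheritedObjectType -eq $ComputerClassGuid)
        $onAllClasses     = ($ace.ObjectType -eq [guid]::Empty) -and ($ace.InheritedObjectType -eq [guid]::Empty)
        if (-not ($onComputerClass -or $onAllClasses)) { continue }

        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Rights    = $rights
            Scope     = if ($onComputerClass) { 'computer objects' } else { 'all object classes' }
            Inherited = $ace.IsInherited
        }
    }
}

# Expect the Intune Connector server account(s) plus the built-in admin groups; anything else deserves a look.
Get-ComputerObjectDelegation -DistinguishedName $OuDn | Sort-Object Identity | Format-Table -AutoSize
```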

Automatically register domain computers

Computers joined to the Active Directory domain are registered with Microsoft Entra ID automatically in the background via group policy.

Enable the Group Policy Register domain joined computers as devices in Computer Configuration > Policies > Administrative Templates > Windows Components > Device Registration.

Microsoft Entra ID

Microsoft Intune

MDM-URLs

For the deployment of devices with Microsoft Intune and Autopilot, the MDM URLs must be activated in the Microsoft Intune admin center (https://intune.microsoft.com).

Devices > Enroll devices > Windows enrollment > Automatic Enrollment

Set MDM user scope either to All or to specific user groups.

Microsoft Intune Connector for Active Directory

The Microsoft Intune Connector is required on a Windows Server with access to the Windows Server Active Directory. Download the Microsoft Intune Connector from the Microsoft Intune admin center (https://intune.microsoft.com).

Devices > Enroll devices > Intune Connector for Active Directory

Select Add (1) and Download the on-premises Intune Connector for Active Directory (2).

Copy the downloaded file ODJConnectorBootstrapper.exe to the server and start the installation.

After successful installation, select Configure Now.

Sign in to Microsoft Intune with a licensed Global Administrator or Intune Administrator. The Global Administrator role can be removed from the user after a successful sign-in if required.

The configuration completes after a short time.

The connection has been successfully established.

Devices > Enroll devices > Intune Connector for Active Directory

Microsoft Intune Configuration Profile

The Active Directory domain join is performed via a Microsoft Intune configuration profile.

Microsoft Intune admin center (https://intune.microsoft.com)
Devices > Configuration profiles > Create > New Policy

  1. Platform: Windows 10 and later
  2. Profile type: Templates
  3. Template name: Domain join

Enter a Name, e.g. Domain Join.

Fill out:

  1. Prefix for the computer names, e.g. ccl-
  2. Domain name, e.g. int.cloudcoffee.ch
  3. Organizational unit, e.g. OU=Computer,OU=CCL,DC=int,DC=cloudcoffee,DC=ch

Assign profile to the devices.

Check the configuration and create the profile with Create.

Functional check

Windows 10 and Windows 11 devices register themselves in Azure Active Directory (Microsoft Entra ID). The status can be checked after about 10 minutes:

PowerShell

    dsregcmd /status

or open Microsoft Entra ID > Devices > All devices in the Azure portal (https://portal.azure.com).
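As an added example (not from the original post), the following PowerShell function parses the output of dsregcmd /status into an object, so the join state can be checked in scripts or across many devices instead of by eye. The function name and the constructed sample output are the example's own.

```powershell
# Added example: turn the text output of "dsregcmd /status" into an object and judge the hybrid join state.
# Run in the signed-in user's (non-elevated) session; under SYSTEM the user and SSO sections are empty.
function Get-HybridJoinState {
    param([string[]]$StatusLines = (dsregcmd /status))

    # dsregcmd prints "Key : Value" rows under section headers; keys never contain a colon,
    # so the first colon splits the row even when the value is a URL.
    $state = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*([A-Za-z0-9_]+)\s*:\s*(.*?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }

    $azureAdJoined = $state['AzureAdJoined'] -eq 'YES'
    $domainJoined  = $state['DomainJoined']  -eq 'YES'

    [pscustomobject]@{
        # Hybrid join means both flags are YES; "DomainJoined YES / AzureAdJoined NO" is the classic
        # not-yet-registered state (SCP missing, endpoints blocked, or the object not synced yet).
        HybridJoined  = ($azureAdJoined -and $domainJoined)
        AzureAdJoined = $azureAdJoined
        DomainJoined  = $domainJoined
        DomainName    = $state['DomainName']
        TenantName    = $state['TenantName']
        TenantId      = $state['TenantId']
        DeviceId      = $state['DeviceId']
        # The PRT appears only after the user signs in on a registered device; NO right after
        # the join is normal, NO after a fresh sign-in points to an SSO problem.
        AzureAdPrt    = $state['AzureAdPrt']
    }
}

# Constructed sample output (abridged) so the parser can be exercised without a domain-joined device.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
              DomainJoined : YES
                DomainName : INT
+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+
                TenantName : Contoso
                  TenantId : 00000000-0000-0000-0000-000000000000
               AuthCodeUrl : https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/authorize
'@ -split "`r?`n"

Get-HybridJoinState -StatusLines $sample | Format-List
```

On a real device call Get-HybridJoinState without arguments; the sample run above reports HybridJoined True with TenantName Contoso.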

Troubleshooting

If the device does not appear in Microsoft Entra ID as Microsoft Entra Hybrid Joined even after rebooting and waiting for 10 minutes, the following may help:

Article information

Author: Carmelo Roob
