Two Ways To Enable Hybrid AAD Join Mode For A Controlled Deployment

When you are planning (of course you are!) to bring your on-premises AD joined Windows workstations into Microsoft Endpoint Manager/Intune, one of the first things to complete is a pilot, or controlled, deployment. It shows you the end result, what the Hybrid Azure AD joined state gives you, which options open up for testing and, most importantly, what it will break.
In an environment with a lot of Windows workstations it is vital to run that pilot before the wider rollout so you understand the constraints first.

Azure AD Connect (sync)


At this stage you should have Azure AD Connect installed and working, with one of the two OU scoping configurations below.

Sync all domains and OUs

All OUs are selected (most probably you ran the Express setup when installing Azure AD Connect). This scope captures the workstations OU as well.

Sync selected domains and OUs (filtered OUs)

You have a scoped setup where only selected OUs are synced, not the whole directory.


A few things first. Let's look at the Hybrid Azure AD join feature in Azure AD Connect.

Note: make sure you are on an up-to-date version of Azure AD Connect.

Open Azure AD Connect > select Configure device options and hit Next.

You will see the device options; the one we are after here is Hybrid Azure AD join. Hit Next and enter the Azure AD credentials of an account that is allowed to configure Azure AD Connect (a Global Administrator or equivalent).

I'm not going to go through all the steps now as I will show them later.

So what actually happens when you run this?

A Service Connection Point (SCP) is written to the Configuration partition of your on-premises AD forest.

The SCP carries two keywords: the Azure AD tenant ID and the tenant name (for example domain.onmicrosoft.com). Because the Configuration partition is forest-wide, every domain-joined Windows 10 device in the forest can read the SCP; that is exactly what makes a forest-wide SCP unsuitable for a pilot.

You can check this with ADSI Edit. Please note that ADSI Edit needs to be used with the utmost care: changing or deleting items in it can cause irreversible damage to your AD environment.

Ok, that being said, let's check the location.

Open ADSI Edit > Action > Connect to > Configuration

Under the Configuration node go to CN=Services > CN=Device Registration Configuration > CN=62a0ff2e-97b9-4513-943f-02d221bd3008 (that GUID is a fixed, well-known name, not something specific to your tenant) > right-click and select Properties

Go to the keywords attribute and look for the azureADId: (tenant ID) and azureADName: (tenant name) values. If you can see them, the Hybrid Azure AD join device option has already been run from Azure AD Connect.
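The same check can be done from PowerShell without opening ADSI Edit. The script below is an added example, not part of the original post: it reads the SCP from the forest's Configuration partition and splits the keywords attribute into tenant ID and tenant name. It assumes the ActiveDirectory RSAT module is available and that the account running it can read the Configuration naming context.

```powershell
# Added example (not from the original post): read the Hybrid Azure AD join SCP
# from the Configuration partition instead of browsing ADSI Edit.
# Assumes: ActiveDirectory RSAT module, read access to the Configuration NC.
Import-Module ActiveDirectory

function Get-HybridJoinScp {
    # The SCP is published under the well-known container
    # CN=Device Registration Configuration,CN=Services,CN=Configuration,<forest root>
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $base     = "CN=Device Registration Configuration,CN=Services,$configNC"

    # SilentlyContinue: the container itself does not exist until the wizard has run once
    $scp = Get-ADObject -SearchBase $base -SearchScope OneLevel `
        -LDAPFilter '(objectClass=serviceConnectionPoint)' -Properties keywords `
        -ErrorAction SilentlyContinue

    if (-not $scp) {
        return [pscustomobject]@{ Present = $false; TenantId = $null; TenantName = $null; DistinguishedName = $null }
    }

    # keywords holds two strings: "azureADId:<tenant guid>" and "azureADName:<tenant name>"
    $tenantId   = ($scp.keywords | Where-Object { $_ -like 'azureADId:*' })   -replace '^azureADId:', ''
    $tenantName = ($scp.keywords | Where-Object { $_ -like 'azureADName:*' }) -replace '^azureADName:', ''

    [pscustomobject]@{
        Present           = $true
        TenantId          = $tenantId
        TenantName        = $tenantName
        DistinguishedName = $scp.DistinguishedName
    }
}

$scpInfo = Get-HybridJoinScp
if ($scpInfo.Present) {
    Write-Host "SCP found:   $($scpInfo.DistinguishedName)"
    Write-Host "Tenant ID:   $($scpInfo.TenantId)"
    Write-Host "Tenant name: $($scpInfo.TenantName)"

    # Sanity check: a hand-edited or damaged keyword would silently break registration
    $parsed = [guid]::Empty
    if (-not [guid]::TryParse($scpInfo.TenantId, [ref]$parsed)) {
        Write-Warning 'The azureADId keyword is not a valid GUID; check the keywords attribute.'
    }
} else {
    Write-Host 'No Hybrid Azure AD join SCP is published in this forest.'
}
```

If the script reports an SCP while you intend to use the client-side registry method described further down, that SCP is what every workstation outside the pilot OU will find, so it needs to be dealt with before the pilot starts.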


Now let's look at each of the above scenarios.

If "Sync all domains and OUs" is selected

This configuration syncs every existing OU and any OU created later, regardless. Not the best option in my view, as it pushes all your AD objects to the cloud, and there are usually accounts you do not want synced for security reasons.

The issue with this setup for a controlled rollout is that you cannot simply turn on the "Hybrid Azure AD join" option in Azure AD Connect: that writes a forest-wide SCP, which every domain-joined Windows 10 workstation can read. Since all the workstations are already in the sync scope, they will all discover the SCP the next time their Automatic-Device-Join scheduled task runs (normally at logon) and register as Hybrid Azure AD joined devices. That kills the pilot and will most likely run you into issues across the whole estate.

So what should you do? Deliver the SCP values to the pilot machines as client-side registry keys set by a GPO, instead of publishing a forest-wide SCP.

At this stage the rollout can be controlled with a new OU and a GPO that carries the SCP details. Microsoft's guidance for this controlled-validation method also expects that no SCP exists in AD; if one was already published, clear it first, otherwise the machines outside the pilot OU will keep finding it.

  1. Create the OU (eg: Hybrid-AAD-Joined-Workstations)
  2. Open GPMC.msc, create a new GPO and link it to the OU above (and only that OU)
  3. Edit the GPO as below
  4. Computer Configuration > Preferences > Windows Settings > Registry
  5. Right-click and New > Registry Item
  6. On the General tab, fill in
    1. Action: Update
    2. Hive: HKEY_LOCAL_MACHINE
    3. Key path: SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD
    4. Value name: TenantId
    5. Value type: REG_SZ
    6. Value data: the Tenant ID (a GUID) of the Azure AD tenant, then press OK
      Get the Tenant ID: Azure portal > Azure Active Directory > Properties > Tenant ID
  7. A second Registry Item is needed for the tenant name
    1. New > Registry Item
    2. On the General tab, fill in
    3. Action: Update
    4. Hive: HKEY_LOCAL_MACHINE
    5. Key path: SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD
    6. Value name: TenantName
    7. Value type: REG_SZ
    8. Value data: the name of your tenant (eg: domain.onmicrosoft.com), then press OK
  8. That is the GPO done. Close GPMC and allow it to replicate

Now start moving your pilot workstations into this OU. Once a workstation has picked up the new GPO (gpupdate or a reboot) and its computer object has gone through the next Azure AD Connect sync cycle, the Automatic-Device-Join task reads the tenant values from the registry, the device registers, and it shows up as a Hybrid Azure AD joined device.
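The whole GPMC procedure above can be scripted, which makes it repeatable and lets you validate the tenant ID before it is pushed out. The script below is an added example, not the original post's own steps: it creates the pilot OU, the GPO, the link, and the two Group Policy Preference registry items. It assumes the ActiveDirectory and GroupPolicy RSAT modules, rights to create OUs and GPOs in the domain, and the OU name, GPO name and tenant values shown are placeholders to replace.

```powershell
# Added example (not from the original post): build the pilot OU, the GPO and the
# two GPP registry items from PowerShell instead of clicking through GPMC.
# Assumes: ActiveDirectory + GroupPolicy RSAT modules, rights to create OUs/GPOs.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$ouName     = 'Hybrid-AAD-Joined-Workstations'             # assumed OU name
$gpoName    = 'Hybrid AAD Join - Pilot SCP (client-side)'  # assumed GPO name
$tenantId   = '00000000-0000-0000-0000-000000000000'       # placeholder: your Tenant ID
$tenantName = 'contoso.onmicrosoft.com'                    # placeholder: your tenant name
$regKey     = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD'

# Refuse to push a malformed tenant ID: a typo here fails registration silently on every pilot device
$guid = [guid]::Empty
if (-not [guid]::TryParse($tenantId, [ref]$guid)) {
    throw "TenantId '$tenantId' is not a GUID"
}

# 1. Pilot OU directly under the domain root (created protected from accidental deletion by default)
$domainDN = (Get-ADDomain).DistinguishedName
$ouDN     = "OU=$ouName,$domainDN"
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" -SearchBase $domainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN | Out-Null
}

# 2. GPO linked only to the pilot OU, so nothing outside it receives the SCP values
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
if (-not ((Get-GPInheritance -Target $ouDN).GpoLinks.DisplayName -contains $gpoName)) {
    New-GPLink -Name $gpoName -Target $ouDN | Out-Null
}

# 3. Computer-side Group Policy Preference registry items (Action: Update), same as the GPMC steps
Set-GPPrefRegistryValue -Name $gpoName -Context Computer -Action Update `
    -Key $regKey -ValueName 'TenantId'   -Value $tenantId   -Type String | Out-Null
Set-GPPrefRegistryValue -Name $gpoName -Context Computer -Action Update `
    -Key $regKey -ValueName 'TenantName' -Value $tenantName -Type String | Out-Null

# 4. Read back what the GPO will actually deliver to the pilot machines
Get-GPPrefRegistryValue -Name $gpoName -Context Computer -Key $regKey |
    Select-Object ValueName, Value, Type, Action
```

The script is idempotent: running it twice does not create a second OU, GPO or link, and Action: Update means the values are rewritten if someone changes them locally, which is what you want for a pilot where you may have to correct the tenant name.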


If "Sync selected domains and OUs" is selected

In this case you have probably scoped the sync to the user OUs only, which is the better practice. So you need to add a pilot workstations OU to the sync scope, then let those devices discover the SCP and join as Hybrid Azure AD devices.

Change your sync scope and add the pilot workstations OU

  1. Create the OU (eg: Hybrid-AAD-Joined-Workstations)
  2. On the server where Azure AD Connect is installed, open Synchronization Service Manager (miisclient.exe, under C:\Program Files\Microsoft Azure AD Sync\UIShell). The same change can also be made from the Azure AD Connect wizard under Customize synchronization options > Domain and OU filtering
    1. To open it you must be a member of the local ADSyncAdmins group. Add your account to that group, then log off and back on to the server so the membership is in your token
  3. Before changing the scope, disable the scheduled sync cycle (the Set-ADSyncScheduler cmdlet) so a delta run cannot start half way through the change
  4. On the Connectors tab, select your on-premises domain connector (not the one ending in onmicrosoft.com)
  5. Select Properties from the right-hand pane, then Configure Directory Partitions
  6. When prompted for credentials, enter an account with read access to your on-premises Active Directory
  7. Go to Containers, tick the OU you created in step 1 and press OK
  8. Close the console and open PowerShell
  9. Run Start-ADSyncSyncCycle -PolicyType Initial
  10. This runs a full import and full sync, so the newly scoped OU is read and its objects are pushed to Azure AD. Re-enable the scheduler once it has finished
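The server-side part of that procedure, as an added example that is not from the original post: it freezes the scheduler while the scope is edited, runs the Initial cycle the steps call for, waits for it to finish, confirms the pilot computers now exist in the AD connector space, and then resumes the normal delta schedule. It assumes it is run on the Azure AD Connect server by a member of ADSyncAdmins, and the connector name and OU distinguished name are placeholders.

```powershell
# Added example (not from the original post): safe sequence for an OU scope change on
# the Azure AD Connect server. Assumes: run on that server as an ADSyncAdmins member,
# ADSync + ActiveDirectory modules available. Names below are placeholders.
Import-Module ADSync
Import-Module ActiveDirectory

$adConnectorName = 'corp.contoso.com'                                        # on-premises AD connector name (not *.onmicrosoft.com)
$pilotOU         = 'OU=Hybrid-AAD-Joined-Workstations,DC=corp,DC=contoso,DC=com'  # pilot OU DN

function Wait-ADSyncIdle {
    # Poll the scheduler until no cycle is running; fail loudly instead of hanging forever
    param([int]$TimeoutMinutes = 30)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ((Get-ADSyncScheduler).SyncCycleInProgress) {
        if ((Get-Date) -gt $deadline) { throw "Sync cycle still running after $TimeoutMinutes minutes" }
        Start-Sleep -Seconds 15
    }
}

# 1. Let any running cycle finish, then stop the scheduler so a delta run cannot start mid-change
Wait-ADSyncIdle
Set-ADSyncScheduler -SyncCycleEnabled $false

# (Tick the pilot OU in Synchronization Service Manager or the AAD Connect wizard at this point)
Read-Host 'Scope change applied? Press Enter to run the full sync' | Out-Null

# 2. Full import + full sync so the newly scoped OU is actually read from the connector
Start-ADSyncSyncCycle -PolicyType Initial | Out-Null
Start-Sleep -Seconds 10      # give the cycle a moment to register as in progress
Wait-ADSyncIdle

# 3. Verify every computer in the pilot OU made it into the AD connector space;
#    a computer that is missing here will never reach Azure AD, whatever the SCP says
$missing = @()
foreach ($c in (Get-ADComputer -SearchBase $pilotOU -Filter *)) {
    $cs = Get-ADSyncCSObject -ConnectorName $adConnectorName -DistinguishedName $c.DistinguishedName `
        -ErrorAction SilentlyContinue
    if (-not $cs) { $missing += $c.Name }
}
if ($missing) { Write-Warning "Not in connector space: $($missing -join ', ')" }
else          { Write-Host "All computers under $pilotOU are in the sync scope" }

# 4. Resume the normal scheduled delta cycles
Set-ADSyncScheduler -SyncCycleEnabled $true
```

Step 3 is the check worth keeping: if a pilot machine sits in a sub-OU you did not tick, or is filtered out by an attribute rule, it will be missing from the connector space and the later Hybrid join will stall at "Pending" in Azure AD no matter what you do on the client.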

Let's set the Hybrid Azure AD join mode in Azure AD Connect

Open Azure AD Connect > select Configure device options and hit Next

Press Next on the page that explains the options covered by this part of the wizard

Enter your Azure AD admin credentials to connect and press Next

Select Configure Hybrid Azure AD join and press Next

If you have multiple forests listed, select the forest, pick the authentication service (Azure Active Directory, unless you federate with AD FS) and enter Enterprise Administrator credentials for that forest, then press Next. Enterprise Admin rights are needed because the SCP is written to the Configuration partition, which is forest-wide

Select the operating system: Windows 10 or later domain-joined devices, and press Next

On the next page, press Configure

Once the setup is done you can exit on the next screen. At this stage the SCP has been written to your on-premises AD, and you can confirm it with ADSI Edit as shown earlier

Move your pilot workstations into the OU and run Start-ADSyncSyncCycle -PolicyType Delta
The devices from that OU will now appear in the Devices section of Azure AD with the join type Hybrid Azure AD joined. Each one shows as Registered: Pending until the workstation itself has found the SCP and run its Automatic-Device-Join task (normally at the next logon), after which the registration completes.
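Whichever of the two methods you used, the final check belongs on the workstation itself. The script below is an added example, not part of the original post: it parses dsregcmd /status to report whether the device is domain joined and Azure AD joined (both together is the Hybrid Azure AD joined state), shows whether the client-side registry values from the GPO method are present, and, if the device is still only domain joined, fires the Automatic-Device-Join task rather than waiting for the next logon. It assumes it is run elevated on a Windows 10 or later domain-joined machine.

```powershell
# Added example (not from the original post): confirm Hybrid Azure AD join on a pilot
# workstation. Assumes: run elevated on a Windows 10+ domain-joined device.

function Get-DeviceJoinState {
    # dsregcmd prints "Name : Value" lines; fold them into a hashtable and pick out what matters
    $state = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.+?)\s*$') {
            $state[$matches[1].Trim()] = $matches[2]
        }
    }
    [pscustomobject]@{
        DomainJoined  = $state['DomainJoined']  -eq 'YES'
        AzureAdJoined = $state['AzureAdJoined'] -eq 'YES'   # DomainJoined + AzureAdJoined = Hybrid Azure AD joined
        TenantId      = $state['TenantId']
        TenantName    = $state['TenantName']
        DeviceId      = $state['DeviceId']
    }
}

function Get-ClientSideScp {
    # Values delivered by the GPO in method 1; absent when the device relies on the AD SCP (method 2)
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD'
    if (Test-Path $key) { Get-ItemProperty -Path $key | Select-Object TenantId, TenantName }
}

$reg = Get-ClientSideScp
if ($reg) { Write-Host "Client-side SCP values present: $($reg.TenantName) / $($reg.TenantId)" }
else      { Write-Host 'No client-side SCP values; the device will look up the SCP in AD' }

$join = Get-DeviceJoinState
$join | Format-List

if ($join.DomainJoined -and -not $join.AzureAdJoined) {
    # Registration normally happens when this task fires at logon; run it now and re-check
    Start-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' -TaskName 'Automatic-Device-Join'
    Start-Sleep -Seconds 60
    $join = Get-DeviceJoinState
    if ($join.AzureAdJoined) {
        Write-Host "Hybrid Azure AD joined: DeviceId $($join.DeviceId), tenant $($join.TenantName)"
    } else {
        Write-Warning 'Still not joined; check the Microsoft-Windows-User Device Registration/Admin event log for the reason'
    }
}
```

The TenantId reported by dsregcmd should match the one you put in the SCP or the GPO; a mismatch means the device registered against a different source than you intended, which is the first thing to look for when a pilot machine lands in the wrong tenant.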


Final Words

The end goal is to test the Hybrid Azure AD joined option with a few devices, and knowing how your Azure AD Connect sync scope has been set up is essential to doing that safely. I hope this article gave you that insight into the two methods you can follow depending on your scenario.

Feature Image: Chain Vectors by Vecteezy
