In this post I will show you the steps to troubleshoot Hybrid Azure AD Join issues. Before troubleshooting, we need to understand the basic configuration that is required. Once we have verified that these settings are correct, we can go on to troubleshoot the issues themselves.

If you are sure that the Hybrid Azure AD join configuration is correct, you can skip directly to “Steps to perform for Hybrid Azure AD Join issues”.

What do we mean by Hybrid Azure AD joined devices?

In layman's terms, this is the equation:

Hybrid Azure AD = Domain Joined + Azure AD Joined

Hybrid Azure AD join is the state in which:

  1. The device is domain joined to your on-premises Active Directory
  2. The device has also joined Azure Active Directory

Hybrid Azure AD joined devices periodically require line of sight to on-premises domain controllers for a seamless experience.

The need for Hybrid Azure AD join arises when an organization is not fully ready to move from on-premises infrastructure to the cloud. Hybrid Azure AD join can be seen as an interim solution covering that gap, but it is not only interim: you may use it permanently if your organization never plans to retire its on-premises infrastructure, including Active Directory domain controllers.

Hybrid Azure AD join is also one of the prerequisites for the Intune enrollment process for devices in on-premises infrastructure.

Verify Hybrid Azure AD configuration

Azure AD Connect is the component responsible for syncing the device object to Azure AD. We need to verify that the device is part of a container or OU that is in scope for sync. This setting can be seen under Azure AD Connect > Domain and OU filtering.

Check Hybrid Azure AD Join configuration

Log in to the server where you have installed Azure AD Connect.

Click on Configure.


On the Additional tasks page, click on Customize synchronization options.


Provide the credentials on the Connect to Azure AD page.

Once done, click on Next to go to Sync > Domain/OU Filtering settings.


If “Sync all domains and OUs” is selected, nothing more is required.

If “Sync selected domains and OUs” is selected, verify the options chosen and confirm that the device is in a container or OU that is selected for sync.

Verify Device registration settings / Azure AD Register setting

When we talk about joining a device to Azure AD, we are simply talking about getting the device registered with Azure AD. This does not happen automatically just because Azure AD Connect has been configured.

The setting is a local policy. It can be deployed either through Group Policy or through Configuration Manager client settings.

Either way, the result is the registry value “autoWorkplaceJoin” set to 1. The location of the registry key is:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin

autoWorkplaceJoin as a REG_DWORD with value 1.


Group policy for device registration

If this policy is set through GPO, the following is the location in Group Policy Management Editor:

Computer Configuration \ Policies \ Administrative Templates \ Windows Components \ Device Registration \ Register domain joined computers as devices.


SCCM client settings for device registration

The following setting can be found under Configuration Manager client settings.

Navigate to Cloud Services and verify that Automatically register new Windows 10 or later domain joined devices with Azure Active Directory is set to “Yes”.


Either of these, the GPO or the SCCM client setting for device registration, will fulfill the requirement.

Steps to perform for Hybrid Azure AD Join issues

Check Hybrid Azure AD Join Status

The easiest way to verify the Hybrid Azure AD join status is to run the following command:

dsregcmd /status


Under Device State, verify that AzureAdJoined shows Yes. DomainJoined will obviously show Yes if the device is already domain joined.

The command provides rich information on Device State, Device Details, Tenant Details and more.
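As an added example (not from the original post), the following PowerShell parses the dsregcmd /status output into sections so the hybrid join state can be checked in a script rather than by eye; it falls back to a constructed sample when dsregcmd is not present.

```powershell
# Added example, not part of the original post: parse dsregcmd /status into a hashtable
# keyed by section ("Device State", "Device Details", ...) and evaluate the join state.
function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $result  = @{}
    $section = 'General'
    foreach ($line in $Lines) {
        # Section headers are boxed, e.g. "| Device State |"
        if ($line -match '^\|\s*(.+?)\s*\|$') { $section = $Matches[1]; continue }
        # Data rows look like "        AzureAdJoined : YES"; the value may itself contain colons
        if ($line -match '^\s*([^:]+?)\s*:\s*(.*)$') {
            if (-not $result.ContainsKey($section)) { $result[$section] = @{} }
            $result[$section][$Matches[1]] = $Matches[2].Trim()
        }
    }
    return $result
}

function Test-HybridJoinState {
    param([Parameter(Mandatory)][hashtable]$Status)
    $get = { param($Section, $Key) if ($Status.ContainsKey($Section)) { $Status[$Section][$Key] } }
    $domain = (& $get 'Device State' 'DomainJoined')  -eq 'YES'
    $azure  = (& $get 'Device State' 'AzureAdJoined') -eq 'YES'
    [pscustomobject]@{
        DomainJoined  = $domain
        AzureAdJoined = $azure
        HybridJoined  = ($domain -and $azure)   # both must be true for hybrid join
        DeviceId      = & $get 'Device Details' 'DeviceId'
        TenantName    = & $get 'Tenant Details' 'TenantName'
    }
}

# Constructed sample output, cut down to the sections this post discusses
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+
                  DeviceId : 00000000-0000-0000-0000-000000000000
'@ -split "`r?`n"

# Use live output when dsregcmd is available (Windows 10 or later), otherwise the sample
$lines = if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) { dsregcmd /status } else { $sample }
Test-HybridJoinState (ConvertFrom-DsregStatus $lines)
```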

Verify Workplace Join Task Scheduler status

Hybrid Azure AD join is performed by a Task Scheduler entry named Automatic-Device-Join. You can find it by launching Task Scheduler and navigating to Task Scheduler Library\Microsoft\Windows\Workplace Join.

The Automatic-Device-Join task runs under two triggers:

  1. At user log on
  2. Retries every 1 hour

Check the status of the Task Scheduler entry named Automatic-Device-Join.

Successful completion of device registration (by the Task Scheduler entry) is logged in Event Viewer.

Navigate to Applications and Services Logs\Microsoft\Windows\User Device Registration\Admin

You will see Event ID 4096 generated for device registration with the following message:

The automatic device registration task will be triggered.

If device registration is successful, you will see Event ID 105 with the message:

The complete join response operation was successful.
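The task status check and the Event Viewer check above can be scripted together. This PowerShell is an added example, not from the original post; it uses the task path and log name the post names and reports Event IDs 4096 and 105 plus any errors from the last 24 hours.

```powershell
# Added example, not part of the original post: query the Automatic-Device-Join task and the
# User Device Registration Admin log for the events described above (4096 triggered, 105 success).
function Get-DeviceJoinTaskStatus {
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' `
                              -TaskName 'Automatic-Device-Join' -ErrorAction Stop
    $info = $task | Get-ScheduledTaskInfo
    [pscustomobject]@{
        State          = $task.State                          # Ready, Running or Disabled
        LastRunTime    = $info.LastRunTime
        LastTaskResult = '0x{0:X8}' -f $info.LastTaskResult    # 0x00000000 means success
        NextRunTime    = $info.NextRunTime
    }
}

function Get-DeviceRegistrationEvents {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-User Device Registration/Admin'
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { ($_.Id -in 4096, 105) -or $_.LevelDisplayName -eq 'Error' } |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }   # first line only
}

Get-DeviceJoinTaskStatus | Format-List
$events = Get-DeviceRegistrationEvents
$events | Format-Table -AutoSize
if (-not ($events | Where-Object Id -eq 105)) {
    Write-Warning 'No Event ID 105 in the last 24 hours: registration has not completed on this device.'
}
```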

Verify the userCertificate attribute for the device

Once the Automatic-Device-Join task kicks in, it creates a self-signed certificate and stores it in the userCertificate attribute of the computer object in Active Directory.

Azure DRS uses this userCertificate attribute to create the device object in Azure AD.

Check for userCertificate attribute in AD

This can be checked through either Active Directory Users and Computers or ADSI Edit.

Open Active Directory Users and Computers, go to View and click on Advanced Features to enable the Attribute Editor tab.

Search for the device, open its properties and click on Attribute Editor; scroll down and you should see userCertificate with a value.


If this value is missing, device registration will be incomplete.
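The same attribute check, as an added PowerShell example that is not part of the original post: it reads userCertificate from the computer object and decodes each value so you can confirm a self-signed, unexpired certificate is present. It assumes the RSAT ActiveDirectory module is installed and a domain controller is reachable.

```powershell
# Added example, not part of the original post: read and decode the userCertificate attribute
# of the computer object. Assumes the RSAT ActiveDirectory module and a reachable domain controller.
Import-Module ActiveDirectory

function Get-DeviceRegistrationCertificate {
    param([Parameter(Mandatory)][string]$ComputerName)
    $computer = Get-ADComputer -Identity $ComputerName -Properties userCertificate
    if (-not $computer.userCertificate -or $computer.userCertificate.Count -eq 0) {
        Write-Warning "$ComputerName has no userCertificate value: device registration is incomplete."
        return
    }
    # The attribute is multi-valued; each value is the DER bytes of one certificate
    foreach ($raw in $computer.userCertificate) {
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
        [pscustomobject]@{
            Computer   = $ComputerName
            Subject    = $cert.Subject
            SelfSigned = ($cert.Subject -eq $cert.Issuer)   # the registration cert is self-signed
            NotAfter   = $cert.NotAfter
            Expired    = ($cert.NotAfter -lt (Get-Date))
            Thumbprint = $cert.Thumbprint
        }
    }
}

Get-DeviceRegistrationCertificate -ComputerName $env:COMPUTERNAME
```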

Hybrid Azure AD join device showing status as Pending

There are several reasons why Hybrid Azure AD join devices can show as Pending. A Pending status means that device registration has not yet completed.

You will see this status when logging on to the Azure portal and navigating to Azure Active Directory > All Devices.

The Registered column will show “Pending” with very limited info in the other columns.


If a device stays in Pending status for a long time, the device registration process was initiated but did not go through. A device that is registering successfully can also show this status for a couple of minutes before it is fully registered, at which point a date and time stamp appears.

Device registration happens once the userCertificate for the device is generated; this certificate is required to obtain a Primary Refresh Token (used for SSO) for authentication.

The following needs to be verified:

  1. The Microsoft endpoints / URLs required for device registration are whitelisted. Proxy settings might be blocking them.
  2. A domain controller is reachable.
  3. The userCertificate attribute for the device has been generated.
  4. If a proxy is used in your environment, it is recommended to implement Web Proxy Auto-Discovery (WPAD). If you are not using WPAD, you can configure the WinHTTP proxy setting by deploying it through an SCCM package or Group Policy. The command line to set the WinHTTP proxy is: netsh winhttp set proxy “ProxyName:<PortNo>”
  5. The device has not recently been moved from the OU that is in scope for sync to another OU.
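Items 1, 2 and 4 of the list above can be checked from the device itself. The following PowerShell is an added example, not from the original post; the three endpoints are the ones Microsoft documents for device registration, the proxy is read from the WinHTTP setting the post describes, and a domain-joined Windows host with the USERDNSDOMAIN variable set is assumed.

```powershell
# Added example, not part of the original post: script the endpoint, proxy and DC checks listed above.
# Endpoint list per Microsoft's device registration requirements; adjust to your tenant's needs.
$endpoints = 'enterpriseregistration.windows.net',
             'login.microsoftonline.com',
             'device.login.microsoftonline.com'

function Get-WinHttpProxy {
    # Parses "Proxy Server(s) :  proxy:8080" from netsh output, i.e. the single-host form set by
    # "netsh winhttp set proxy"; returns $null for direct access
    foreach ($l in (netsh winhttp show proxy)) {
        if ($l -match 'Proxy Server\(s\)\s*:\s*(\S+)') { return "http://$($Matches[1])" }
    }
    return $null
}

function Test-RegistrationEndpoint {
    param([Parameter(Mandatory)][string]$Fqdn, [string]$Proxy)
    $params = @{ Uri = "https://$Fqdn/"; UseBasicParsing = $true; TimeoutSec = 10; ErrorAction = 'Stop' }
    if ($Proxy) { $params.Proxy = $Proxy }
    try   { $null = Invoke-WebRequest @params; $ok = $true }
    catch {
        # An HTTP error response (4xx/5xx) still proves the endpoint is reachable through the proxy;
        # only transport failures (DNS, blocked port, proxy refusal) leave Response empty
        $ok = $null -ne $_.Exception.Response
    }
    [pscustomobject]@{ Endpoint = $Fqdn; ViaProxy = [bool]$Proxy; Reachable = $ok }
}

function Test-DomainControllerReachable {
    # nltest locates a DC for the computer's domain; exit code 0 means one answered
    $null = nltest /dsgetdc:$env:USERDNSDOMAIN 2>&1
    return ($LASTEXITCODE -eq 0)
}

$proxy = Get-WinHttpProxy
"WinHTTP proxy: $(if ($proxy) { $proxy } else { 'direct access' })"
"Domain controller reachable: $(Test-DomainControllerReachable)"
$endpoints | ForEach-Object { Test-RegistrationEndpoint -Fqdn $_ -Proxy $proxy }
```

Run it from the affected device; an endpoint that is Reachable only with ViaProxy set to False points at a missing proxy exception, which is exactly the case item 1 describes.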

Important Links

Troubleshoot hybrid Azure Active Directory-joined devices – Microsoft Entra | Microsoft Docs

How Azure AD device registration works – Microsoft Entra | Microsoft Docs

Pending devices in Azure Active Directory – Active Directory | Microsoft Docs
