IT Connect

Hybrid Azure AD Join with Delegated OU

Azure AD hybrid join was generally enabled for Windows 10 devices and Windows Server 2016 or better in the NETID domain on June 25, 2020, via a change to settings in our Azure AD Connect.

A computer in the NETID AD can end up in a hybrid joined state one of two ways:

  • If your computer is among the eligible Windows platforms, it is joined to your delegated OU, and you don’t block AAD registration (i.e. it happens automatically)
  • The computer was built via UW Autopilot, in which case it is hybrid joined and might be in your delegated OU (or the general Autopilot OU)

A device is said to be hybrid joined when it has both an AD object and an Azure AD (AAD) object. Users of that device sign in with an AD user account, and that sign-in grants access to resources protected by either the AD user or the AAD user.

A hybrid joined computer is joined to both AD and AAD, but the AD join is primary because the device initially uses AD authentication. Only Windows devices can be hybrid joined.

Please reference our cloud-based device management glossary for terms you are unfamiliar with.

How do I disable Hybrid Join for my Delegated OU computers?

Only Windows 10 (or Windows Server 2016) or later devices can hybrid join, due to the UW’s Azure AD Connect configuration.

You can prevent your domain joined device from being Azure AD registered by turning off automatic registration. To do so, add the following registry value to HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin: “BlockAADWorkplaceJoin”=dword:00000001.

This registry value must be in place prior to the trigger for AAD device registration (see section on that topic).

This answer comes from https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan.

How do I unjoin a hybrid Azure AD device?

For hybrid Azure AD joined devices, make sure to turn off automatic registration (see ‘how to disable’ section). Then the scheduled task (see ‘AAD device registration’ section) doesn’t register the device again. Next, open a command prompt as an administrator and enter dsregcmd.exe /debug /leave. Or run this command as a script across several devices to unjoin in bulk.
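The disable step above (the BlockAADWorkplaceJoin registry value) and the unjoin step (dsregcmd.exe /debug /leave) together, as an added PowerShell example that is not from this page or from Microsoft's documentation. It assumes an elevated PowerShell session on a Windows 10 / Server 2016 or later NETID-joined machine; the field names it reads back from dsregcmd /status (DomainJoined, AzureAdJoined, AzureAdPrt) are standard dsregcmd output, and the $Leave switch is this script's own parameter.

```powershell
# Added example (not the IT Connect page's or Microsoft's code): block automatic
# AAD registration, optionally leave an existing hybrid join, then report state.
# Assumes an elevated session on Windows 10 / Server 2016+; dsregcmd.exe ships
# with Windows, so no extra install is needed.
[CmdletBinding()]
param(
    # Also run dsregcmd /leave after the block is in place (hypothetical switch)
    [switch]$Leave
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
$valueName = 'BlockAADWorkplaceJoin'

# 1. The block must exist before the registration scheduled task fires again,
#    otherwise the device simply re-registers after a leave.
if (-not (Test-Path $policyKey)) {
    New-Item -Path $policyKey -Force | Out-Null
}
New-ItemProperty -Path $policyKey -Name $valueName -PropertyType DWord `
    -Value 1 -Force | Out-Null

$current = (Get-ItemProperty -Path $policyKey -Name $valueName).$valueName
if ($current -ne 1) {
    throw "Failed to set $valueName under $policyKey"
}

# 2. Optional: leave the existing hybrid join (the command from the page).
if ($Leave) {
    & dsregcmd.exe /debug /leave | Out-Null
}

# 3. Verify: pull the join-state fields out of dsregcmd /status.
$state = @{}
& dsregcmd.exe /status | ForEach-Object {
    if ($_ -match '^\s*(AzureAdJoined|DomainJoined|AzureAdPrt)\s*:\s*(\S+)') {
        $state[$Matches[1]] = $Matches[2]
    }
}

# After a successful leave, DomainJoined should stay YES while AzureAdJoined is NO.
[pscustomobject]@{
    ComputerName          = $env:COMPUTERNAME
    BlockAADWorkplaceJoin = $current
    DomainJoined          = $state['DomainJoined']
    AzureAdJoined         = $state['AzureAdJoined']
    AzureAdPrt            = $state['AzureAdPrt']
}
```

To unjoin several devices at once, run the same script through Invoke-Command against a list of computer names and collect the returned objects.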

This answer comes from https://docs.microsoft.com/en-us/azure/active-directory/devices/faq.

Azure AD device registration

When enabled for hybrid join, the trigger for AAD device registration is a default scheduled task with several triggers:

  • user sign in
  • an event with a special event id is recorded — it is unclear what causes this event

Note: the scheduled task comes installed with Windows 10; you do not need to add it, but you can trigger it manually yourself. See the links in the troubleshooting section for more info on this.

Note: An additional user sign-in may be required to obtain an Azure AD primary refresh token (PRT).

Line of Sight Connectivity to NETID AD

If your computer is off the UW network, you’ll need to get it connected via a VPN prior to user sign-in to trigger AAD device registration. Please read our document about that.

Verify and Troubleshoot Hybrid Join

Please consult https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current for how to verify and troubleshoot hybrid join.

Other pages which may be useful are:

Benefits of Hybrid Join

The known benefits are:

Last reviewed July 22, 2020