IT Connect

Hybrid Azure AD Join with Delegated OU

Azure AD hybrid join was generally enabled for Windows 10 devices and Windows Server 2016 or better in the NETID domain on June 25, 2020, via a change to settings in our Azure AD Connect.

A computer in the NETID AD can end up in a hybrid joined state in one of two ways:

  • If your computer is one of the eligible Windows platforms, is joined to your delegated OU, and you don’t block AAD registration, it happens automatically.
  • The computer was built via UW Autopilot, in which case it is hybrid joined and might be in your delegated OU (or the general Autopilot OU).

A device is said to be hybrid joined if it has both an AD object and an Azure AD (AAD) object. Users of that device sign in with an AD user account, and that sign-in gives them access to resources protected by either the AD user or the AAD user.

A hybrid joined computer is joined to both AD and AAD, but the AD join is primary because the device initially uses AD authentication. Only Windows devices can be hybrid joined.

Please reference our cloud-based device management glossary for terms you are unfamiliar with.

Microsoft supplies a detailed process diagram for hybrid join in a federated environment which may help you understand how it works.

How do I disable Hybrid Join for my Delegated OU computers?

Only Windows 10 or Windows Server 2016 or later devices can hybrid join, due to the UW’s Azure AD Connect configuration.

Microsoft does not provide good guidance on this question; the answer it gives at https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan, which involves a registry value, does not work in our testing.

You can disable hybrid join by preventing one of the requirement elements from triggering hybrid join registration:

  1. Modify the Scheduled Task which triggers AAD device registration. See Task Scheduler > Microsoft > Windows > Workplace Join > Automatic-Device-Join. See the following 3 items for details:
    1. Deleting the Scheduled Task seems to work reliably.
    2. Disabling the Scheduled Task does not work reliably; the disabled task will still run after a user signs in.
    3. Modify both triggers from an Enabled status to a Disabled status; this works reliably.
  2. Add a firewall block for https://enterpriseregistration.windows.net, to prevent the computer from connecting to the Azure AD Device Registration Service (AAD DRS). See the following item for possible side-effects:
    1. This should only affect the ability to AAD join. If you have Office installed on the Windows device, this might have an undesirable impact on AAD device registration (different from AAD device join) which is required per user for Microsoft 365 Apps (was Office 365 ProPlus) sign-in.
  3. Add a firewall block for the UW ADFS server, sts.netid.washington.edu, to prevent the computer from getting an ADFS token to authenticate to the AAD DRS. See the following item for possible side-effects:
    1. Note: this option will only work for as long as we continue to have federated authentication for AAD, which is planned to be removed. This option may be undesirable if there is any interaction with Azure AD applications like Office 365 from the device; those interactions would be blocked.

How do I unjoin a hybrid Azure AD device?

For hybrid Azure AD joined devices, make sure to turn off automatic registration (see ‘how to disable’ section). Then the scheduled task (see ‘AAD device registration’ section) doesn’t register the device again. Next, open a command prompt as an administrator and enter dsregcmd.exe /debug /leave. Or run this command as a script across several devices to unjoin in bulk.

This answer comes from https://docs.microsoft.com/en-us/azure/active-directory/devices/faq.
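As an added example (not code from the original page or from UW IT), the following PowerShell script carries out option 1.3 above (set both triggers of Automatic-Device-Join to Disabled) and then the unjoin step from the FAQ answer. It assumes an elevated PowerShell session on Windows 10 or Windows Server 2016 or later with the built-in ScheduledTasks module; the function names are my own.

```powershell
# Added example, not from the original UW IT Connect page.
# Disables both triggers of the Automatic-Device-Join task (option 1.3), verifies
# they are off, and only then runs dsregcmd /debug /leave to drop the AAD object.
# Assumes: elevated shell, Windows 10 / Server 2016+, ScheduledTasks module present.
#Requires -RunAsAdministrator

$taskPath = '\Microsoft\Windows\Workplace Join\'
$taskName = 'Automatic-Device-Join'

function Disable-AadJoinTriggers {
    # Keeps the task in place (option 1.1 would delete it) but sets every trigger
    # to Disabled, which the page reports as the reliable way to stop re-registration.
    $task = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName -ErrorAction Stop
    foreach ($trigger in $task.Triggers) { $trigger.Enabled = $false }
    $task | Set-ScheduledTask | Out-Null
    # Re-read the task and return $true only if no trigger is still enabled.
    $check = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName
    return -not ($check.Triggers | Where-Object { $_.Enabled })
}

function Get-AadJoinState {
    # dsregcmd /status prints a line such as "AzureAdJoined : YES"; extract that value.
    $match = (& dsregcmd.exe /status) |
        Select-String -Pattern '^\s*AzureAdJoined\s*:\s*(\w+)' |
        Select-Object -First 1
    if ($match) { return $match.Matches[0].Groups[1].Value } else { return 'UNKNOWN' }
}

if (-not (Disable-AadJoinTriggers)) {
    throw "Could not disable all triggers on $taskPath$taskName; not running /leave."
}

if ((Get-AadJoinState) -eq 'YES') {
    # Unjoin step from the FAQ answer: remove this device's Azure AD object.
    & dsregcmd.exe /debug /leave | Out-Null
}

Write-Output ("AzureAdJoined after leave: {0}" -f (Get-AadJoinState))
```

To unjoin several devices in bulk, the same script body can be run remotely with Invoke-Command against a list of computer names.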

Azure AD device registration

When enabled for hybrid join, the trigger for AAD device registration is a default scheduled task with several triggers:

  • user sign in
  • an event with a special event id is recorded — it is unclear what causes this event

Note: the scheduled task comes installed with Windows 10; you do not need to add it, but you can trigger it manually yourself. See the links in the troubleshooting section for more info on this.

Note: An additional user sign in may be required to get an Azure AD primary refresh token (PRT).

Line of Sight Connectivity to NETID AD

If your computer is off the UW network, you’ll need to get it connected via a VPN prior to user sign-in to trigger AAD device registration. Please read our document about that.

Verify and Troubleshoot Hybrid Join

Please consult https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current for how to verify and troubleshoot hybrid join.

Other pages which may be useful are:

Benefits of Hybrid Join

The known benefits are:

Last reviewed July 22, 2020