Hybrid Azure AD join – controlled roll-out

Hybrid Azure AD join, as the name indicates, is a feature that lets you use your on-premises AD and Azure AD at the same time: the devices are joined to on-prem AD and registered in Azure AD. Enabling that option might be needed, e.g. for co-management, Autopilot, etc.

By default, the Hybrid Azure AD join is supported by Windows 10, 11, and Windows Server 2016, 2019. Older versions (Windows down-level devices) can also work in hybrid, but with some limitations.

The implementation of Hybrid Azure AD join is fairly easy and can be done with Azure AD Connect, where you define the SCP (service connection point). That setting is propagated to all machines in your on-prem environment and does not let you decide which devices become hybrid joined and which do not.

But this is not the only way. The SCP configuration can be added directly to the registry on specific machines, so you can easily create a GPO that propagates these settings only to the devices you choose.

Note:

The method below works only if the standard prerequisites are met: Azure AD Connect, the required firewall rules, and the OU containing the computer objects synced with Azure AD.

Clear the SCP from AD (if needed)

  1. Launch the ADSI Edit as an Enterprise Administrator.
  2. Connect to the Configuration Naming Context of your domain.
  3. Browse to CN=Configuration,DC=domain,DC=com => CN=Services => CN=Device Registration Configuration.
  4. Right-click on the leaf object CN=62a0ff2e-97b9-4513-943f-0d221bd30080 and select Properties.
  5. Select keywords from the Attribute Editor window and select Edit.
  6. Select the values of azureADId and azureADName (one at a time) and select Remove.
  7. Close ADSI Edit.

Configure client-side registry setting for SCP

  1. Open a Group Policy Management console and create a new Group Policy Object in your domain.
  2. Edit the GPO and go to: Computer Configuration => Preferences => Windows Settings => Registry.
  3. Right-click on the Registry and select New => Registry Item.
    • On the General tab, configure the following:
    • Action: Update.
    • Hive: HKEY_LOCAL_MACHINE.
    • Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD.
    • Value name: TenantId.
    • Value type: REG_SZ.
    • Value data: The GUID or Tenant ID of your Azure AD instance (you can find the value in Azure portal => Azure Active Directory => Properties => Tenant ID).
    • Select OK.
  4. Right-click on the Registry and select New => Registry Item.
    • On the General tab, configure the following:
    • Action: Update.
    • Hive: HKEY_LOCAL_MACHINE.
    • Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD.
    • Value name: TenantName.
    • Value type: REG_SZ.
    • Value data: Your verified domain name or your onmicrosoft.com domain name.
    • Select OK.
  5. Close the editor.
  6. Link the newly created GPO to the correct OU containing domain-joined computers that belong to your controlled rollout population.
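The same two values can be written and checked locally on a pilot machine before the GPO is linked. This is an added example, not code from the original post; the tenant ID and tenant name passed to it are placeholders, and the script must run as administrator to write HKLM.

```powershell
# Added example (not from the post). Writes and verifies the client-side SCP values
# that the GPO above delivers. Placeholder tenant values, run elevated.
$RegPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD'

function Set-HybridJoinScp {
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$TenantName
    )
    # Reject a malformed TenantId up front; otherwise it only surfaces later
    # as a failed join in the User Device Registration log.
    $guid = [guid]::Empty
    if (-not [guid]::TryParse($TenantId, [ref]$guid)) {
        throw "TenantId '$TenantId' is not a GUID"
    }
    # TenantName must be a verified domain or the onmicrosoft.com name.
    if ($TenantName -notmatch '^[A-Za-z0-9.-]+\.[A-Za-z]{2,}$') {
        throw "TenantName '$TenantName' does not look like a DNS domain name"
    }
    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    New-ItemProperty -Path $RegPath -Name TenantId   -PropertyType String -Value $guid.Guid  -Force | Out-Null
    New-ItemProperty -Path $RegPath -Name TenantName -PropertyType String -Value $TenantName -Force | Out-Null
}

function Test-HybridJoinScp {
    # Reports whether the device carries a usable SCP configuration in the registry.
    $result = [ordered]@{ KeyExists = $false; TenantId = $null; TenantName = $null; Valid = $false }
    if (Test-Path $RegPath) {
        $result.KeyExists  = $true
        $props = Get-ItemProperty -Path $RegPath
        $result.TenantId   = $props.TenantId
        $result.TenantName = $props.TenantName
        $g = [guid]::Empty
        $result.Valid = [bool]$props.TenantName -and [guid]::TryParse([string]$props.TenantId, [ref]$g)
    }
    [pscustomobject]$result
}

# Placeholder tenant values; replace with your own before running on a pilot device.
# Set-HybridJoinScp -TenantId '00000000-0000-0000-0000-000000000000' -TenantName 'contoso.onmicrosoft.com'
Test-HybridJoinScp | Format-List
```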

Final registry entry:

What happens next?

If you go to Task Scheduler => Task Scheduler Library => Microsoft => Windows => Workplace Join, you can find the “Automatic-Device-Join” task, which tries to join Azure AD and of course tries to find the tenant ID and tenant name by searching the SCP in Active Directory and the registry path HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD.

When you switch to the Actions tab, you can see which process is triggered: dsregcmd.

Troubleshooting by using the dsregcmd command

According to Microsoft documentation, dsregcmd can be used for troubleshooting, but it can also manually join or unjoin the device.

/status – shows whether a device is already Hybrid Azure AD joined (AzureADJoined: YES/NO)

/join – manually joins the computer to Azure AD (should be run in the SYSTEM context)

/leave – unjoins the computer from Azure AD
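To check a fleet of pilot machines rather than reading dsregcmd /status by eye, the output can be parsed into a hashtable and reduced to the fields that matter here. This is an added example, not from the original post; the sample rows are constructed (real output contains many more lines), and the tenant values in them are placeholders.

```powershell
# Added example (not from the post). Parses 'dsregcmd /status' rows into a hashtable
# and reports domain/Azure AD join state. Sample rows below are constructed.
function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints "   Key : Value" rows; section headers and dividers have no colon
        if ($line -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    $state
}

function Get-HybridJoinState {
    # Default: run the real command on this machine; -Lines allows offline testing.
    param([string[]]$Lines = (& dsregcmd.exe /status))
    $s = ConvertFrom-DsregStatus -Lines $Lines
    [pscustomobject]@{
        DomainJoined  = $s['DomainJoined']  -eq 'YES'
        AzureAdJoined = $s['AzureAdJoined'] -eq 'YES'
        # Hybrid join means both of the above are YES at the same time
        HybridJoined  = ($s['DomainJoined'] -eq 'YES') -and ($s['AzureAdJoined'] -eq 'YES')
        TenantName    = $s['TenantName']
        TenantId      = $s['TenantId']
    }
}

# Constructed sample of the relevant rows (placeholder tenant values):
$sample = @(
    '+----------------------------------------------------------------------+',
    '| Device State                                                         |',
    '+----------------------------------------------------------------------+',
    '             AzureAdJoined : YES',
    '          EnterpriseJoined : NO',
    '              DomainJoined : YES',
    '                DomainName : CORP',
    '+----------------------------------------------------------------------+',
    '| Tenant Details                                                       |',
    '+----------------------------------------------------------------------+',
    '                TenantName : contoso.onmicrosoft.com',
    '                  TenantId : 00000000-0000-0000-0000-000000000000'
)
Get-HybridJoinState -Lines $sample
```

Run without -Lines on a domain-joined machine to read the live state; PowerShell hashtable keys are case-insensitive, so the AzureAdJoined/AzureADJoined spelling difference does not matter.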

Event Viewer

The specific log, in the Event Viewer, might provide you with a lot of details if troubleshooting is needed. Go to Event Viewer => Applications and Services Logs => Microsoft => Windows => User Device Registration => Admin

  • 100 – Discovery Request Sent – network issues, check firewall rules
  • 101 – Discovery Operation was Successful – firewall rules configured correctly
  • 102 – Initialization of join request was successful
  • 105 – Complete Join Response was successful
  • 106 – Post Join Tasks for the AAD Authentication Package completed successfully
  • 111 – Registration status has been successfully flushed to disk
  • 201 – Discovery Operation Failed. Error code: 0x80072ee2 – network issues, check firewall rules
  • 212 – Error happened while accessing registry – check if the registry entry exists
  • 223 – WINHTTP_STATUS_CALLBACK_REQUEST_ERROR – Error Code 0x80072ee2 – network issues, check firewall rules
  • 304 – Automatic registration failed at join phase. Error code: 0x801c001d – standard ID event without hybrid join configuration
  • 304 – Automatic registration failed at join phase. Error code: 0x801c0021 – network issues, check firewall rules
  • 304 – Automatic registration failed at join phase. Error code: 0x801c03f2 – device is not synced with Azure AD, check synced OU
  • 306 – Automatic Registration succeeded – run dsregcmd /status to confirm AzureADJoined or check it on Azure portal
  • 307 – Automatic registration failed at join phase. Error code: 0x801c001d – standard ID event without hybrid join configuration
  • 309 – Failed to discover Azure DRS Service. Error code: 0x801c0021 – network issues, check firewall rules
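The event IDs and error codes above can be pulled from the log and annotated automatically on a machine under investigation. This is an added example, not code from the original post; the hint texts are taken from the list above, the log name is the one Event Viewer shows for User Device Registration => Admin, and the sample events are constructed so the function can be tried offline.

```powershell
# Added example (not from the post). Reads the User Device Registration admin log
# and annotates the event IDs and error codes listed above. Sample events are constructed.
$Hints = @{
    100 = 'Discovery request sent - network issues, check firewall rules'
    101 = 'Discovery succeeded - firewall rules configured correctly'
    102 = 'Join request initialised'
    105 = 'Complete join response succeeded'
    106 = 'Post-join tasks for the AAD authentication package completed'
    111 = 'Registration status flushed to disk'
    201 = 'Discovery failed - network issues, check firewall rules'
    212 = 'Registry access error - check that the CDJ\AAD registry entry exists'
    223 = 'WinHTTP request error - network issues, check firewall rules'
    304 = 'Automatic registration failed at join phase (see error code)'
    306 = 'Automatic registration succeeded - confirm with dsregcmd /status'
    307 = 'Automatic registration failed at join phase (see error code)'
    309 = 'Failed to discover Azure DRS service - network issues, check firewall rules'
}
$ErrorHints = @{
    '0x80072ee2' = 'network issues, check firewall rules'
    '0x801c001d' = 'standard registration event without hybrid join configuration'
    '0x801c0021' = 'network issues, check firewall rules'
    '0x801c03f2' = 'device is not synced with Azure AD, check the synced OU'
}

function Get-HybridJoinTriage {
    # Default: last 50 events from the live log; -Events allows offline testing.
    param([object[]]$Events = (Get-WinEvent -LogName 'Microsoft-Windows-User Device Registration/Admin' -MaxEvents 50 -ErrorAction SilentlyContinue))
    foreach ($e in $Events) {
        # Pull the HRESULT out of the message text, if one is present
        $code = if ($e.Message -match '0x[0-9a-fA-F]{8}') { $Matches[0].ToLower() } else { $null }
        [pscustomobject]@{
            Time  = $e.TimeCreated
            Id    = $e.Id
            Hint  = if ($Hints.ContainsKey($e.Id)) { $Hints[$e.Id] } else { 'not covered in the list above' }
            Error = if ($code -and $ErrorHints.ContainsKey($code)) { "$code - $($ErrorHints[$code])" } else { $code }
        }
    }
}

# Constructed sample events shaped like Get-WinEvent records:
$sample = @(
    [pscustomobject]@{ TimeCreated = Get-Date; Id = 100; Message = 'Discovery Request Sent' },
    [pscustomobject]@{ TimeCreated = Get-Date; Id = 304; Message = 'Automatic registration failed at join phase. Error code: 0x801c03f2' }
)
Get-HybridJoinTriage -Events $sample | Format-Table -AutoSize
```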

Written by: Artur Kukuła
