Device writeback is currently in preview, and I have a couple of customers who are eagerly waiting for this feature. I have been trying to get it working in my lab environment for the last couple of days, and today I finally reached the goal.
The device writeback feature allows you to take a device registered in the cloud, for example in Intune, and have it in AD DS for conditional access. To enable the feature, AD DS must be prepared. If you install AD FS and the Device Registration Service (DRS), DRS provides PowerShell cmdlets to prepare AD for device writeback. If you do not have DRS installed, you can run C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncAdPrep.psm1 as an enterprise admin.
Prerequisites for Azure Active Directory
To allow devices to be registered in AAD, you need to enable “Device Registration” under Configuration -> Devices in your AAD tenant. The settings I used:
User may join devices to Azure AD – All (you can also assign this to selected group of users)
Additional Administrators on Azure AD Joined Devices and Users May Reg… – Are at default level below
Number of devices per user – default is 20, I reduced this to 5
After this, my “demo account” and a couple of others joined their devices to AAD with the Azure Join feature or the Workplace Join feature. The demo account logs in only to AAD instead of on-prem, which is quite cool :)
The steps to get this working were:
1. Install AAD Connect (do not use express mode) with the service account that should be used to run the AD Sync service – STOP when you are at the Express page
Prepare on-prem AD for device writeback:
2. Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncAdPrep.psm1"
- $cred = Get-Credential (enter the account that you chose for your service account in Step 1b)
3. Initialize-ADSyncDeviceWriteBack -AdConnectorAccount $cred -DomainName (domain where devices will be created)
5. Configure AAD Connect with the wizard to allow “Device Write-Back”
6. If you are using OU-based scoping, confirm that the “RegisteredDevices” container is selected in the sync scoping
7. In the AAD Connect configuration, open the on-prem connector and confirm that the AD “object types” list contains the device object
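As an added example (this is not from the original post and not Microsoft's own tooling), the following PowerShell script checks the outcome of steps 2 to 7 on the AAD Connect server: that the writeback feature is on, that the RegisteredDevices container exists, that the on-prem connector includes device objects, who has write access to the container, and which devices have been written back so far. It assumes the ADSync and ActiveDirectory modules are available, that $DomainDN and $ConnectorName are replaced with your own values (the ones shown are placeholders), and that the ADSync module exposes a DeviceWriteback flag on Get-ADSyncAADCompanyFeature and an ObjectInclusionList property on the connector object; those two property names are assumptions, so adjust them if your module version names them differently.

```powershell
# Added verification script, not part of the original post.
# Assumes: ADSync + ActiveDirectory modules; run as a user who can read AD and the sync config.
param(
    [string]$DomainDN      = "DC=contoso,DC=com",   # PLACEHOLDER: distinguished name of the target domain
    [string]$ConnectorName = "contoso.com"          # PLACEHOLDER: name of the on-prem AD connector
)

Import-Module ADSync
Import-Module ActiveDirectory

# 1. Is device writeback enabled in the AAD Connect configuration (step 5)?
#    The DeviceWriteback property name is an assumption about the cmdlet's output object.
$features = Get-ADSyncAADCompanyFeature
"Device writeback enabled: $($features.DeviceWriteback)"

# 2. Does the RegisteredDevices container exist (created by Initialize-ADSyncDeviceWriteBack, step 3)?
$containerDN = "CN=RegisteredDevices,$DomainDN"
try {
    $container = Get-ADObject -Identity $containerDN -ErrorAction Stop
} catch {
    Write-Warning "Container $containerDN not found: run Initialize-ADSyncDeviceWriteBack first"
    return
}
"Container found: $($container.DistinguishedName)"

# 3. Step 7 of the post: confirm the on-prem connector includes the device object type.
#    ObjectInclusionList is an assumed property name; the object type may be listed as
#    'device' or by its schema class 'msDS-Device', so both are accepted here.
$connector = Get-ADSyncConnector -Name $ConnectorName
$types     = @($connector.ObjectInclusionList)
$hasDevice = ($types -contains "device") -or ($types -contains "msDS-Device")
"Connector '$ConnectorName' includes device objects: $hasDevice"

# 4. Least-privilege check: the writeback account needs create/write rights on this
#    container, but nobody else should. Review anything unexpected in this list.
(Get-Acl -Path "AD:\$containerDN").Access |
    Where-Object {
        $_.AccessControlType -eq "Allow" -and
        $_.ActiveDirectoryRights -match "CreateChild|WriteProperty|GenericAll|GenericWrite"
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize

# 5. List the devices written back so far: one msDS-Device object per registered device.
Get-ADObject -SearchBase $containerDN -SearchScope OneLevel `
    -LDAPFilter "(objectClass=msDS-Device)" -Properties displayName, whenCreated |
    Select-Object Name, displayName, whenCreated |
    Sort-Object whenCreated -Descending |
    Format-Table -AutoSize
```

Run it once before a delta sync and once after; an empty list in step 5 with everything else green usually means the container is outside the sync scope (step 6) or the connector is missing the device object type (step 7), which matches the two steps the post identifies as the breakthrough.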
After these configurations, voilà! Devices were written back from AAD to on-prem AD.
The path to getting devices back to on-prem AD was quite bumpy, and I hit the following errors when trying to get devices written to Active Directory. The breakthrough was steps 6 & 7.