Approximately two (2) years ago I wrote a blog post “Azure AD – Automatic DRS for Windows Domain joined devices”. At that time the world of cloud was slightly different, and the pace of evolution has been staggering since then.

Nowadays, enabling Hybrid Azure AD Join (HDJ) is a much easier process than it was two years ago. Now you can execute all the necessary tasks via Azure AD Connect instead of running multiple PowerShell commands and scripts (which, honestly, I prefer). Of course, the manual option is still available.

The benefit of registering devices to Azure AD is that the device identity can be used in the authentication process, for example as a grant control in Conditional Access policies (“Require Hybrid Azure AD joined device”), so that access is granted only from devices your on-prem AD knows about.


As said, this can be done via Azure AD Connect (AADC). First, open AADC and select “Configure device options”.

An information screen opens which shows the options for device configuration.

Authenticate to Azure AD with Global Administrator permissions.

Select the options you want to configure, these are:

  • Hybrid Azure AD join – on-prem devices are registered automatically to Azure AD
  • Device writeback – devices are written from Azure AD to on-prem Active Directory
  • Disable device writeback – disables writeback operation

Configure Service Connection Point (SCP)

  • Select correct forest
  • Select authentication service (AAD)
  • Enter Enterprise Admin credentials – these are needed because the SCP is created in the Configuration naming context of the on-prem AD forest, which Domain Admins cannot write to

Select the Operating Systems in use.


Open adsiedit.msc on a machine which has the Windows Server administrative tools installed, connect to the Configuration naming context and verify that the “Device Registration Configuration” container (under CN=Services) and the SCP object inside it have been created.

The keywords attribute of the SCP object should contain the Azure AD tenant name and tenant ID (values of the form azureADName:&lt;tenant&gt; and azureADId:&lt;tenant GUID&gt;). A device uses exactly these values to decide which tenant to register to, so check that they point at your production tenant and not at a lab or a previous configuration.
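If you prefer to verify the SCP from a script rather than click through adsiedit, the following PowerShell does the same check. This is an added example for this post, not code from Azure AD Connect or from Microsoft: it assumes the ActiveDirectory RSAT module is available, that the SCP lives at the well-known GUID Microsoft uses under “Device Registration Configuration”, and that you replace the placeholder $expectedTenantId with your own tenant ID. The second part is meant to be run on a Windows 10 client after it has rebooted and a user has signed in.

```powershell
# Added example (not from the original post): verify the Hybrid Azure AD Join SCP
# that Azure AD Connect created in the on-prem Configuration naming context.
# Assumes the ActiveDirectory RSAT module is installed; any authenticated
# domain user can read the Configuration NC, so no elevated rights are needed.
Import-Module ActiveDirectory

# The SCP location is fixed: a well-known GUID under
# CN=Device Registration Configuration,CN=Services,<Configuration NC>
$configNC = (Get-ADRootDSE).configurationNamingContext
$scpDN    = "CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,$configNC"

try {
    $scp = Get-ADObject -Identity $scpDN -Properties keywords -ErrorAction Stop
} catch {
    Write-Warning "SCP not found at $scpDN - devices will not hybrid join until it exists."
    return
}

# keywords is multi-valued: "azureADName:<tenant>" and "azureADId:<tenant GUID>"
$tenantName = ($scp.keywords | Where-Object { $_ -like 'azureADName:*' }) -replace '^azureADName:', ''
$tenantId   = ($scp.keywords | Where-Object { $_ -like 'azureADId:*' })   -replace '^azureADId:', ''

# Placeholder (assumption): put your own tenant ID here so an SCP pointing at the
# wrong tenant (lab, old configuration) is flagged instead of silently accepted.
$expectedTenantId = '00000000-0000-0000-0000-000000000000'

[pscustomobject]@{
    SCP             = $scp.DistinguishedName
    AzureADName     = $tenantName
    AzureADId       = $tenantId
    MatchesExpected = ($tenantId -ieq $expectedTenantId)
}

# --- On a Windows 10 client: confirm the device actually completed the join ---
# dsregcmd /status prints "AzureAdJoined : YES" and "DomainJoined : YES" for a
# hybrid joined device, plus the TenantId it registered with.
$status = dsregcmd /status
$azureAdJoined = ($status | Select-String '^\s*AzureAdJoined\s*:\s*YES').Count -gt 0
$domainJoined  = ($status | Select-String '^\s*DomainJoined\s*:\s*YES').Count -gt 0
$deviceTenant  = ($status | Select-String '^\s*TenantId\s*:\s*(\S+)').Matches.Groups[1].Value

[pscustomobject]@{
    HybridJoined   = ($azureAdJoined -and $domainJoined)
    DeviceTenantId = $deviceTenant
    SameTenantAsSCP = ($deviceTenant -ieq $tenantId)
}
```

If the first part reports that the SCP is missing, you are back to the manual option mentioned earlier: Azure AD Connect ships the AdSyncPrep module (AdPrep\AdSyncPrep.psm1 under its install folder) whose Initialize-ADSyncDomainJoinedComputerSync cmdlet creates the same SCP when given the connector account and Azure AD credentials. A device that shows DomainJoined : YES but AzureAdJoined : NO has typically not yet reached the SCP or has not completed the scheduled registration task; check dsregcmd /status again after the next sign-in before troubleshooting further.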

That’s it. The prerequisites are done and you can continue to the necessary Operating System configuration. If you have down-level devices in your environment, check this link.


Configure hybrid Azure Active Directory join for managed domains

Configure hybrid Azure Active Directory join for federated domains

Configure hybrid Azure Active Directory joined devices manually