Approximately two (2) years ago I wrote a blog post “Azure AD – Automatic DRS for Windows Domain joined devices”. At that time, the world of cloud was slightly different, and the pace of evolution has been staggering since then.
Nowadays, enabling Hybrid Domain Join (HDJ) is a much easier process than two years ago. You can now execute all the necessary tasks via Azure AD Connect instead of running multiple PowerShell commands and scripts (and I like it more this way). Of course, the manual option is still available.
The benefit of registering devices to Azure AD is that you can use the device identity in the authentication process, together with Conditional Access policies.
Configuration
As said, this can be done via AAD Connect (AADC). First, open AADC and select “Configure device options”.

An information screen opens which shows the options for device configuration.

Authenticate to Azure AD with Global Admin permissions.

Select the options you want to configure. These are:
- Hybrid Azure AD join – on-prem devices are registered automatically to Azure AD
- Device writeback – devices are written from Azure AD to the on-prem Active Directory
- Disable device writeback – disables the writeback operation

Configure the Service Connection Point (SCP):
- Select the correct forest
- Select the authentication service (AAD)
- Enter Enterprise Admin credentials – these are needed because the SCP is created in the on-prem AD configuration container

Select the operating systems in use.


Verification
Open adsiedit.msc on a machine which has the Windows Server administrative tools installed and verify that the “Device Registration” object has been created in the configuration container.
Its Keywords attribute should contain the Azure AD tenant name and ID.
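The same check can be scripted instead of browsing with ADSI Edit. The following is an added example, not code from the original post or from AAD Connect; it assumes the ActiveDirectory RSAT module, read access to the configuration naming context, and that the SCP is a serviceConnectionPoint object under the “Device Registration Configuration” services container whose keywords carry azureADName and azureADId values, as Microsoft documents.

```powershell
# Added example: verify the Hybrid Azure AD Join SCP created by AAD Connect.
# Assumption: RSAT ActiveDirectory module is installed and the caller can read
# the configuration naming context of the forest.
Import-Module ActiveDirectory

function Test-HybridJoinScp {
    $configNC  = (Get-ADRootDSE).configurationNamingContext
    $container = "CN=Device Registration Configuration,CN=Services,$configNC"

    try {
        # One SCP object is expected directly under the container.
        $scp = Get-ADObject -SearchBase $container -SearchScope OneLevel `
            -LDAPFilter '(objectClass=serviceConnectionPoint)' `
            -Properties keywords -ErrorAction Stop
    } catch {
        # Container missing means the AAD Connect device options step never ran.
        Write-Warning "Could not read $container : $($_.Exception.Message)"
        return $null
    }

    if (-not $scp) {
        Write-Warning "No serviceConnectionPoint found under $container."
        return $null
    }

    # Keywords should hold 'azureADName:<verified domain>' and 'azureADId:<tenant GUID>'.
    $name = @($scp.keywords | Where-Object { $_ -like 'azureADName:*' })
    $id   = @($scp.keywords | Where-Object { $_ -like 'azureADId:*' })

    $result = [pscustomobject]@{
        DistinguishedName = $scp.DistinguishedName
        AzureADName       = if ($name) { $name[0].Split(':', 2)[1] } else { $null }
        AzureADId         = if ($id)   { $id[0].Split(':', 2)[1] }   else { $null }
        Healthy           = [bool]($name -and $id)
    }

    if (-not $result.Healthy) {
        Write-Warning "SCP exists but keywords are incomplete: $($scp.keywords -join ', ')"
    }
    return $result
}

# Usage: run on a domain-joined admin workstation and inspect the output.
Test-HybridJoinScp | Format-List
```

If Healthy is false, re-run the AAD Connect device options wizard rather than editing the SCP by hand.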

That’s it. The pre-requirements are done and you can continue with the necessary Operating System configuration. If you have down-level devices in your environment, check this link.
References
Configure hybrid Azure Active Directory join for managed domains
Configure hybrid Azure Active Directory join for federated domains
Configure hybrid Azure Active Directory joined devices manually
We did a small project and received a question from a customer: What are the roll back steps in AD Connect? I mean, how to disable Hybrid Azure AD join from the AD Connect perspective? Or are any other steps required?
It’s an opportunistic feature; it doesn’t break anything even if it wouldn’t work properly. It has some relations to your environment configuration, so it’s hard to say the exact steps needed in your scenario. In general, I don’t see many reasons why you should disable HDJ after taking it into use. When it’s in use, end-users benefit a lot from HDJ, and together with Seamless SSO even more (read more below).
But if your customer wants to disable the HDJ feature, you need to run the AAD Connect configuration wizard again, unconfigure everything and verify after the configuration has finished that it has removed the settings correctly, the SCP among other things, depending on your identity type (managed, federated). And last but not least, clients might need changes (depending on whether you are using W10 or downlevel clients).
From the Seamless single sign-on FAQ:
Azure AD Join (Hybrid or AAD Join) provides SSO to users if their devices are registered with Azure AD. These devices don’t necessarily have to be domain-joined. SSO is provided using primary refresh tokens or PRTs, and not Kerberos. The user experience is most optimal on Windows 10 devices. SSO happens automatically on the Edge browser. It also works on Chrome with the use of a browser extension.
You can use both Azure AD Join and Seamless SSO on your tenant. These two features are complementary. If both features are turned on, then SSO from Azure AD Join takes precedence over Seamless SSO.
Hope this helps. If you want to have a conversation or more information about this, please reach out to me at my email samilamppu@hotmail.com.
Best Regards,
Sami