Approximately two years ago I wrote a blog post, “Azure AD – Automatic DRS for Windows Domain joined devices”. At that time the world of cloud was slightly different, and the pace of evolution has been staggering since then.
Nowadays, enabling Hybrid Azure AD Join (HDJ) is a much easier process than it was two years ago. All the necessary tasks can now be executed from Azure AD Connect instead of running multiple PowerShell commands and scripts (even though I like that way more). Of course the manual option is still available.
The benefit of registering devices to Azure AD is that the device identity can be used in the authentication process, for example as a condition in Conditional Access policies (such as requiring a Hybrid Azure AD joined device before access to an application is granted).
As said, this can be done via Azure AD Connect (AADC). First, open AADC and select “Configure device options”.
An information screen opens that shows the options for device configuration.
Authenticate to Azure AD with Global Administrator permissions.
Select the options you want to configure. These are:
- Hybrid Azure AD join – on-prem domain-joined devices are registered automatically to Azure AD
- Device writeback – device objects are written back from Azure AD to on-prem Active Directory
- Disable device writeback – turns the writeback operation off again
Configure the Service Connection Point (SCP):
- Select the correct forest
- Select the authentication service (Azure AD)
- Enter Enterprise Admin credentials – these are needed because the SCP is created in the Configuration naming context of the on-prem AD forest, which is replicated forest-wide and not writable with domain-level admin rights
Select the Operating Systems in use (Windows 10 or later, and/or supported down-level Windows versions).
Open adsiedit.msc from a machine that has the Windows Server administrative tools (RSAT) installed, connect to the Configuration naming context and verify that the “Device Registration Configuration” container has been created under CN=Services. It contains the SCP object itself.
The SCP’s keywords attribute should contain the Azure AD tenant name and tenant ID, in the form azureADName:<verified domain> and azureADId:<tenant ID>.
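For the “manual option” mentioned above and for scripted verification instead of clicking through adsiedit.msc, the following PowerShell does the same thing the AADC wizard does: it creates the SCP under CN=Services in the Configuration naming context and then reads the keywords back and checks them. This is an added example written for this post, not code from Microsoft or from the original post. It assumes the RSAT ActiveDirectory module, that you run it as Enterprise Admin, and that the tenant values in the usage lines at the bottom are placeholders you replace with your own. The function names (Get-HybridJoinScp, New-HybridJoinScp, Test-HybridJoinScp) are mine; the SCP object name 62a0ff2e-97b9-4513-943f-0d221bd30080 is the fixed identifier Azure AD device registration looks for.

```powershell
# Added example (not from the original post): create and verify the Hybrid Azure AD join SCP.
# Requirements: RSAT ActiveDirectory module, run as Enterprise Admin (Configuration NC is forest-wide).
Import-Module ActiveDirectory

# Fixed object name of the SCP that Azure AD device registration looks for.
$ScpName      = '62a0ff2e-97b9-4513-943f-0d221bd30080'
$ContainerName = 'Device Registration Configuration'

function Get-HybridJoinScp {
    # Returns the SCP object with its keywords, or $null when it does not exist yet.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dn = "CN=$ScpName,CN=$ContainerName,CN=Services,$configNC"
    try { Get-ADObject -Identity $dn -Properties keywords -ErrorAction Stop }
    catch { $null }
}

function New-HybridJoinScp {
    param(
        [Parameter(Mandatory)][string]$VerifiedDomain,  # an Azure AD verified domain, e.g. contoso.com
        [Parameter(Mandatory)][string]$TenantId         # Azure AD tenant (directory) ID, a GUID
    )
    # Refuse to continue with a malformed tenant ID; a typo here silently breaks auto-registration.
    $guid = [guid]::Empty
    if (-not [guid]::TryParse($TenantId, [ref]$guid)) { throw "TenantId '$TenantId' is not a GUID" }

    $configNC    = (Get-ADRootDSE).configurationNamingContext
    $servicesDN  = "CN=Services,$configNC"
    $containerDN = "CN=$ContainerName,$servicesDN"

    # Create the container only if it is missing (idempotent re-runs).
    $container = Get-ADObject -LDAPFilter "(cn=$ContainerName)" -SearchBase $servicesDN -SearchScope OneLevel
    if (-not $container) {
        New-ADObject -Name $ContainerName -Type container -Path $servicesDN
    }
    if (Get-HybridJoinScp) { throw "SCP already exists under $containerDN; remove it first if you want to re-create it" }

    # The two keywords are exactly what the wizard writes and what adsiedit.msc should show.
    New-ADObject -Name $ScpName -Type serviceConnectionPoint -Path $containerDN -OtherAttributes @{
        keywords = @("azureADName:$VerifiedDomain", "azureADId:$($guid.Guid)")
    }
    Get-HybridJoinScp
}

function Test-HybridJoinScp {
    param([string]$ExpectedTenantId)   # optional: fail if the SCP points at a different tenant
    $scp = Get-HybridJoinScp
    if (-not $scp) {
        return [pscustomobject]@{ Exists = $false; TenantName = $null; TenantId = $null; Valid = $false; Problems = @('SCP not found') }
    }
    # Parse "key:value" keywords; split on the first colon only so domain values stay intact.
    $kw = @{}
    foreach ($k in $scp.keywords) {
        $name, $value = [string]$k -split ':', 2
        $kw[$name] = $value
    }
    $problems = @()
    if (-not $kw.ContainsKey('azureADName')) { $problems += 'azureADName keyword missing' }
    if (-not $kw.ContainsKey('azureADId'))   { $problems += 'azureADId keyword missing' }
    $guid = [guid]::Empty
    if ($kw.ContainsKey('azureADId') -and -not [guid]::TryParse($kw['azureADId'], [ref]$guid)) {
        $problems += "azureADId '$($kw['azureADId'])' is not a GUID"
    }
    if ($ExpectedTenantId -and $kw['azureADId'] -ne $ExpectedTenantId) {
        $problems += "SCP points at tenant $($kw['azureADId']), expected $ExpectedTenantId"
    }
    [pscustomobject]@{
        Exists     = $true
        TenantName = $kw['azureADName']
        TenantId   = $kw['azureADId']
        Valid      = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Usage (placeholder values, replace with your verified domain and tenant ID):
# New-HybridJoinScp -VerifiedDomain 'contoso.com' -TenantId '00000000-0000-0000-0000-000000000000'
# Test-HybridJoinScp -ExpectedTenantId '00000000-0000-0000-0000-000000000000' | Format-List
```

Test-HybridJoinScp is the part worth keeping around: run it after the wizard (or after a tenant migration) and it tells you whether the SCP exists, which tenant it points at and whether the keywords are well formed, which is exactly what you would otherwise eyeball in adsiedit.msc.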
That’s it. The prerequisites are done and you can continue with the necessary Operating System configuration. If you have down-level devices in your environment, check this link.