Steps to Configure Azure AD Join


We will now discuss the steps to configure hybrid Azure Active Directory join (Azure AD join) for Active Directory domain-joined devices. In this topic, we will learn about the method that supports a managed environment including both on-premises Active Directory and Azure AD.

Just like a user in an organization, a device is a core identity that we want to protect. We can use a device's identity to protect resources at any time and from any location, and we accomplish this by managing device identities in Azure AD. For this, we may use one of the following methods:

  • Azure AD join
  • Hybrid Azure AD join
  • Azure AD registration

This article focuses on hybrid Azure AD join.

Bringing devices to Azure AD maximizes user productivity through single sign-on (SSO) across our cloud and on-premises resources. At the same time, we can secure access to those cloud and on-premises resources with Conditional Access.

We can also deploy a managed environment by using password hash sync (PHS) or pass-through authentication (PTA) with seamless single sign-on. These scenarios do not require us to configure a federation server for authentication.

What are the prerequisites to Configure Azure AD Join?

  • Azure AD Connect (1.1.819.0 or later)
  • Credentials of a global administrator for Azure AD tenant
  • Enterprise administrator credentials for each of the forests

Hybrid Azure AD join requires devices to have access to the following Microsoft resources from inside the organization’s network:

Access to Internet Required
  • If our organization requires access to the internet via an outbound proxy, we can implement Web Proxy Auto-Discovery (WPAD) to enable Windows 10 computers to register devices with Azure AD.
  • If we don't use WPAD, we can configure WinHTTP proxy settings on the computer, beginning with Windows 10 1709.
  • Lastly, if our organization requires access to the internet via an authenticated outbound proxy, we must ensure that our Windows 10 computers can successfully authenticate to the outbound proxy.

Steps to Configure Hybrid Azure AD Join

The steps to configure hybrid Azure AD join by using Azure AD Connect are as follows:

Configure Hybrid Azure AD Join
Source: Microsoft
  • First, start Azure AD Connect, and then select Configure.
  • In Additional tasks, select Configure device options, and then select Next.
  • In Overview, select Next.
  • In Connect to Azure AD, enter the credentials of a global administrator for your Azure AD tenant.
  • In Device options, select Configure Hybrid Azure AD join, and then select Next.
  • In SCP configuration, for each forest where you want Azure AD Connect to configure the service connection point (SCP): select the forest, select an authentication service, and then select Add to enter the enterprise administrator credentials. Then select Next.
  • In Device operating systems, select the operating systems that devices in your Active Directory environment use, and then select Next.
  • In Ready to configure, select Configure.
  • In Configuration complete, select Exit.

Enable Windows down-level devices

If some of our domain-joined devices are Windows down-level devices, we must:

  • Configure the local intranet settings for device registration
  • Configure seamless SSO
  • Install Microsoft Workplace Join for Windows down-level computers

Steps to Configure the local intranet settings

We now describe how to configure the local intranet settings for device registration. To complete hybrid Azure AD join of our Windows down-level devices, and to avoid certificate prompts when devices authenticate to Azure AD, we can push a policy to our domain-joined devices that adds the following URLs to the local intranet zone in Internet Explorer: https://device.login.microsoftonline.com and https://autologon.microsoftazuread-sso.com
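
As an added example (not from the original tutorial or from Microsoft's documentation), the following PowerShell audit checks on a domain-joined device whether both URLs above are assigned to the Local intranet zone (zone 1). It assumes the policy is pushed with the "Site to Zone Assignment List" Group Policy setting, which stores its entries under the ZoneMapKey policy registry key; the function name Get-ZoneAssignment is hypothetical.

```powershell
# Added audit example; Get-ZoneAssignment is a hypothetical helper name.
# Assumption: the URLs are delivered through the "Site to Zone Assignment List"
# Group Policy setting, which writes one registry value per site under ZoneMapKey
# (value name = site, value data = zone number as a string).
$RequiredUrls = @(
    'https://device.login.microsoftonline.com',
    'https://autologon.microsoftazuread-sso.com'
)
$IntranetZone = '1'   # 1 = Local intranet zone
$PolicyKeys = @(
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
)

function Get-ZoneAssignment {
    param([Parameter(Mandatory)][string]$Url)

    foreach ($key in $PolicyKeys) {
        # The key is absent when the policy has not been applied in this hive.
        if (-not (Test-Path -LiteralPath $key)) { continue }

        $entry = (Get-ItemProperty -LiteralPath $key).PSObject.Properties |
            Where-Object { $_.Name.TrimEnd('/') -eq $Url } |
            Select-Object -First 1

        if ($entry) {
            return [pscustomobject]@{
                Url       = $Url
                PolicyKey = $key
                Zone      = [string]$entry.Value
                Compliant = ([string]$entry.Value -eq $IntranetZone)
            }
        }
    }
    # No policy entry found in either hive.
    [pscustomobject]@{ Url = $Url; PolicyKey = $null; Zone = $null; Compliant = $false }
}

$results = $RequiredUrls | ForEach-Object { Get-ZoneAssignment -Url $_ }
$results | Format-Table -AutoSize

if ($results.Compliant -contains $false) {
    Write-Warning 'At least one required URL is not assigned to the Local intranet zone by policy.'
}
```

Run it after Group Policy has refreshed on the device; a missing PolicyKey in the output means the setting has not reached that machine or user.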

Reference: Microsoft Documentation
