Hybrid Azure AD Join with Autopilot - Need clarification

Matt Dillon 1,211 Reputation points
2022-11-30T14:09:16.813+00:00

I set up an Autopilot with Hybrid AAD Join profile along with the Domain Join configuration profile. I follow these steps to get signed in initially:

  1. From the initial Windows 10 screen, I press Shift + F10 and open a command prompt
  2. Switch to PowerShell, set the execution policy, and install Get-WindowsAutopilotInfo
  3. Run Get-WindowsAutopilotInfo with the -Online, -GroupTag hybrid, and -Assign switches (the hybrid group tag adds the device to a security group that the Hybrid AAD Join Autopilot profile is assigned to)
  4. I sign in with my domain creds (or the user does as I add them to a role that allows enrollment)
  5. Autopilot does its thing. I see the new pc in AD and in AAD I see the device listed as Azure AD joined.

We require machine certs that get installed when we use AnyConnect Start Before Logon. I did try signing in with username@keyman but I get a "cannot connect to domain" error. The steps that happen after this are:

  1. Launch Start before logon module and log into the profile we have set up for this.
  2. Sign in to the laptop with domain creds
  3. Run a gpupdate /force to make sure the cert downloads.
  4. Expected apps start installing.
  5. I do run a dsregcmd /status and it does not show a Yes for AzureAD join. The AAD device still reads as Azure AD joined. ???
  6. Reboot once and it takes a while as apps, etc install.

Here is where it gets "messy".

I (or the user) get prompted with an Account error and it requires our login again. I enter the domain account info and DUO info, and then the object in AAD changes from Azure AD joined to Azure AD registered.

There is a good chance my HAADJ setup is not 100%. Gonna take a look at those settings today. We are federated. I end up having a GPO run once these devices connect to VPN that adds the tenant ID and name to the registry. I usually run a dsregcmd /join just to move things along and I then end up with two items in AAD - the original one that was AAD Join that changes to AAD registered and the new HAADJ entry. I cannot delete the original one because it has the purple icon because of autopilot. If I delete the autopilot object, then I lose both entries.

Not sure what the end result of a Hybrid Azure AD Join Autopilot device should look like when all is said and done. I'm guessing the Hybrid AD Join is not set up correctly, as I should be able to sign in with the AAD creds. Am I mistaken?


1 answer

  1. Akshay-MSFT 16,676 Reputation points Microsoft Employee
    2022-12-06T09:18:53.323+00:00

    Hello @Matt Dillon ,

    I was able to review this from Azure AD side.

    Whenever a device gets Hybrid AD joined, the device identity state would show as Azure AD registered and Hybrid Azure AD joined.
    It's just the activity which keeps getting updated for the Hybrid Azure AD joined entry.
    The other entry stays as Azure AD registered (could not be deleted) to keep hold of the object ID created post uploading the hash. This does help in holding the device group membership, as the ZTDID is correlated to this object ID and would not be lost even if the device is being Autopilot reset.


    Once the device is set up as Hybrid AD joined, it will recognize your on-prem credentials. HAADJ endpoints are only "joined" to the on-prem AD domain and thus on-prem AD user credentials must be used. AAD Connect will sync your on-prem AD accounts to Azure AD so it may seem like you are using an AAD account to log in, but you aren't and cannot. Thus, nothing changes about the login requirements for an HAADJ endpoint from a classic on-prem ADJ endpoint. Ref https://learn.microsoft.com/en-us/answers/questions/166093/autopilot-hybrid-join-but-can-users-sign-in-to-azu.html

    Please do let me know if you have any further queries in the comments section.

    Thanks,
    Akshay Kaushik

    Please "Accept the answer", "Upvote" and rate your experience if the suggestion works as per your business need. This will help us and others in the community as well.

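The poster's step 5 reads `dsregcmd /status` by eye and is unsure what a finished Hybrid Azure AD join should look like; the answer describes the expected pair of entries. The following is an added PowerShell example (not from the question, the answer, or Microsoft) that parses the `dsregcmd /status` fields and names the device's join state, so a second check after each reboot is repeatable. It assumes it runs in an elevated session on the device; the sample output below is constructed, not captured from the poster's machine.

```powershell
# Added example: classify a device's join state from `dsregcmd /status`.
# Assumes an elevated PowerShell session on the Windows device being checked.
function Get-DsregState {
    param(
        # Captured output can be passed in for offline review; default runs dsregcmd.
        [string[]]$StatusText = (& dsregcmd.exe /status)
    )
    # dsregcmd prints "Key : Value" lines; keep only the fields that matter here.
    $fields = @{}
    foreach ($line in $StatusText) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|WorkplaceJoined|DomainName|TenantId)\s*:\s*(.+?)\s*$') {
            $fields[$matches[1]] = $matches[2]
        }
    }
    $aad = $fields['AzureAdJoined']   -eq 'YES'
    $dom = $fields['DomainJoined']    -eq 'YES'
    $wpj = $fields['WorkplaceJoined'] -eq 'YES'

    # Device-level join flags decide the state; WorkplaceJoined is the per-user
    # "Azure AD registered" entry the answer says will remain alongside HAADJ.
    $state = if ($aad -and $dom)      { 'Hybrid Azure AD joined' }
             elseif ($aad)            { 'Azure AD joined (cloud only)' }
             elseif ($dom -and $wpj)  { 'Domain joined + Azure AD registered (hybrid join not completed)' }
             elseif ($dom)            { 'Domain joined only (hybrid join not completed)' }
             elseif ($wpj)            { 'Azure AD registered only' }
             else                     { 'Not joined' }

    [pscustomobject]@{
        State           = $state
        AzureAdJoined   = $fields['AzureAdJoined']
        DomainJoined    = $fields['DomainJoined']
        WorkplaceJoined = $fields['WorkplaceJoined']
        DomainName      = $fields['DomainName']
        TenantId        = $fields['TenantId']
    }
}

# Constructed sample resembling the poster's situation: domain joined, a
# registered (workplace) entry present, but AzureAdJoined still NO.
$sample = @(
    '| Device State |',
    '             AzureAdJoined : NO',
    '              DomainJoined : YES',
    '                DomainName : CONTOSO',
    '| User State |',
    '           WorkplaceJoined : YES'
)
Get-DsregState -StatusText $sample   # State: Domain joined + Azure AD registered (...)
# On the real device, simply run: Get-DsregState
```

A completed hybrid join shows `AzureAdJoined : YES` and `DomainJoined : YES` together; if the TenantId field is empty, the device has not yet picked up the tenant registration the poster's GPO writes.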