Setup Hybrid Azure Active Directory and Login For Your Client Machines - NETSEC



Cybersecurity Memo

Saturday, November 6, 2021

Setup Hybrid Azure Active Directory and Login For Your Client Machines

After you have configured your on-prem domain (local AD DS) to sync with Azure Active Directory (AAD), the next step is to decide which directory your clients log in with: local AD only, Azure AD only, or both.

By default, after you complete your AD Connect setup as instructed in the previous post "Set Up On-Prem Domain For Identity Synchronization With Azure AD (AAD)", you will not be in Hybrid mode, which means you can only choose either local AD or AAD to log in, but not both, as the screenshot below shows:

In this post, I am going to show you the steps to enable this Hybrid AD login for your client machines.

More details can be found in the Microsoft doc: Tutorial: Configure hybrid Azure Active Directory join for managed domains

Basically, if you have an on-premises Active Directory (AD) environment and you want to join your AD domain-joined computers to Azure AD, you can accomplish this with hybrid Azure AD join.


This assumes the AD Connect configuration has been completed and a user is able to log in with an AAD account.

The following post shows all the steps to configure the on-prem domain to sync with AAD.

Once Hybrid mode has been enabled, if your machine has not been joined to the local AD, you should be able to join it directly to AAD, as shown in the following screenshot:

If the machine has already joined the domain, you might want to disjoin it from the local AD first, then join it to AAD. Vice versa for a machine already joined to AAD: disconnect it from AAD before joining it to the local AD. Do not have both joined at the same time while hybrid mode is not enabled.

Enable Hybrid Mode

To configure a hybrid Azure AD join by using Azure AD Connect:

  1. Start Azure AD Connect, and then select Configure.

  2. In Additional tasks, select Configure device options, and then select Next. This will configure device registration (Hybrid Azure AD join) and synchronization (device writeback).

    Additional tasks

  3. In Overview, select Next.

  4. In Connect to Azure AD, enter the credentials of a global administrator for your Azure AD tenant.

  5. In Device options, select Configure Hybrid Azure AD join, and then select Next.

    Device options

  6. In Device operating systems, select the operating systems that devices in your Active Directory environment use, and then select Next. Usually you choose Windows 10 or later. If you have Windows 8 or Windows 7 machines, you will need to select both options.

    Device operating system

  7. In SCP (Service Connection Point) configuration, for each forest where you want Azure AD Connect to configure the SCP, complete the following steps, and then select Next.

    1. Select the Forest.
    2. Select an Authentication Service, which usually is Azure AD.
    3. Select Add to enter the enterprise administrator credentials.


  8. In Ready to configure, select Configure.

  9. In Configuration complete, select Exit.
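Step 7 creates a Service Connection Point (SCP) in the forest's Configuration partition, and client registration silently follows whatever tenant that SCP names. The following PowerShell, added here as an example and not part of the original post or of Azure AD Connect, reads the SCP back after the wizard finishes so you can confirm it exists and points at the tenant you expect. It assumes the ActiveDirectory (RSAT) module is installed and that you run it on a domain-joined machine; the container GUID is the well-known name Microsoft documents for the device registration SCP.

```powershell
# Added example (not from the original post): verify the Service Connection
# Point (SCP) that Azure AD Connect creates for hybrid Azure AD join.
# Assumes the ActiveDirectory module is available and the current domain is
# in the forest that was configured. The container GUID is the well-known
# SCP name from Microsoft's hybrid join documentation.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$scpDn = "CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,$configNC"

try {
    $scp = Get-ADObject -Identity $scpDn -Properties keywords -ErrorAction Stop
} catch {
    Write-Warning "SCP not found at $scpDn. Hybrid join has not been configured for this forest."
    return
}

# The keywords attribute carries the tenant name and tenant ID that
# domain-joined devices will register against.
$tenantName = ($scp.keywords | Where-Object { $_ -like 'azureADName:*' }) -replace '^azureADName:', ''
$tenantId   = ($scp.keywords | Where-Object { $_ -like 'azureADId:*' })   -replace '^azureADId:', ''

[pscustomobject]@{
    ScpDn      = $scpDn
    TenantName = $tenantName
    TenantId   = $tenantId
}
```

Compare the returned TenantId with the tenant ID shown in the Azure portal; an SCP that names a different tenant would register your devices elsewhere, so this is worth checking once after setup and again whenever AD Connect is reconfigured.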

Get the Machine Joined to AAD and Local AD

No matter whether your machine has joined AAD, local AD, or neither of them, you can get it to join both and use either of them to log in.

After joining both, you can switch between the two login methods to log into your machine.

If the accounts are the same user, you will use the same profile after logging in. If they are different users, they will use different profiles.


Cannot run Azure AD Connect because the Sync Service is not running.

Cannot proceed because the Sync Service is not running. Start the 'ADSync' service and restart the AADConnect wizard to continue.

In my case the Microsoft Azure AD Sync service was not started. You can see that from the service status. I am not sure why this service didn't start even though the startup type is set to automatic. Right-click the Azure AD Sync service and click Start.

Sometimes the issue might be related to the sync accounts. You can reset the accounts using the "Synchronization Service" program from the "Azure AD Connect" program group:

If you find one of your connectors showing failed authentication, then something is wrong with the account used to sign in to that directory service.
Right-click the problem connector and choose Properties:

You can change that account configuration and re-enter a new username / password.

Verification for Hybrid Join

Locally on the device

  1. Open Windows PowerShell.
  2. Enter dsregcmd /status.
  3. Verify that both AzureAdJoined and DomainJoined are set to YES.
  4. You can use the DeviceId and compare the status on the service using either the Azure portal or PowerShell.
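The dsregcmd /status output is a long list of "Key : Value" lines, so checking it by eye on many machines gets tedious. The script below is an added example, not from the original post or from Microsoft, that parses that output into an object, flags a device that is not fully hybrid joined, and optionally looks the DeviceId up in Azure AD as step 4 suggests. It assumes it runs on the client as the logged-on user and, for the cloud-side check, that the AzureAD PowerShell module is installed and Connect-AzureAD has already been run.

```powershell
# Added example (not from the original post): parse dsregcmd /status into an
# object so the hybrid join state can be checked in a script, then compare
# the local DeviceId with the device object in Azure AD.
# Assumes: run on the client; AzureAD module + Connect-AzureAD for the
# optional cloud check.
function Get-HybridJoinState {
    $raw = & dsregcmd.exe /status
    $state = @{}
    foreach ($line in $raw) {
        # dsregcmd prints lines such as "   AzureAdJoined : YES"
        if ($line -match '^\s*([A-Za-z0-9_-]+)\s*:\s*(.*?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    [pscustomobject]@{
        AzureAdJoined  = $state['AzureAdJoined']
        DomainJoined   = $state['DomainJoined']
        DeviceId       = $state['DeviceId']
        TenantName     = $state['TenantName']
        # Hybrid join means both flags are YES at the same time.
        IsHybridJoined = ($state['AzureAdJoined'] -eq 'YES' -and $state['DomainJoined'] -eq 'YES')
    }
}

$local = Get-HybridJoinState
$local

if (-not $local.IsHybridJoined) {
    Write-Warning "Device is not hybrid joined: AzureAdJoined=$($local.AzureAdJoined) DomainJoined=$($local.DomainJoined)"
}

# Optional cloud-side comparison (step 4): the device ID reported locally
# should match a device object in the tenant.
if ($local.DeviceId -and (Get-Module -ListAvailable -Name AzureAD)) {
    $cloud = Get-AzureADDevice -Filter "deviceId eq '$($local.DeviceId)'"
    if ($null -eq $cloud) {
        Write-Warning "No Azure AD device found for DeviceId $($local.DeviceId); the computer object may not have been synced yet."
    } else {
        $cloud | Select-Object DisplayName, DeviceId, DeviceTrustType, AccountEnabled
    }
}
```

A device that reports AzureAdJoined : YES locally but has no matching object in the tenant (or one with AccountEnabled set to false) is the case to investigate first, since the client will keep failing token requests until the two sides agree.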

AzureAdJoined cmd

If your machine has already joined AAD, you might need to disconnect it from AAD and join the local AD first.

If you experience an issue joining a machine to AAD with the Hybrid Azure AD Join configuration, it is mostly because you have not synced the computer object to the AAD environment yet.

Error message:

The get join response operation callback failed with exit code: Unknown HResult Error code: 0x801c03f3. 

Activity Id: 070db31a-28ab-4343-b4d6-17e6b772eb8c 

The server returned HTTP status: 400 

Server response was: {"code":"invalid_request","subcode":"error_missing_device","message":"The device object by the given id (3b0b3d5d-65bb-47ca-82f7-23f6bc32948a) is not found.","operation":"DeviceRenew","requestid":"070db31a-28ab-4343-b4d6-17e6b772eb8c","time":"03-26-2022 21:00:10Z"}
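The error_missing_device response above means Azure AD has no device object for the ID the client presented, which is exactly what happens when the on-prem computer object has not been synced yet. The script below, an added example that is not part of the original post or of Azure AD Connect, walks the checks for both troubleshooting sections: it makes sure the ADSync service is running (the wizard error earlier in this post), confirms the computer object exists on-prem and has completed its local registration, forces a delta sync cycle, and then looks for the device in the tenant. It is meant to run on the Azure AD Connect server and assumes the ActiveDirectory and ADSync modules are present, that Connect-AzureAD has been run, and that the computer name is a placeholder you replace.

```powershell
# Added example (not from the original post): on the Azure AD Connect server,
# remediate "error_missing_device" by checking the sync service, the on-prem
# computer object, and pushing a delta sync before re-checking Azure AD.
# Assumes the ActiveDirectory and ADSync modules and an existing
# Connect-AzureAD session. $computerName is a placeholder.
$computerName = 'CLIENT01'   # placeholder: the machine that failed to join

# 1. The AD Connect wizard refuses to start while 'ADSync' is stopped.
$svc = Get-Service -Name ADSync
if ($svc.Status -ne 'Running') {
    Write-Warning "ADSync service is $($svc.Status); starting it."
    Start-Service -Name ADSync
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
}

# 2. The on-prem computer object must exist and be in scope of the sync.
#    userCertificate is populated by the device's own registration step;
#    if it is empty the client has not finished its local part yet.
Import-Module ActiveDirectory
$computer = Get-ADComputer -Identity $computerName -Properties userCertificate, distinguishedName
"On-prem object: $($computer.distinguishedName)"
if (-not $computer.userCertificate) {
    Write-Warning "$computerName has no userCertificate yet; the device has not completed local registration."
}

# 3. Run a delta sync so the computer object is exported to Azure AD, and
#    wait for the cycle to finish before checking the cloud side.
Import-Module ADSync
if (-not (Get-ADSyncScheduler).SyncCycleInProgress) {
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
}
do {
    Start-Sleep -Seconds 10
} while ((Get-ADSyncScheduler).SyncCycleInProgress)

# 4. The device object should now exist in the tenant. Cross-check the
#    DeviceId against dsregcmd /status on the client as well.
$cloud = Get-AzureADDevice -SearchString $computerName
if ($null -eq $cloud) {
    Write-Warning "$computerName is still missing in Azure AD; check the OU filtering in Azure AD Connect."
} else {
    $cloud | Select-Object DisplayName, DeviceId, DeviceTrustType, ApproximateLastLogonTimeStamp
}
```

If the object never appears after the delta cycle, the usual cause is that the computer's OU is excluded by the domain/OU filtering configured in Azure AD Connect, which is the setting to review next.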

