In part 1 of this series on setting up Hybrid Azure AD Join without ADFS, we talked about Hybrid Azure AD, the prerequisites, and how to configure the device options.
In part 2 we will see how to configure the second prerequisite, i.e. enabling Seamless Single Sign-On through Azure AD Connect, which completes the steps required for devices to become Hybrid Azure AD joined.
Azure Active Directory (Azure AD) Seamless Single Sign-On (Seamless SSO) automatically signs users in when they are on their corporate desktops connected to your corporate network.
Seamless SSO provides your users with easy access to your cloud-based applications without needing any additional on-premises components.
Run Azure AD Connect again and this time, on the Additional tasks page, choose Change user sign-in.
On the Connect to Azure AD page, enter the credentials of a global administrator for your Azure AD tenant.
On the User sign-in page, choose Enable single sign-on (leave the rest of the options at their defaults) and click Next.
You will be prompted to enter domain admin credentials; once they are accepted, a green tick mark is shown.
On the Ready to configure page, click Configure.
You will see Configuration complete.
Once you exit, go to Active Directory Users and Computers; in the Computers OU you will see a computer object named AZUREADSSOACC created in each AD forest.
Seamless SSO creates this computer account (which represents Azure AD) in your on-premises Active Directory (AD) in each AD forest. This computer account is needed for the feature to work. Move the AZUREADSSOACC computer account to an Organizational Unit (OU) where other computer accounts are stored to ensure that it is managed in the same way and is not deleted.
Its Kerberos decryption key is what lets Azure AD validate the SSO tickets, so protect this account like any other privileged object and roll its Kerberos key over regularly (Microsoft recommends at least every 30 days).
Follow these instructions to verify that you have enabled Seamless SSO correctly:
- Sign in to the Azure Active Directory administrative center with the global administrator credentials for your tenant.
- Select Azure Active Directory in the left pane.
- Select Azure AD Connect.
- Verify that the Seamless single sign-on feature appears as Enabled.
Since we have Windows 7 devices in the domain, we need to make some changes in Azure AD to allow Windows down-level devices to register.
In the Azure portal, you can find this setting under:
Azure Active Directory > Devices > Device settings
The following policy must be set to All: Users may register their devices with Azure AD
Configure the local intranet settings for device registration
To successfully complete hybrid Azure AD join of your Windows down-level devices (Windows 7), and to avoid certificate prompts when devices authenticate to Azure AD, push a policy to your domain-joined devices that adds the following URLs to the Local Intranet zone in Internet Explorer:
https://device.login.microsoftonline.com
https://autologon.microsoftazuread-sso.com
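As an added example (not from the original post), this PowerShell script writes the same registry values that the "Site to Zone Assignment List" GPO writes, so the two URLs land in the Local Intranet zone for every user of the device, and then verifies them; it assumes it runs elevated, for instance as a computer startup script.

```powershell
# Added example, not from the original post: the registry form of the
# "Site to Zone Assignment List" policy that a GPO pushes, placing the two
# device-registration URLs in IE's Local Intranet zone (zone 1) machine-wide.
# Assumption: run elevated, e.g. as a computer startup script.
$policyRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$zoneMapKey    = Join-Path $policyRoot 'ZoneMapKey'
$localIntranet = '1'   # 0=My Computer 1=Local Intranet 2=Trusted 3=Internet 4=Restricted
$urls = @(
    'https://device.login.microsoftonline.com',
    'https://autologon.microsoftazuread-sso.com'
)

function Set-IntranetZoneUrl {
    param([string]$Url)
    if (-not (Test-Path $zoneMapKey)) { New-Item -Path $zoneMapKey -Force | Out-Null }
    # This DWORD tells IE to honour the policy-defined zone list at all.
    New-ItemProperty -Path $policyRoot -Name 'ListBox_Support_ZoneMapKey' -Value 1 -PropertyType DWord -Force | Out-Null
    # One REG_SZ value per site: the value name is the URL, the data is the zone number.
    New-ItemProperty -Path $zoneMapKey -Name $Url -Value $localIntranet -PropertyType String -Force | Out-Null
}

function Test-IntranetZoneUrl {
    param([string]$Url)
    # Read the value back so the startup script reports a real result, not just intent.
    $v = Get-ItemProperty -Path $zoneMapKey -Name $Url -ErrorAction SilentlyContinue
    return ($null -ne $v) -and ($v.$Url -eq $localIntranet)
}

foreach ($u in $urls) {
    Set-IntranetZoneUrl -Url $u
    '{0} in Local Intranet zone: {1}' -f $u, (Test-IntranetZoneUrl -Url $u)
}
```

Once the policy list exists, users can no longer edit the zone assignments themselves, which is the behaviour you want on managed devices.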
With this, we have completed the setup for Hybrid Azure AD join.
End user results:
Now we will test hybrid Azure AD join on both Windows 10 and Windows 7.
On Windows 7:
For Windows 7, to do hybrid Azure AD join you need Microsoft Workplace Join, which you can download from https://www.microsoft.com/en-us/download/details.aspx?id=53554 .
This small utility can be deployed from SCCM or installed manually.
Install Workplace Join; once it is installed, a scheduled task is created that runs every time a user logs in to the PC.
For now, open cmd and change the directory to “C:\Program Files\Microsoft Workplace Join”
Run AutoWorkplace.exe /i
It will take a few seconds to find the DRS service and get the device registered in Azure AD. The following screen shows hybrid Azure AD join successful.
If you go to the Azure AD portal, under Devices, you will see this device listed there.
If you hit any issues here, look in Event Viewer for errors under Log Name: Microsoft-Workplace Join/Admin
If hybrid Azure AD join is successful, you will see the following entry with event ID 201:
Workplace join operation succeeded. Activity Id: 00000000-0000-0000-0000-000000000000
Registration Service URI: https://enterpriseregistration.windows.net/EnrollmentServer/DeviceEnrollmentWebService.svc
I have blog posts on troubleshooting Workplace Join issues: http://eskonr.com/2018/06/office-365-connectivity-issues-an-error-occurred-when-trying-to-join-your-device-to-your-organisation-workplace/ and http://eskonr.com/2018/06/workplace-join-hybrid-azure-ad-join-for-windows-failed-with-error-code-unknown/
Windows 10:
For Windows 10 there is no Workplace Join or any other tool needed for hybrid Azure AD join; it is built into Windows 10.
If these Windows 10 devices go through a proxy to reach the internet, you need a startup script with the proxy configuration, because hybrid Azure AD join runs under the SYSTEM account during computer startup.
Below is a simple batch script that can be configured through GPO as a startup script:
netsh winhttp set Proxy <your proxy server IP>:8080 bypass-list="*.apac.eskonr.com,*.group.local"
When you configure the proxy, make sure you can telnet to the proxy port from the Windows 10 device; otherwise hybrid Azure AD join won't work.
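As an added example (not from the original post), here is a PowerShell startup script that does what the batch one-liner above does and then performs the "can I telnet to the port" check before the registration task runs as SYSTEM; the proxy address is a placeholder, the bypass list reuses the post's example names, and Test-NetConnection is assumed available (Windows 8.1/10 and later).

```powershell
# Added example, not from the original post: set the WinHTTP proxy used by the
# SYSTEM-context device registration task, then verify the proxy port is reachable.
# Assumptions: proxy address is a placeholder; bypass names are the post's examples.
$proxyHost  = 'PROXY_IP_PLACEHOLDER'               # replace with your proxy server IP or name
$proxyPort  = 8080
$bypassList = '*.apac.eskonr.com;*.group.local'    # WinHTTP bypass entries are semicolon-separated

function Set-SystemProxy {
    param([string]$ProxyHost, [int]$ProxyPort, [string]$Bypass)
    # Device registration runs as SYSTEM, so the WinHTTP proxy (not the logged-on
    # user's Internet Options proxy) is the one that must be configured.
    netsh winhttp set proxy proxy-server="$ProxyHost`:$ProxyPort" bypass-list="$Bypass" | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Test-ProxyPort {
    param([string]$ProxyHost, [int]$ProxyPort)
    # Equivalent of "telnet <proxy> 8080": true only if the TCP handshake completes.
    $r = Test-NetConnection -ComputerName $ProxyHost -Port $ProxyPort -WarningAction SilentlyContinue
    return [bool]$r.TcpTestSucceeded
}

if (-not (Set-SystemProxy -ProxyHost $proxyHost -ProxyPort $proxyPort -Bypass $bypassList)) {
    Write-Warning 'netsh winhttp set proxy failed'
    exit 1
}
if (-not (Test-ProxyPort -ProxyHost $proxyHost -ProxyPort $proxyPort)) {
    # Without a path to the proxy the join phase fails with a WinHTTP error such as
    # 0x80072ee7 (name not resolved) in the User Device Registration/Admin log.
    Write-Warning "Cannot reach $proxyHost on TCP $proxyPort; hybrid Azure AD join will not work"
    exit 1
}
# Show the effective SYSTEM proxy so the startup-script log records what was applied.
netsh winhttp show proxy
```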
If you do not have a proxy (as in my lab), just reboot the Windows 10 device.
After the reboot, open cmd and type dsregcmd /status
If hybrid Azure AD join is successful, you will see results like below with AzureADJoin=Yes
If you do not see the above results, troubleshooting is required.
How do we troubleshoot, and where are the logs?
Check the logs in Event Viewer under:
Microsoft->Windows->User Device Registration/Admin
Before the Windows 10 Device Reboot:
Automatic registration failed at join phase. Exit code: Unknown HResult Error code: 0x80072ee7. Server error: empty. Debug Output:\r\n joinMode: Join
drsInstance: azure
registrationType: sync
tenantType: managed
tenantId: 3992590e-6f9b-4aa1-aa9f-d7717c111b07
configLocation: undefined
errorPhase: join
adalCorrelationId: undefined
adalLog:
undefined
adalResponseCode: 0x0
After the Windows 10 device reboot, here is the status:
Windows Hello for Business provisioning will be launched.
Device is AAD joined ( AADJ or DJ++ ): Yes
User has logged on with AAD credentials: Yes
Windows Hello for Business policy is enabled: Yes
Local computer meets Windows hello for business hardware requirements: Yes
User is not connected to the machine via Remote Desktop: Yes
User certificate for on premise auth policy is enabled: No
Machine is governed by none policy.
See https://go.microsoft.com/fwlink/?linkid=832647 for more details.
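As an added example (not part of the original post), the following PowerShell helper automates the two checks just described: it parses dsregcmd /status into a hashtable and tests the join flags, and it pulls recent errors from the device-registration event log with the HRESULT (such as the 0x80072ee7 above) extracted from each message; the function names are my own and nothing here changes the device.

```powershell
# Added example, not part of the original post: read-only troubleshooting helper
# for the dsregcmd /status and event-log checks described above.
function Get-DsregStatus {
    # dsregcmd prints "Key : Value" lines; only the first colon on a line splits
    # key from value, so URLs in the values keep their colons.
    $status = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*([^:]+?)\s*:\s*(.+?)\s*$') { $status[$matches[1]] = $matches[2] }
    }
    return $status
}

function Test-HybridJoined {
    param([hashtable]$Status = (Get-DsregStatus))
    # Match on the prefix so the check works whether the build prints the flag as
    # "AzureADJoin" or "AzureAdJoined"; hybrid join needs both flags to be YES.
    $azKey = $Status.Keys | Where-Object { $_ -match '^AzureAdJoin' } | Select-Object -First 1
    $adKey = $Status.Keys | Where-Object { $_ -match '^DomainJoin' }  | Select-Object -First 1
    return [bool]($azKey -and $Status[$azKey] -match '^Yes$' -and
                  $adKey -and $Status[$adKey] -match '^Yes$')
}

function Get-DeviceRegistrationErrors {
    param(
        # Windows 10 log from the post; on Windows 7 use 'Microsoft-Workplace Join/Admin'
        # (where event ID 201 is the success entry).
        [string]$LogName = 'Microsoft-Windows-User Device Registration/Admin',
        [int]$MaxEvents = 20
    )
    # Level 2 = Error. Pull the HRESULT out of the message so failures can be grouped.
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Level = 2 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hr = if ($_.Message -match '0x[0-9A-Fa-f]{8}') { $matches[0] } else { 'n/a' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                HResult = $hr
                Summary = ($_.Message -split "`r?`n")[0]
            }
        }
}

$s = Get-DsregStatus
if (Test-HybridJoined -Status $s) { 'Hybrid Azure AD join: OK' }
else { 'Not joined yet; recent registration errors:'; Get-DeviceRegistrationErrors | Format-Table -AutoSize }
```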
If you are using a proxy and still have issues, you will have to install Microsoft Network Monitor and Fiddler to trace what's going on. This is more advanced troubleshooting and I am not covering it here.
If you go back to the Azure AD portal and click Azure Active Directory –> Devices –> All devices, you will see Join Type ‘Hybrid Azure AD Join’.
Once you have this completed, you can start working with Conditional Access policies using the access control ‘Require Hybrid Azure AD Joined Device’ as shown below.
Hope you enjoyed reading these guides on how to set up Hybrid Azure AD join without ADFS.
You are now ready to start configuring Co-management in ConfigMgr 1710 and above. For more information on Co-management, please refer to https://docs.microsoft.com/en-us/sccm/core/clients/manage/co-management-overview
Reference guides:
https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-managed-domains
https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso-faq