6.1.2 Setting Up Automatic Hybrid Azure AD Join for Windows Devices

Prerequisites for Automatic Hybrid Azure AD Join

Before implementing hybrid Azure AD join, ensure that your environment meets the following requirements:

  • Access Manager 4.5 Service Pack 1 or later is installed.

  • The federation is established between Access Manager and Office 365 domain with appropriate subscriptions. See Configuring Single Sign-On for Office 365 Services.

  • (Optional) Set up SSO from iOS apps to Office 365 services. For more information, see the Knowledge Base article.

  • Azure AD Connect is set up for Active Directory synchronization with Azure AD.

Preparing Azure AD for Automatic Hybrid Azure AD Join

Perform the following tasks to prepare Azure AD for automatic hybrid Azure AD join:

Installing Azure AD Connect

Install and configure Azure AD Connect on the Windows Server that you want to make the sync server.

  1. Download AzureADConnect.msi.

  2. Launch AzureADConnect.msi.

  3. Click Customize > Install.

  4. After the required components are installed, the User sign-in page appears. Select Do not configure.

    NOTE: If Azure AD Connect is already installed, you can configure it in Azure AD Connect by clicking Change user sign-in > Next.

  5. On the Connect to Azure AD page, specify your Azure AD global admin account and password.

  6. On the Sync > Connect Directories > Connect to your Active Directory Domain Service page, perform the following actions:

    1. In DIRECTORY TYPE, select Active Directory.

    2. In FOREST, specify the name of the forest.

    3. Click Add Directory.

    4. Select Use existing account.

    5. Specify the Active Directory Domain Services (AD DS) enterprise administrator credentials.

    6. Click Next.

  7. On the Sync > Azure AD sign-in > Azure AD sign-in configuration page, select Continue without matching all UPN suffixes to verified domains.

  8. On the Configure > Ready to configure page, select Start the synchronization process as soon as the configuration completes.

  9. Click Install.

For detailed information about how to install and configure it, see Custom installation of Azure AD Connect.

Configuring Device Options

  1. Run Azure AD Connect.

  2. Under Tasks, select Configure device options.

  3. Click Next.

  4. Specify your Azure AD global administrator credentials.

  5. Select Configure Hybrid Azure AD join.

  6. Click Next.

  7. On the Device operating systems page, select the following options:

    • Windows 10 or later domain-joined devices

    • Supported Windows downlevel domain joined devices

  8. Click Next.

  9. On the SCP page, perform the following steps to configure the service connection point for each forest:

    1. Select the forest.

    2. Select the authentication service.

    3. Click Add and specify the enterprise administrator credentials.

  10. Click Next.

  11. On the Ready to configure page, click Configure.

Configuring Enterpriseregistration CNAME on your DNS server

For information about how to configure Enterpriseregistration CNAME, see Create DNS records for Office 365 using Windows-based DNS.
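A domain-joined device discovers its tenant from two things the steps above create: the service connection point (SCP) that Configure device options writes into the forest's configuration partition, and the enterpriseregistration CNAME. The following PowerShell is an added example, not code from the original page, from Access Manager or from Azure AD Connect, that reads the SCP back and checks that the CNAME for the tenant domain it names points at enterpriseregistration.windows.net. It assumes a domain-joined Windows machine with the ActiveDirectory and DnsClient modules; the fixed GUID object name and the azureADName/azureADId keyword format are the ones Azure AD Connect writes.

```powershell
# Added example (not from the original page): verify the SCP and the
# enterpriseregistration CNAME that hybrid Azure AD join depends on.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
# Azure AD Connect writes the SCP under this fixed, GUID-named object in the
# Device Registration Configuration container of the configuration partition.
$scpDn = "CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,$configNC"

$scp = Get-ADObject -Identity $scpDn -Properties keywords -ErrorAction Stop

# The SCP carries the tenant as two "keywords" values: azureADName:<verified domain>
# and azureADId:<tenant GUID>. Strip the prefixes to get the raw values.
$tenantName = ($scp.keywords | Where-Object { $_ -like 'azureADName:*' }) -replace '^azureADName:', ''
$tenantId   = ($scp.keywords | Where-Object { $_ -like 'azureADId:*' })   -replace '^azureADId:', ''
if (-not $tenantName -or -not $tenantId) {
    throw "SCP $scpDn exists but is missing the azureADName or azureADId keyword"
}
"SCP: tenant $tenantName ($tenantId)"

# Devices resolve enterpriseregistration.<tenant domain> to locate the registration
# service; for Office 365 it must be a CNAME to enterpriseregistration.windows.net.
$records = Resolve-DnsName -Name "enterpriseregistration.$tenantName" -Type CNAME -ErrorAction Stop
$target  = ($records | Where-Object { $_.Type -eq 'CNAME' }).NameHost
if ($target -ne 'enterpriseregistration.windows.net') {
    throw "enterpriseregistration.$tenantName resolves to '$target', expected enterpriseregistration.windows.net"
}
"DNS: enterpriseregistration.$tenantName -> $target"
```

Run it on a domain member, not only on the sync server: Resolve-DnsName then exercises the same resolver path the devices will use, so a record that exists only on the external DNS provider shows up as a failure here.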

Enabling Devices to be Registered with Azure AD

  1. Log in to the Azure portal as an administrator.

  2. In the left pane, select Active Directory.

  3. Under Manage, click Devices > Device Settings.

  4. Select All for the Users may register their devices with Azure AD policy.

    For more information, see How to manage devices using the Azure Portal.

Configuring Access Manager for Automatic Hybrid Azure AD Join

  1. Configure an Active Directory user store if the existing Active Directory user store’s search context does not contain the DN of the computers container.

    1. Click Devices > Identity Servers > Edit > Local > User Stores.

    2. Click New.

    3. Specify the user store’s IP address and credentials, the replica details, and add the search context in which the domain-joined computers exist. For example, CN=computers, DC=cloudtest, DC=info.

      For more information about configuring a user store, see Configuring Identity User Stores.

  2. Create a Kerberos class. See Creating the Authentication Class, Method, and Contract.

  3. Create a Kerberos method for the existing Kerberos class.

    1. Click Devices > Identity Servers > Edit > Local > Methods.

    2. Click New.

    3. Specify a name, select the Kerberos class, and then select the user store created in Step 1.

    4. Click OK.

  4. Configure WS-Trust STS.

    1. Click Devices > Identity Servers > Edit > WS-Trust > STS Configuration.

    2. Under Authentication Methods, move the Kerberos method created in Step 3 from Available Authentication Methods to Selected Authentication Methods.

    3. Click OK.

  5. Edit the following file:

    On Linux: /opt/novell/nam/idp/webapps/nidp/WEB-INF/web.xml

    On Windows: C:\Program Files\Novell\Tomcat\webapps\nidp\WEB-INF\web.xml

  6. Add the NetIQSTS12MEX Servlet with the following details:

    <servlet>
      <servlet-name>NetIQSTS12MEX</servlet-name>
      <jsp-file>/jsp/mex.jsp</jsp-file>
      <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
      <servlet-name>NetIQSTS12MEX</servlet-name>
      <url-pattern>/wstrust/sts/mex</url-pattern>
    </servlet-mapping>

    NOTE: Ensure that you comment out the following existing servlet mapping. Otherwise two servlets are mapped to the same url-pattern, which the servlet container rejects when it deploys the nidp application:

    <!--
    <servlet-mapping>
      <servlet-name>NetIQSTS</servlet-name>
      <url-pattern>/wstrust/sts/mex</url-pattern>
    </servlet-mapping>
    -->

  7. Restart Identity Server.
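The web.xml edit in Step 6 is easy to get half right: the new mapping is added but the old NetIQSTS mapping is left active, or the file is edited on a node that was never restarted. The following PowerShell is an added example, not code from the original page or from Access Manager, that checks both: it parses web.xml for active (uncommented) mappings of /wstrust/sts/mex and then requests the MEX endpoint from the running Identity Server. It assumes the Windows file path given in Step 5 and a placeholder Identity Server host name; on Linux, substitute the /opt/novell/nam path.

```powershell
# Added example (not from the original page): validate the NetIQSTS12MEX servlet
# mapping in web.xml and confirm the MEX endpoint answers after the restart.
$webXml  = 'C:\Program Files\Novell\Tomcat\webapps\nidp\WEB-INF\web.xml'   # Windows path from Step 5
$idpHost = 'idp.cloudtest.info'   # placeholder: base DNS name of the Identity Server

# XML comments are not element nodes, so a mapping inside <!-- --> does not appear here;
# only mappings that Tomcat would actually honour are counted.
[xml]$doc = Get-Content -Path $webXml -Raw
$mappings = @($doc.'web-app'.'servlet-mapping' | Where-Object { $_.'url-pattern' -eq '/wstrust/sts/mex' })

if ($mappings.Count -ne 1) {
    throw "Expected exactly one active mapping for /wstrust/sts/mex, found $($mappings.Count): $($mappings.'servlet-name' -join ', ')"
}
if ($mappings[0].'servlet-name' -ne 'NetIQSTS12MEX') {
    throw "/wstrust/sts/mex is mapped to '$($mappings[0].'servlet-name')', expected NetIQSTS12MEX"
}
"web.xml: /wstrust/sts/mex -> NetIQSTS12MEX (old NetIQSTS mapping is inactive)"

# The servlet declaration must exist too, or Tomcat fails to start the application.
$servlet = $doc.'web-app'.servlet | Where-Object { $_.'servlet-name' -eq 'NetIQSTS12MEX' }
if (-not $servlet -or $servlet.'jsp-file' -ne '/jsp/mex.jsp') {
    throw "Servlet NetIQSTS12MEX is not declared with jsp-file /jsp/mex.jsp"
}

# After the restart, the endpoint should return a WS-MetadataExchange document, i.e. well-formed XML.
$resp = Invoke-WebRequest -Uri "https://$idpHost/nidp/wstrust/sts/mex" -UseBasicParsing -ErrorAction Stop
if ($resp.StatusCode -ne 200) { throw "MEX endpoint returned HTTP $($resp.StatusCode)" }
try {
    [xml]$mex = $resp.Content
} catch {
    throw "MEX endpoint returned a non-XML body (first 200 chars): $($resp.Content.Substring(0, [Math]::Min(200, $resp.Content.Length)))"
}
"MEX endpoint OK: root element <$($mex.DocumentElement.LocalName)>, $($resp.Content.Length) bytes"
```

Run the web.xml part on every Identity Server node in the cluster, because the file is edited per node and a single node with the stale NetIQSTS mapping will fail to deploy after its restart.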

Validating Hybrid Azure AD Join

You can control which devices join Azure AD automatically by using a Group Policy. To do so, perform the steps in Controlled validation of hybrid Azure AD join.

When you complete these steps, domain-joined devices are automatically registered with Azure AD. The registration completes after the device restarts.

Verifying Device Registration Status

Verifying the Status on a Windows Device

Perform the following steps on the Windows 10 device to check the device registration status:

  1. Open a Windows PowerShell prompt.

  2. Run the following command:

    dsregcmd.exe /status

  3. Verify that the following parameters have the corresponding values:

    Parameters under Device State

    • AzureAdJoined: YES

    • DomainJoined: YES

    Parameters under User State

    • WorkplaceJoined: NO

    • WamDefaultSet: YES

    Parameter under SSO State

    • AzureAdPrt: YES
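Reading dsregcmd output by eye works for one machine; for a rollout it helps to parse it. The following PowerShell is an added example, not code from the original page or from Microsoft, that turns the "Key : Value" rows of dsregcmd /status into a hashtable and compares the five parameters listed above against their expected values. It assumes the row layout dsregcmd prints; the embedded sample output is constructed for an offline dry run, and the commented live call is what you run on a real device.

```powershell
# Added example (not from the original page): check dsregcmd /status for the
# values a hybrid Azure AD joined device is expected to show.
$expected = @{
    AzureAdJoined   = 'YES'
    DomainJoined    = 'YES'
    WorkplaceJoined = 'NO'
    WamDefaultSet   = 'YES'
    AzureAdPrt      = 'YES'
}

function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $status = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints "   Key : Value" rows; section banners and +---+ rules have no
        # single-word key before a colon and are skipped.
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Test-HybridJoinStatus {
    param([hashtable]$Status, [hashtable]$Expected)
    foreach ($key in $Expected.Keys) {
        $actual = $Status[$key]
        if ($actual -ne $Expected[$key]) {
            # A missing key reports Actual as empty, which distinguishes "not joined"
            # from "dsregcmd output changed shape".
            [pscustomobject]@{ Parameter = $key; Expected = $Expected[$key]; Actual = $actual }
        }
    }
}

# Live run on the device:
#   $status = ConvertFrom-DsregStatus (dsregcmd.exe /status)
# Constructed sample output for an offline dry run (layout follows dsregcmd; values are made up):
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CLOUDTEST
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : NO
           WorkplaceJoined : NO
             WamDefaultSet : YES
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : YES
'@ -split "`r?`n"

$status   = ConvertFrom-DsregStatus $sample
$failures = @(Test-HybridJoinStatus $status $expected)
if ($failures.Count -eq 0) {
    "Hybrid Azure AD join looks complete (tenant domain: $($status['DomainName']))."
} else {
    "Hybrid Azure AD join is incomplete:"
    $failures | Format-Table -AutoSize
}
```

The most common partial state after the first restart is AzureAdJoined YES with AzureAdPrt NO: the device object exists but the user has not yet obtained a Primary Refresh Token through the federated sign-in, which usually means the WS-Trust or Kerberos configuration on Access Manager, not the device registration, needs attention.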

Verifying the Status on the Azure Portal

You can verify the status of the device registration on the Azure Portal under Azure Active Directory > Devices.

Or you can check the status by using PowerShell:

  1. Open Microsoft Azure Active Directory Module for Windows PowerShell.

  2. Run the following command to connect to your Azure Active Directory tenant:

    Connect-MsolService

  3. Specify the Azure AD administrator’s credentials.

  4. Run the following command:

    • To verify the status of all registered devices: Get-MsolDevice -All

    • To verify the status of a specific device using DeviceID: Get-MsolDevice -DeviceID "<device_id_value>"
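Get-MsolDevice answers the question for devices that did register; during a rollout the more useful question is which domain-joined computers have not. The following PowerShell is an added example, not code from the original page or from Microsoft, that reconciles the computer objects in the on-premises search context with the devices Azure AD reports and lists the ones still missing. It assumes the ActiveDirectory and MSOnline modules, the CN=computers search context used as an example earlier on this page (a placeholder to substitute), and that MSOnline reports hybrid-joined devices with a DeviceTrustType of 'Domain Joined'.

```powershell
# Added example (not from the original page): find domain-joined computers that
# have not yet completed hybrid Azure AD join.
Import-Module ActiveDirectory
Connect-MsolService   # prompts for the Azure AD administrator credentials

$searchBase = 'CN=computers,DC=cloudtest,DC=info'   # placeholder: the search context from the user store step

# Every computer object in the container, including downlevel Windows versions.
$onPrem = Get-ADComputer -Filter * -SearchBase $searchBase -Properties OperatingSystem

# Hybrid-joined devices are reported as 'Domain Joined' (assumption about MSOnline's naming);
# Azure AD joined and workplace-joined devices are deliberately excluded.
$registered = Get-MsolDevice -All | Where-Object { $_.DeviceTrustType -eq 'Domain Joined' }

# Index Azure AD devices by name; the names are the sAMAccountName without the trailing '$',
# so a case-insensitive match on the computer Name is sufficient.
$byName = @{}
foreach ($d in $registered) { $byName[$d.DisplayName.ToUpperInvariant()] = $d }

$report = foreach ($c in $onPrem) {
    $match = $byName[$c.Name.ToUpperInvariant()]
    [pscustomobject]@{
        Computer        = $c.Name
        OperatingSystem = $c.OperatingSystem
        RegisteredInAAD = [bool]$match
        DeviceId        = if ($match) { $match.DeviceId } else { $null }
        LastLogon       = if ($match) { $match.ApproximateLastLogonTimestamp } else { $null }
    }
}

$report | Sort-Object RegisteredInAAD, Computer | Format-Table -AutoSize

$missing = @($report | Where-Object { -not $_.RegisteredInAAD })
"$($missing.Count) of $($report.Count) computers in $searchBase are not registered in Azure AD."
```

A computer that appears in the missing list but reports AzureAdJoined: YES in dsregcmd /status has usually registered under a different display name or in a different tenant; compare the DeviceId from dsregcmd with Get-MsolDevice -DeviceID before assuming the join failed.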