What is Hybrid Azure AD Joined device | A step by step demo to Hybrid Join a device in Azure AD

Captions
Hi guys, I hope you all are doing well, and welcome to the next video of the series on Azure Active Directory. In the last video we talked about Azure AD joined devices. I demonstrated to you how to join a device with Azure AD during operating system installation and post operating system installation; we verified the certificate that is pushed to the device during the joining process, and we verified the Event Viewer logs that are generated during the joining process.

In this particular video we are going to talk about hybrid Azure AD joined devices. We will discuss what a hybrid Azure AD joined device is, we will discuss the prerequisites that are required to be met, and then I will demonstrate to you how to configure a device as hybrid Azure AD joined.

If you go by the definition, a hybrid Azure AD joined device is a device that is joined to an on-premises Active Directory domain and is registered with Azure Active Directory. Now the question arises: what is the purpose of joining a device to an on-premises AD domain and registering the same device with Azure AD as well? So let's consider one example and understand this concept. When we join a device to an on-premises AD domain, a device object is created in Active Directory for that particular device; you can find that object in Active Directory under the Computers OU. When this object is created you can apply group policies to this device, or you can apply other policies in your on-premises AD. Now let's say you want to use cloud services or you want to apply cloud policies to this device, for example Intune policies, seamless single sign-on or conditional access policies. So just like you applied group policy to a device object in on-premises AD, in the same way you need a device object, or a device identity, in Azure AD as well. That means when you register or join the same device with Azure AD, a device identity will be created in Azure AD for that device, and once a device identity is created you can apply cloud policies to this device. So this is the purpose of enrolling a device as hybrid Azure AD joined.

Now let's understand the prerequisites for configuring a device as hybrid Azure AD joined. You need to make sure that you are using the latest version of Azure AD Connect. While configuring Azure AD Connect for hybrid Azure AD join you need to add the OUs where the devices are stored within the syncing scope. You need the credentials of a Global Administrator account of your Azure AD tenant and the Enterprise Admin credentials of on-premises AD. Before you configure Azure AD Connect, make sure that the below URLs are allowed in your network, and you need to make sure that your devices are using a supported operating system.

So now let's move towards our lab, let's meet all the prerequisites, and let's configure a device as hybrid Azure AD joined. This is my domain controller that I'm going to use for this particular demo; I have already installed Azure AD Connect on this server. So let's meet all the prerequisites one by one, and first let's create the group policy. We will go to Group Policy Management; with the help of Group Policy we will allow the URLs within our network. Under Group Policy Management you will right-click Default Domain Policy, then click Edit. Under Computer Configuration you will go to Policies, then go to Administrative Templates, expand Windows Components, expand Internet Explorer, Internet Control Panel, and click Security Page. On the right side you will double-click Site to Zone Assignment List. Let's maximize the page. First you will enable this policy, and then you will click Show next to Enter the zone assignments here. On this particular window you will add certain URLs; you can refer to the article that says Configure hybrid Azure AD join. In this article you will find these four URLs that you need to add under this policy. So let's copy these URLs one by one, add them here, and the value will be 1 for all the URLs. Let's add the second one; the value will be 1. Let's copy the last URL and click OK, Apply, and click OK. If you want to verify, you can double-click this policy and make sure this is set to Enabled, click Show, and we can see these four URLs with value 1. So this part is done.

Next we will add the organizational unit to the syncing scope. Let me close this and go to the Azure AD Connect Synchronization Service. First let me show you the OU: go to Users and Computers. When you join a machine to on-premises AD, the device identity is created under the Computers OU. As of now you do not see any device here, because the client machine that I will be using for hybrid Azure AD join is not joined to my on-premises AD. Once I join the device, after that this device will be reflected under the Computers OU. So what we need to do is make sure this Computers OU is within the syncing scope; that means Azure AD Connect should sync this particular OU. So let's go to Synchronization Service Manager, go to Connectors, double-click your on-premises connector, go to Directory Partitions, or Configure Directory Partitions, and click Containers. Now here you need to type the credentials of your on-premises Enterprise Administrator. Here you can see all the OUs that are available within your on-premises Active Directory; you can see them on the left side. Now here you need to make sure this Computers OU is within the syncing scope, so check this OU, click OK, click OK again, and click OK. If you want to verify the version of Azure AD Connect, you can click Help, click About, and here you can see the version of Azure AD Connect that you are using within your on-premises environment. So we have met all the prerequisites, and for the client I'm using Windows 10, which is a supported version for hybrid Azure AD join. So let's close this wizard and let's minimize this.

Now let's go to the Azure AD Connect wizard. On the welcome page you will click Configure, and then you will click Configure device options. Click Next, click Next. Here you will type the password for the Global Administrator of your Azure AD tenant. By default the Configure Hybrid Azure AD join option will be selected, so no changes are required here; click Next. Under Device operating system you will select the operating system versions that you will be using for hybrid Azure AD join for your devices; I will select both and click Next. Now here we will select the service connection point for hybrid Azure AD joined devices, so check this option. This is your Azure AD domain and the domain that you're using in on-premises Active Directory. Authentication Service will be Azure Active Directory, and under Enterprise Administrator click Add and type the credentials of your on-premises Enterprise Administrator. So the on-premises Enterprise Administrator account is added. Now, what we are basically doing in this wizard is creating one service connection point; this service connection point will be used by the on-premises devices to locate the Azure AD tenant. I will show you how to find this service connection point. So once you have made the changes, once you have added the credentials and all the changes are made, click Next, and on the page where it says Ready to configure, click Configure. It says Configuration complete: the task to configure hybrid Azure AD join completed successfully; you must now carry out additional steps.

Now let me show you this service connection point that is created during the Azure AD configuration. Go to Windows Administrative Tools and go to ADSI Edit. Let me remove this first. Under ADSI Edit you will right-click Connect to, and here select Configuration, click OK. Now expand your domain, expand it, go to Services, and here we can see Device Registration Configuration. So this is the service connection point that is created; you can see here the value is class serviceConnectionPoint. Now if you want to check the properties of this service connection point, you will right-click and then go to Properties, and here you can see all the attributes. Under keywords you can see your Azure AD tenant name; this is the initial domain, in my case it is Office 365 cptss.onmicrosoft.com, and this is my tenant ID. These values are used by the on-premises devices to locate your Azure AD tenant.

Now one of the most important concepts in hybrid Azure AD join is Task Scheduler. So let's go to the client machine, go to Start and then type Task Scheduler. Let's maximize this. Here you will expand Task Scheduler Library, expand Microsoft, expand Windows, and here you will look for Workplace Join, this one. Here you will see one task that says Automatic-Device-Join; this task is responsible for joining the devices automatically with Azure AD. As of now we can see the status for this task is Disabled, because this client machine is not joined to on-premises Active Directory. Once I join this device to the on-premises AD domain, this task will start automatically and this device will try to register itself with Azure AD. So let me minimize this, and now let's try to join this device to on-premises AD. Let's go to Properties. So this device is joined to the on-premises domain; now let's restart this device.

So now let's go to Task Scheduler, let's maximize this, expand Microsoft, Windows, and look for Workplace Join, and now we can see this task is in the Ready state. When this task is in the Ready state, this device will contact Azure AD to get a certificate, and once this device gets a certificate from Azure AD, it will store the public key of this certificate in its device object in local AD. So let's go to the domain controller; let me close this and let's refresh. We can see one device identity is created; this is the hostname of this client machine. Let's go to Command Prompt and type hostname. You can see here: hybrid aad join, hybrid aad join. So this is the device identity for this client machine. Now let me show you this certificate: double-click the device object, go to Properties, and then go to Attribute Editor, and here you will look for the attribute that says userCertificate. So this is the certificate that this device has got from Azure Active Directory.

Now you can come across an issue where a device is not getting synchronized to Azure AD, and one of the reasons for this particular issue is this certificate. If this particular certificate is not reflected under the userCertificate attribute, Azure AD Connect will not synchronize that particular device to Azure AD, and the reason is that within Azure AD Connect there is a rule defined in the synchronization rules that if a device does not have a certificate under the userCertificate attribute, do not sync that device to Azure AD. So if you are facing any problem where a device is not syncing, always check whether that particular device has this certificate or not.

So now let's go to the client machine and check the status of this particular device. Let's run dsregcmd /status, and here we can see DomainJoined: YES, that means it is joined to the on-premises AD domain, and AzureAdJoined says YES. So now this particular device is hybrid Azure AD joined, because it is joined to on-premises as well, and it is joined to Azure Active Directory also.

Now let's go to Azure Active Directory and verify the device identity. Go to Devices, All devices, and here we can see one device with hostname hybrid aad join, and the join type says Hybrid Azure AD joined. Let's click on this device identity. This is the device ID, and you can see the Windows operating system version, Enabled: Yes, and the type says Hybrid Azure AD joined. Now the device ID is d947. Let's go to Users and Computers, double-click the device identity in on-premises AD, go to Attribute Editor, and here look for objectGUID. So this is the objectGUID of this particular device identity: d947, d947. So this is the same device that is synchronized from on-premises AD to Azure Active Directory.

So this is how you can configure your devices as hybrid Azure AD joined. In the next video we will be discussing Azure AD seamless single sign-on, or Azure AD SSO. We will discuss what Azure AD SSO is, how it works, and what the prerequisites are for using this feature, and I will demonstrate to you practically how to configure Azure AD seamless single sign-on. So if you have learned something new from this particular video, please write in the comments and subscribe to the channel, and please share this channel within your community. Thank you guys, thank you for your time, take care.
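The three checks the demo performs by hand (dsregcmd /status on the client, the service connection point in the Configuration partition, and the userCertificate attribute on the computer object) collected into one PowerShell script, as an added example that is not part of the video. It assumes the RSAT ActiveDirectory module is installed and that it runs on the domain-joined client (or another machine with read access to the domain); the function names are this example's own.

```powershell
# Added example (not from the video): verify hybrid Azure AD join state from the client and from AD.
# Assumes: RSAT ActiveDirectory module, domain-joined Windows host with read rights to the domain.
Import-Module ActiveDirectory

function Get-DsregStatus {
    # Parse the "   Key : Value" lines of dsregcmd /status into a hashtable.
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$') { $status[$matches[1]] = $matches[2] }
    }
    return $status
}

function Get-HybridJoinScp {
    # The wizard writes a serviceConnectionPoint under Device Registration Configuration in the
    # Configuration partition; its keywords carry the tenant name and tenant ID shown in ADSI Edit.
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $base = "CN=Device Registration Configuration,CN=Services,$configNc"
    Get-ADObject -SearchBase $base -Filter 'objectClass -eq "serviceConnectionPoint"' -Properties keywords |
        ForEach-Object { $_.keywords }
}

function Test-HybridJoinDevice {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $status   = Get-DsregStatus
    $computer = Get-ADComputer -Identity $ComputerName -Properties userCertificate
    [pscustomobject]@{
        ComputerName  = $ComputerName
        DomainJoined  = $status['DomainJoined']
        AzureAdJoined = $status['AzureAdJoined']
        DeviceId      = $status['DeviceId']
        # Empty userCertificate means the Azure AD Connect sync rule will skip this object.
        HasUserCert   = ($computer.userCertificate.Count -gt 0)
        ScpKeywords   = ((Get-HybridJoinScp) -join '; ')
    }
}

$result = Test-HybridJoinDevice
$result | Format-List
if ($result.DomainJoined -eq 'YES' -and $result.AzureAdJoined -eq 'YES' -and $result.HasUserCert) {
    Write-Host 'Device is hybrid Azure AD joined and its certificate is present on the AD computer object.'
} elseif (-not $result.HasUserCert) {
    Write-Warning 'userCertificate is empty: the Automatic-Device-Join task has not completed, so Azure AD Connect will not sync this device yet.'
}
```

Run it after the restart described above; a device that shows DomainJoined YES but AzureAdJoined NO and HasUserCert False is still waiting on the Workplace Join task.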
Info
Channel: Office365Concepts
Views: 14,319
Id: O1QgDjop8mk
Length: 18min 32sec (1112 seconds)
Published: Tue Dec 06 2022