Note-to-self: Azure AD hybrid join Windows 10 devices with PHS and SSSO, don’t forget to sync devices


While I have set up hybrid joined devices with ADFS authentication many times, which mostly worked well with the documents provided by Microsoft, I recently worked on a project where we needed to join Windows 10 devices to Azure AD in a Password Hash Sync (PHS) with Seamless Single Sign-On (SSSO) scenario.

Because I’m familiar with what to do, I did not read the “Requirements” section of the new documents well (yes, of course my fault).

While you don’t need to synchronize Windows 10 clients as device objects to Azure AD with Azure AD Connect when using ADFS authentication, I found out that it is a requirement for joining devices in a PHS/SSSO scenario, which is of course stated in the documentation:

From https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-managed-domains#prerequisites

Verify that Azure AD Connect has synchronized the computer objects of the devices you want to be hybrid Azure AD joined to Azure AD. If the computer objects belong to specific organizational units (OU), then these OUs need to be configured for synchronization in Azure AD connect as well.


Why do I need this:

While in an ADFS setup we have the additional claims for device authentication, this will of course not work in a PHS or PTA with SSSO scenario, so the devices themselves need to be able to authenticate to Azure AD, because a Windows 10 device joins Azure AD in the context of the machine account.

This only applies to Windows 10 devices, because:

  1. Windows 7 and 8 cannot be synchronized with Azure AD Connect.
  2. Windows down-level devices join in the user context of the logged-in account.


Conclusion:

If you get the following error when running

dsregcmd /status /debug

you may be missing the device sync with AADC (the computer object’s OU is not in the Azure AD Connect sync scope):

get_DefaultWebAccount returned nullptr. Default account is NOT set.
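As an added example (not part of the original post), the following PowerShell helper automates the check described above: it runs dsregcmd /status /debug, parses the “Key : Value” lines, flags the nullptr error, and prints the OU of the local computer object so it can be compared against the Azure AD Connect OU filter. It assumes it is run on a domain-joined Windows 10 machine with access to dsregcmd.exe; the Get-ADComputer lookup is optional and only runs when the RSAT ActiveDirectory module is installed. The function names are my own.

```powershell
# Added diagnostic helper, not from the original post or from Microsoft.
# Assumes: domain-joined Windows 10, dsregcmd.exe available; ActiveDirectory module optional.

function Get-DsregStatus {
    [CmdletBinding()]
    param()

    # Capture the full debug output as one string so we can both parse fields
    # and search for the free-text error message the post calls out.
    $raw   = & dsregcmd.exe /status /debug 2>&1 | Out-String
    $lines = $raw -split "`r?`n"

    # dsregcmd prints fields as "      AzureAdJoined : YES"; values may contain
    # colons (timestamps), so the key match is lazy and stops at the first colon.
    $fields = @{}
    foreach ($line in $lines) {
        if ($line -match '^\s*([A-Za-z][\w ]*?)\s*:\s*(.*?)\s*$') {
            $fields[$matches[1]] = $matches[2]
        }
    }

    [pscustomobject]@{
        AzureAdJoined         = $fields['AzureAdJoined']
        DomainJoined          = $fields['DomainJoined']
        DeviceId              = $fields['DeviceId']
        TenantName            = $fields['TenantName']
        # The error from the post: the device has no default web account because
        # its computer object was never synced and so cannot authenticate itself.
        MissingDefaultAccount = [bool]($raw -match 'get_DefaultWebAccount returned nullptr')
        RawOutput             = $raw
    }
}

function Test-HybridJoinPrereq {
    [CmdletBinding()]
    param()

    $status = Get-DsregStatus

    if ($status.DomainJoined -ne 'YES') {
        Write-Warning "Device is not domain joined; hybrid Azure AD join is not possible."
    }

    if ($status.MissingDefaultAccount) {
        Write-Warning "dsregcmd reports 'get_DefaultWebAccount returned nullptr. Default account is NOT set.'"
        Write-Warning "In a PHS/PTA + SSSO tenant this usually means the computer object is outside the Azure AD Connect sync scope."
    }

    # Show where the computer object lives so its OU can be checked against the
    # AADC "Domain and OU filtering" configuration.
    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        Import-Module ActiveDirectory
        $computer = Get-ADComputer -Identity $env:COMPUTERNAME
        $ou = ($computer.DistinguishedName -split ',', 2)[1]
        Write-Host "Computer object OU: $ou"
        Write-Host "Make sure this OU is included in Azure AD Connect's OU filtering."
    }
    else {
        Write-Host "ActiveDirectory module not available; check the computer's OU in AD Users and Computers instead."
    }

    $status | Select-Object AzureAdJoined, DomainJoined, DeviceId, TenantName, MissingDefaultAccount
}

Test-HybridJoinPrereq
```

Run it in an elevated PowerShell on the affected client; a result with DomainJoined YES, AzureAdJoined NO and MissingDefaultAccount True is the signature of the missing device sync described in the post, and the printed OU is what to add to the Azure AD Connect sync scope before the next sync cycle.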


Author: Peter Stapf

Senior Consultant Identity and Access

6 thoughts on “Note-to-self: Azure AD hybrid join Windows 10 devices with PHS and SSSO, don’t forget to sync devices”

  1. Peter, I am on the same path now, want to migrate from ADFS w/ Hybrid AAD Join already functional, to Pass-Through Authentication w/ Hybrid AAD Join.

    Currently, any machine that has the GPO set to Register in AAD, is properly registered and appears in Intune.

    What is the additional option that I need to set so this still works after migration?

    I can’t seem to find a clear guidance on this.

    Thanks

  2. Make sure that your Azure AD Connect has the OU included to join computer objects to Azure AD. Win10 machines register in the context of the computer, therefore the computer needs to authenticate to Azure AD.
    In your current solution with ADFS you added some additional claims when you enabled the hybrid join.

  3. We see the “get_DefaultWebAccount returned nullptr. Default account is NOT set.” issue when our users use the smartcard login. For some reason the link between smartcard user and hybrid AD computer object is lost.

    A device ID is not sent to Azure AD and conditional access doesn’t work.

    As soon as the user logs in with a password, everything works fine. Do we need to configure some additional settings on the user account?

  4. Great stuff Peter. I have a small query here. We currently have Azure AD Connect installed with the older version, which syncs almost everything (all users and all computer objects). All the computers show as Hybrid AD joined in the Azure portal, however they are actually not, probably because we didn’t configure Hybrid Azure AD in Azure AD Connect. Now we are actually doing a couple of things here in my organization. First is to update Azure AD Connect and change the federated domain to a managed domain (PTA). Once the authentication method is changed, we will enable the Hybrid Azure AD join, and this is what I am confused with. Let’s say we configure the Hybrid Azure AD join in Azure AD Connect but we don’t configure GPOs to enable/disable the automatic registration. First question is, do we actually require the GPOs to enable/disable automatic registration? Shouldn’t configuring the Hybrid Azure AD join through Azure AD Connect take care of it, or do we have to have the GPOs in place to enable the automatic registration? Any help will be greatly appreciated. Thanks

    1. Hello, with the GPO you can control which devices to join, but for Win10 the default is enabled when nothing is configured.
      So if you need to control the join, you first need to disable join for all devices and then enable it for some.
