While I have set up hybrid joined devices with ADFS authentication enabled many times, which mostly worked well with the documents provided by Microsoft, I recently worked on a project where we needed to join Windows 10 devices to Azure AD in a Password Hash Sync with Seamless Single Sign-On scenario.
Because I’m familiar with what to do, I did not read the “Requirements” of the new documents well (yes, of course my fault).
While you don’t need to synchronize Windows 10 clients with Azure AD Connect as devices in AAD when using ADFS authentication, I found out that it is a requirement for joining devices in a PHS/SSSO scenario, which is of course stated in the documentation:
> Verify that Azure AD Connect has synchronized the computer objects of the devices you want to be hybrid Azure AD joined to Azure AD. If the computer objects belong to specific organizational units (OU), then these OUs need to be configured for synchronization in Azure AD connect as well.
Why do I need this:
In an ADFS setup, device authentication is covered by the additional claims that ADFS issues. Those claims are not available in a PHS or PTA with Seamless SSO scenario, so the device itself must be able to authenticate to Azure AD, because the hybrid join is performed in the context of the machine account. That machine account only exists in Azure AD once the computer object has been synchronized by Azure AD Connect.
This only applies to Windows 10 devices, because:
- Windows 7 and 8 cannot be synchronized with Azure AD Connect.
- Windows down-level devices join in the user context of the logged-in account.
If you get the following error when running `dsregcmd /status /debug`, you may be missing the device sync with AADC:

```
get_DefaultWebAccount returned nullptr. Default account is NOT set.
```
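As an added example (not part of the original post), a small PowerShell helper that parses `dsregcmd /status /debug` output and reports the symptoms discussed above. It assumes PowerShell 5.1 or later on the client; the `AzureAdJoined` and `DomainJoined` fields are dsregcmd's own status keys, and the sample output below is constructed so the script runs offline.

```powershell
# Added example, not code from the original post: check dsregcmd output for the
# missing-device-sync symptom described above.

function ConvertFrom-DsregcmdStatus {
    param([string[]]$Lines)
    $status = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints "Key : Value" pairs in its status sections
        if ($line -match '^\s*(\S[^:]*?)\s*:\s*(.*?)\s*$') {
            $status[$matches[1]] = $matches[2]
        }
    }
    return $status
}

function Test-HybridJoinPrereqs {
    param([string[]]$Lines)
    $status   = ConvertFrom-DsregcmdStatus -Lines $Lines
    $findings = @()
    if ($status['DomainJoined'] -ne 'YES') {
        $findings += 'Device is not domain joined; hybrid join requires an on-premises domain join.'
    }
    if ($status['AzureAdJoined'] -ne 'YES') {
        $findings += 'Device is not (yet) Azure AD joined.'
    }
    # The debug line quoted in the post: no default account means the machine could not
    # authenticate in the machine-account context. In a PHS/PTA + Seamless SSO setup this
    # usually means the computer object (or its OU) is outside the AAD Connect sync scope.
    if ($Lines -match 'get_DefaultWebAccount returned nullptr') {
        $findings += 'No default account: verify the computer object / its OU is synchronized by Azure AD Connect.'
    }
    return $findings
}

# Constructed sample output for offline use; on a real client replace it with:
#   $sample = dsregcmd /status /debug
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : NO
              DomainJoined : YES
                DomainName : CORP
get_DefaultWebAccount returned nullptr. Default account is NOT set.
'@ -split "`r?`n"

Test-HybridJoinPrereqs -Lines $sample | ForEach-Object { Write-Output $_ }
```

Run it in the context of the domain-joined machine after the join attempt; an empty result means none of the three conditions above were detected.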