Configure Device Writeback feature

Configure Device Writeback feature

Hybrid device with Azure AD

We have had the possibility for many years to join a machine to an Active Directory domain. With cloud services (Office 365, Azure AD, …) identity management has become a very important point. Microsoft implemented in Windows 10, the functionality Azure AD Join (previously Workplace Join) allowing the junction of the machine in Azure AD Join.

Several hybridation scenarios can be implemented:

  • Device Writeback : To allow a computer join to Azure AD to access internal resources.
  • Hybrid AD Join : This scenario allows to join a computer in Azure AD and Active Directory.

Prerequisite

Several prerequisites are necessary :

  • An Active Directory
  • Azure Active Directory (Premium Edition for Device Writeback)
  • One Azure AD Connect for synchronize Active Directory
  • Windows 10 1607 or later version

Several prerequisites are necessary for Azure AD Connect:

  • Public domain name add to a tenant
  • Active Directory Group created and contain all users that you want synchronize
  • Modify UPN for the user you want to synchronize

Install Azure AD Connect

First, it is necessary to download Azure AD Connect. You can use this link

Azure AD Connect

Proceed with the installation by running the previously downloaded file.

Hybrid device with Azure AD

A wizard launches, check the box I agree to the license terms and privacy notice and click Continue.

Wizard appear

In the Express Settings window, click Customize.

Hybrid AD Select Customize solution

Click Install in the Install required components window to lauch Installation. In the User Sign-in window, leave Password Hash Synchronization checked and click Next.

Select Authentification method

Enter the login and password of a tenant administrator in order to connect to Azure AD.

Enter credential of user

In the Connect your directories window, click the Add Directory button to add the forest. Enter credentials and click to Continue.

Hybrid Device connect AD

A domain name must be added and verified. Check Continue without any verified domains and click to Next.

Verify UPN

Click Next in the Domain and OU filtering and Uniquely identifying your users windows. Select the Synchronize selected radio button and enter the AD group name (this group contain user that you want synchronize). Click Resolve and then Next.

Select ad groups for filter synchronization

Click Next and lauch configuration with Install button. Next you can attribute licence for your Users.

Hybrid AD Finish synchronisation

Device Writeback

For this scenario, it is necessary to have EMS licenses. Mainly Azure AD Premium P1 and P2 licenses. Device rewriting in Azure AD Connect must be enabled. Rerun the Installation Wizard and in the Additional Tasks window, select Configure Device Options, and click Next. On the Azure AD Connect server, launch a PowerShell console. Execute this command.

  • Import-module ‘C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1’
  • Initilalize-ADSyncDeviceWriteback -domainname -AdConnectorAccount

The folder RegisteredDevices appear in the user and computer AD console.

Add UPN on Active Directory

Device rewriting in Azure AD Connect must be enabled. Rerun the Installation Wizard and in the Additional Tasks window, select Configure Device Options, and click Next.

Configure device option

Enter the Azure AD administrator account credentials and click Next. In Device Options, check the radio button Configure device writeback.

Configure device writeback

Select Active Directory Forest and click Next.

Select writeback for devices

Enter Credential of your Enterprise Administrator Active Directory and click Next.

Select Device container

Click Configure to lauch configuration.

Configure writeback device

The Writeback of the devices is now operational. Rewriting device objects in AD can take up few minutes. It is possible to check the correct synchronization of then the Active Directory Administrative Center console.

Device present on AD

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.