Hybrid equipment with Azure AD

We have been able to join a machine to an Active Directory domain for many years. With cloud services (Office 365, Azure AD, …) identity management has become a very important point. Microsoft implemented in Windows 10 the Azure AD Join functionality (previously Workplace Join), allowing a machine to be joined directly to Azure AD.

Several hybridization scenarios can be implemented:

  • Device Writeback: allows a computer joined to Azure AD to access internal (on-premises) resources.
  • Hybrid Azure AD join: allows a computer joined to an AD domain to access cloud resources.

Prerequisite

Several prerequisites are necessary:

  • An Active Directory forest
  • Azure Active Directory (Premium edition for Device Writeback)
  • An Azure AD Connect server to synchronize Active Directory
  • Windows 10 1607 or later

Several prerequisites are necessary for Azure AD Connect:

  • A public domain name added to the tenant
  • An Active Directory group containing all the users you want to synchronize
  • The UPN of each user to synchronize modified to match the public domain

Install Azure AD Connect

First, download Azure AD Connect. You can use this link:

Azure AD Connect

Proceed with the installation by running the previously downloaded file.

A wizard launches, check the box I agree to the license terms and privacy notice and click Continue.

In the Express Settings window, click Customize.

Click Install in the Install required components window to launch the installation. In the User Sign-in window, leave Password Hash Synchronization checked and click Next.

Enter the login and password of a tenant administrator in order to connect to Azure AD.

In the Connect your directories window, click the Add Directory button to add the forest. Enter the credentials and click Continue.

A domain name must be added and verified. Check Continue without any verified domains and click Next.

Click Next in the Domain and OU filtering and Uniquely identifying your users windows. Select the Synchronize selected radio button and enter the AD group name (this group contains the users you want to synchronize). Click Resolve and then Next.

Click Next and launch the configuration with the Install button. You can then assign licenses to your users.

Device Writeback

For this scenario, EMS licenses are required, mainly Azure AD Premium P1 and P2. The forest must first be prepared for device writeback: on the Azure AD Connect server, launch a PowerShell console and execute these commands

  • Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1'
  • Initialize-ADSyncDeviceWriteback -DomainName <your-AD-domain> -AdConnectorAccount <domain\connector-account>

The RegisteredDevices container then appears in the Active Directory Users and Computers console.

Device writeback must then be enabled in Azure AD Connect. Rerun the installation wizard and, in the Additional Tasks window, select Configure Device Options and click Next.

Enter the Azure AD administrator account credentials and click Next. In Device Options, select the Configure device writeback radio button.

Select the Active Directory forest and click Next.

Enter the credentials of an Active Directory Enterprise Administrator and click Next.

Click Configure to launch the configuration.

Device writeback is now operational. Writing the device objects back to AD can take a few minutes. You can check that they are synchronized correctly in the Active Directory Administrative Center console.
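The same check can be scripted instead of browsing the console. The following is an added example, not part of the original post: it assumes the ActiveDirectory RSAT module is available and that the caller can read the domain, locates the RegisteredDevices container that Initialize-ADSyncDeviceWriteback creates, and lists the msDS-Device objects written back into it.

```powershell
# Added example (not from the original post): verify that device writeback has populated
# the RegisteredDevices container of the on-premises domain.
# Assumes the ActiveDirectory RSAT module is installed and the caller has read access.
Import-Module ActiveDirectory

$domainDN    = (Get-ADDomain).DistinguishedName
$containerDN = "CN=RegisteredDevices,$domainDN"

# The container is created by Initialize-ADSyncDeviceWriteback; if it is missing,
# the forest preparation step did not complete.
try {
    $container = Get-ADObject -Identity $containerDN -Properties whenCreated
    Write-Host "RegisteredDevices container found (created $($container.whenCreated))"
} catch {
    Write-Warning "RegisteredDevices container not found under $domainDN; run Initialize-ADSyncDeviceWriteback first."
    return
}

# Devices written back from Azure AD are objects of class msDS-Device.
$devices = Get-ADObject -SearchBase $containerDN -SearchScope OneLevel `
    -LDAPFilter '(objectClass=msDS-Device)' `
    -Properties displayName, 'msDS-DeviceID', 'msDS-IsEnabled', whenChanged

if (-not $devices) {
    Write-Warning "No device objects yet; writeback happens on the next sync cycle (allow a few minutes)."
} else {
    $devices |
        Select-Object displayName, 'msDS-DeviceID', 'msDS-IsEnabled', whenChanged |
        Sort-Object whenChanged -Descending |
        Format-Table -AutoSize
}
```

A device that is disabled in Azure AD shows msDS-IsEnabled set to False here, which is what on-premises resources relying on device writeback use to refuse it.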

Computers joined to Azure Active Directory can now access internal resources without having to re-enter their credentials.

Azure AD hybrid

To enable hybrid Azure AD join, the computer objects of the devices that will become hybrid must be synchronized. The computer needs access to (allow) the following URLs:

  • https://enterpriseregistration.windows.net
  • https://login.microsoftonline.com
  • https://device.login.microsoftonline.com

We will first check the configuration of the service connection point (SCP). The SCP object is read during registration to discover the Azure AD tenant information.

On the domain controller, run the following PowerShell commands

  • $scp = New-Object System.DirectoryServices.DirectoryEntry;
  • $scp.Path = "LDAP://CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=Formation,DC=local";
  • $scp.Keywords;

Replace DC=Formation,DC=local with your domain name. If a result is displayed, the SCP is correctly configured. If not, the Active Directory forest must be prepared by extending the schema.
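The three commands above are one instance of the check; the version below is an added example that is not part of the original post. It reads the configuration naming context from RootDSE so nothing has to be replaced by hand, then parses the two keywords the SCP carries (azureADName and azureADId) so you can confirm the forest points at the tenant you expect. It only assumes it runs on a domain-joined host as a domain user.

```powershell
# Added example (not from the original post): locate the device registration SCP via RootDSE
# and report the tenant it points to. Works from any domain-joined host as a domain user.
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNC = $rootDse.configurationNamingContext.Value   # e.g. CN=Configuration,DC=Formation,DC=local

# 62a0ff2e-97b9-4513-943f-0d221bd30080 is the well-known GUID of the device registration SCP.
$scpPath = "LDAP://CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,$configNC"

if (-not [ADSI]::Exists($scpPath)) {
    Write-Warning "SCP not found: the forest has not been prepared for hybrid Azure AD join."
    return
}

$scp      = [ADSI]$scpPath
$keywords = @($scp.Keywords)   # multi-valued: azureADName:<tenant domain>, azureADId:<tenant GUID>

$tenantName = ($keywords | Where-Object { $_ -like 'azureADName:*' }) -replace '^azureADName:', ''
$tenantId   = ($keywords | Where-Object { $_ -like 'azureADId:*' })   -replace '^azureADId:', ''

if ($tenantName -and $tenantId) {
    Write-Host "SCP points to tenant '$tenantName' ($tenantId)"
} else {
    Write-Warning "SCP exists but its keywords are incomplete: $($keywords -join ', ')"
}
```

Compare the tenant id printed here with the one shown in the Azure portal: the SCP is what every domain-joined Windows 10 machine trusts to pick its tenant, so a stale or wrong value sends registrations to the wrong place.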

After checking the SCP, the computer accounts must be synchronized. I have already installed Azure AD Connect, so I will modify the security group used for filtered synchronization. I add the AD computer account to the group.

Start a synchronization after adding the account to the group.

It is now possible to ask the machine to register in Azure AD. This can be done through a GPO, SCCM or manually.
From the Group Policy Management console, create a new GPO and configure the Register domain joined computers as devices setting.
The setting must be set to Enabled; it is located under Computer Configuration > Policies > Administrative Templates > Windows Components > Device Registration.

You need the Windows 10 ADMX templates for this setting to appear.
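Once the GPO has applied, the result can be verified on the client. The following is an added example, not part of the original post: it checks that the three registration endpoints listed earlier are reachable on TCP 443, parses dsregcmd /status into a table, and, if the device is not yet hybrid joined, reports the last result of the Automatic-Device-Join scheduled task that performs the registration. It assumes a Windows 10 client with dsregcmd and Test-NetConnection available.

```powershell
# Added example (not from the original post): client-side verification of hybrid Azure AD join.
# 1. The registration endpoints must be reachable on TCP 443.
# 2. dsregcmd /status must report DomainJoined and AzureAdJoined as YES.
$endpoints = @(
    'enterpriseregistration.windows.net',
    'login.microsoftonline.com',
    'device.login.microsoftonline.com'
)

foreach ($fqdn in $endpoints) {
    $ok = Test-NetConnection -ComputerName $fqdn -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue
    Write-Host ("{0,-40} {1}" -f $fqdn, $(if ($ok) { 'reachable' } else { 'BLOCKED' }))
}

# dsregcmd prints "Key : Value" lines; collect them into a hashtable (first colon splits key from value).
$status = @{}
dsregcmd /status | ForEach-Object {
    if ($_ -match '^\s*(\S[^:]*?)\s*:\s*(.+?)\s*$') { $status[$matches[1]] = $matches[2] }
}

foreach ($key in 'DomainJoined', 'AzureAdJoined', 'TenantName', 'TenantId') {
    Write-Host ("{0,-20} {1}" -f $key, $status[$key])
}

if ($status['AzureAdJoined'] -ne 'YES') {
    # Registration is performed by this scheduled task at logon / on a timer; its last result
    # is the first thing to look at when AzureAdJoined stays NO.
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' `
                              -TaskName 'Automatic-Device-Join' -ErrorAction SilentlyContinue
    if ($task) {
        $info = $task | Get-ScheduledTaskInfo
        Write-Warning ("Not hybrid joined yet. Automatic-Device-Join last ran {0}, result 0x{1:X}" -f `
                       $info.LastRunTime, $info.LastTaskResult)
    } else {
        Write-Warning "Not hybrid joined yet and the Automatic-Device-Join task was not found."
    }
}
```

The TenantName and TenantId values printed by dsregcmd should match the azureADName and azureADId keywords of the SCP; a mismatch means the client discovered a different tenant than the one Azure AD Connect synchronizes to.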
