We have been able to join a machine to an Active Directory domain for many years. With cloud services (Office 365, Azure AD, …) identity management has become a central concern. In Windows 10, Microsoft introduced Azure AD Join (the successor of Workplace Join), which allows a machine to be joined directly to Azure AD.
Several hybrid scenarios can be implemented:
- Device Writeback: writes the devices registered or joined in Azure AD back to the on-premises Active Directory, so that a computer joined to Azure AD can access internal resources that require a device identity (for example device-based conditional access through AD FS).
- Hybrid Azure AD Join: joins a computer to both the on-premises Active Directory and Azure AD.
Several prerequisites are necessary:
- An Active Directory forest
- Azure Active Directory (a Premium edition is required for Device Writeback)
- An Azure AD Connect server to synchronize the Active Directory
- Windows 10 version 1607 or later on the clients
Several prerequisites are necessary for Azure AD Connect:
- A public domain name added to the tenant
- An Active Directory group containing all the users you want to synchronize
- The UPN of each user you want to synchronize set to a suffix that matches the tenant domain (a non-routable suffix such as .local cannot be used to sign in to Azure AD)
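The three Azure AD Connect prerequisites above (public UPN suffix, synchronization group, user UPNs) can be prepared in one pass from a domain-joined machine with the RSAT ActiveDirectory module. The following script is an added example and is not part of the original article; the suffix contoso.com, the group name AADSyncUsers and the OU path are assumptions to be replaced with your own values.

```powershell
# Added example: prepare on-premises AD for Azure AD Connect.
# Assumed values (replace with your own):
$PublicSuffix = 'contoso.com'                              # domain added to the tenant
$SyncGroup    = 'AADSyncUsers'                             # group that scopes synchronization
$SourceOu     = 'OU=Users,OU=Corp,DC=contoso,DC=local'     # OU holding the users to synchronize

Import-Module ActiveDirectory

# 1. Register the public domain as an alternative UPN suffix of the forest.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $PublicSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $PublicSuffix }
}

# 2. Create the group used by the "Synchronize selected" option of the wizard.
if (-not (Get-ADGroup -Filter "Name -eq '$SyncGroup'")) {
    New-ADGroup -Name $SyncGroup -GroupScope Global -GroupCategory Security -Path $SourceOu
}
$members = @(Get-ADGroupMember -Identity $SyncGroup | Select-Object -ExpandProperty DistinguishedName)

# 3. Give every enabled user of the OU a routable UPN and add it to the group.
#    Changing the UPN changes what the user types to sign in, so announce it first.
Get-ADUser -SearchBase $SourceOu -Filter { Enabled -eq $true } -Properties UserPrincipalName |
    ForEach-Object {
        $newUpn = '{0}@{1}' -f $_.SamAccountName, $PublicSuffix
        if ($_.UserPrincipalName -ne $newUpn) {
            Set-ADUser -Identity $_ -UserPrincipalName $newUpn
        }
        if ($members -notcontains $_.DistinguishedName) {
            Add-ADGroupMember -Identity $SyncGroup -Members $_
        }
    }

# 4. Report users in scope whose UPN still does not match the public suffix
#    (disabled accounts, service accounts, …) so they are not synchronized by mistake.
Get-ADUser -SearchBase $SourceOu -Filter * -Properties UserPrincipalName |
    Where-Object { $_.UserPrincipalName -notlike "*@$PublicSuffix" } |
    Select-Object SamAccountName, UserPrincipalName, Enabled
```

Run the final report before launching the wizard: the group decides which objects leave the forest, so it should contain only the accounts that actually need a cloud identity.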
Install Azure AD Connect
First, download Azure AD Connect from Microsoft.
Proceed with the installation by running the downloaded file.
A wizard starts; check the box I agree to the license terms and privacy notice and click Continue.
In the Express Settings window, click Customize.
Click Install in the Install required components window to launch the installation. In the User Sign-in window, leave Password Hash Synchronization checked and click Next. Note that with Password Hash Synchronization the AD connector account created by the wizard is granted directory replication permissions on the domain (the same rights a domain controller uses), so the Azure AD Connect server and its service accounts must be protected like a domain controller.
Enter the login and password of a tenant administrator in order to connect to Azure AD.
In the Connect your directories window, click the Add Directory button to add the forest. Enter the credentials and click Continue.
A domain name must be added and verified in the tenant. If it is not verified yet, check Continue without any verified domains and click Next.
Click Next in the Domain and OU filtering and Uniquely identifying your users windows. Select the Synchronize selected radio button and enter the name of the AD group (this group contains the users you want to synchronize). Click Resolve and then Next.
Click Next and launch the configuration with the Install button. Afterwards you can assign licenses to your users.
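Because Password Hash Synchronization hands directory replication rights to the connector account, the first check after the installation is to list every principal that can replicate the domain. The script below is an added example, not part of the original article; it assumes the RSAT ActiveDirectory module is available on the machine where it runs. The two GUIDs are the schema constants of the replication extended rights.

```powershell
# Added example: who can replicate the domain (i.e. dump every password hash)?
Import-Module ActiveDirectory

# Extended-right GUIDs defined in the AD schema (constants, not assumptions).
$ReplRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}
$GenericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

$domainDn = (Get-ADDomain).DistinguishedName
$acl = Get-Acl -Path "AD:\$domainDn"

$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            # explicit replication extended right ...
            ($_.ActiveDirectoryRights -match 'ExtendedRight' -and
             $ReplRights.ContainsKey($_.ObjectType.ToString())) -or
            # ... or full control on the domain root, which implies it
            $_.ActiveDirectoryRights.HasFlag($GenericAll)
        )
    } |
    Select-Object @{ n = 'Principal'; e = { $_.IdentityReference.Value } },
                  @{ n = 'Right';     e = {
                        if ($_.ActiveDirectoryRights.HasFlag($GenericAll)) { 'GenericAll' }
                        else { $ReplRights[$_.ObjectType.ToString()] } } },
                  IsInherited |
    Sort-Object Principal, Right -Unique
```

The expected result is short: the built-in administrator and domain controller groups plus the Azure AD Connect connector account (named MSOL_ followed by an identifier by default). Any other principal in the list has DCSync capability and needs an explanation.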
For this scenario, EMS licenses are required, that is Azure AD Premium P1 or P2. Before device writeback can be enabled, the forest must be prepared for it. On the Azure AD Connect server, open a PowerShell console and execute the following commands, replacing the placeholders with your domain name and the AD connector account used by Azure AD Connect:
- Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1'
- Initialize-ADSyncDeviceWriteback -DomainName <domain> -AdConnectorAccount <DOMAIN\account>
The container RegisteredDevices then appears at the root of the domain in the Active Directory Users and Computers console.
Device writeback must now be enabled in Azure AD Connect. Rerun the installation wizard and, in the Additional Tasks window, select Configure device options and click Next.
Enter the credentials of the Azure AD administrator account and click Next. In Device options, select the radio button Configure device writeback.
Select the Active Directory forest and click Next.
Enter the credentials of an Enterprise Administrator of the Active Directory forest and click Next.
Click Configure to launch the configuration.
Device writeback is now operational. Writing the device objects back to AD can take a few minutes. Correct synchronization can be checked in the RegisteredDevices container with the Active Directory Administrative Center console. Because these objects are what AD FS and other on-premises services trust to decide that a device is known, changes to that container and to the connector account that writes into it deserve the same monitoring as the rest of the domain.
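Rather than waiting for the scheduler and browsing the console, the result of the previous steps can be verified from the Azure AD Connect server. The script below is an added example and not part of the original article; it assumes it runs on the Azure AD Connect server where the ADSync module is installed together with the RSAT ActiveDirectory module.

```powershell
# Added example: verify device writeback end to end on the Azure AD Connect server.
Import-Module ADSync
Import-Module ActiveDirectory

# 1. Is the DeviceWriteback feature enabled on the Azure AD connector?
$features = Get-ADSyncAADCompanyFeature
if (-not $features.DeviceWriteback) {
    Write-Warning 'Device writeback is not enabled; rerun the wizard (Configure device options).'
}

# 2. Trigger a delta cycle instead of waiting for the 30-minute scheduler,
#    then wait until no connector is running any more (the cycle is asynchronous).
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
do { Start-Sleep -Seconds 10 } while (Get-ADSyncConnectorRunStatus)

# 3. List the written-back devices: msDS-Device objects under CN=RegisteredDevices.
$domainDn  = (Get-ADDomain).DistinguishedName
$container = "CN=RegisteredDevices,$domainDn"
if (-not (Get-ADObject -Identity $container -ErrorAction SilentlyContinue)) {
    throw "Container $container not found: Initialize-ADSyncDeviceWriteback has not been run."
}
Get-ADObject -SearchBase $container -LDAPFilter '(objectClass=msDS-Device)' `
    -Properties displayName, 'msDS-DeviceId', 'msDS-IsEnabled', 'msDS-DeviceOSType', whenChanged |
    Select-Object displayName, 'msDS-DeviceId', 'msDS-IsEnabled', 'msDS-DeviceOSType', whenChanged |
    Format-Table -AutoSize

# 4. Who is allowed to write into the container? Only the AD connector account
#    (granted by Initialize-ADSyncDeviceWriteback) and domain administrators should be.
(Get-Acl -Path "AD:\$container").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and -not $_.IsInherited } |
    Select-Object @{ n = 'Principal'; e = { $_.IdentityReference.Value } }, ActiveDirectoryRights |
    Format-Table -AutoSize
```

A device that is joined in Azure AD but missing from step 3 after the delta cycle usually means the device object is not in scope of the synchronization rules or the feature was enabled after the last full import; a principal you do not recognise in step 4 means someone other than Azure AD Connect can forge a trusted device.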