Hybrid equipment with Azure AD
We have had the possibility for many years to join a machine to an Active Directory domain. With cloud services (Office 365, Azure AD, …) identity management has become a very important point. Microsoft implemented in Windows 10, the functionality Azure AD Join (previously Workplace Join) allowing the junction of the machine in Azure AD Join.
Several hybridization scenarios can be implemented:
- Device Writeback : To allow a computer join to Azure AD to access internal resources.
- Azure AD hybrid : This scenario allows a computer attached to an AD domain to access cloud resources.
Several prerequisites are necessary :
- An Active Directory
- Azure Active Directory (Premium Edition for Device Writeback)
- One Azure AD Connect for synchronize Active Directory
- Windows 10 1607 or later version
Several prerequisites are necessary for Azure AD Connect:
- Public domain name add to a tenant
- Active Directory Group created and contain all users that you want synchronize
- Modify UPN for the user you want to synchronize
Install Azure AD Connect
First, it is necessary to download Azure AD Connect. You can use this link
Proceed with the installation by running the previously downloaded file
A wizard launches, check the box I agree to the license terms and privacy notice and click Continue.
In the Express Settings window, click Customize.
Click Install in the Install required components window to lauch Installation. In the User Sign-in window, leave Password Hash Synchronization checked and click Next.
Enter the login and password of a tenant administrator in order to connect to Azure AD.
In the Connect your directories window, click the Add Directory button to add the forest. Enter credentials and click to Continue.
A domain name must be added and verified. Check Continue without any verified domains and click to Next.
Click Next in the Domain and OU filtering and Uniquely identifying your users windows. Select the Synchronize selected radio button and enter the AD group name (this group contain user that you want synchronize). Click Resolve and then Next.
Click Next and lauch configuration with Install button. Next you can attribute licence for your Users.
For this scenario, it is necessary to have EMS licenses. Mainly Azure AD Premium P1 and P2 licenses. Device rewriting in Azure AD Connect must be enabled. Rerun the Installation Wizard and in the Additional Tasks window, select Configure Device Options, and click Next. On the Azure AD Connect server, launch a PowerShell console. Execute this command
- Import-module ‘C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1’
- Initilalize-ADSyncDeviceWriteback -domainname -AdConnectorAccount
The folder RegisteredDevices appear in the user and computer AD console.
Device rewriting in Azure AD Connect must be enabled. Rerun the Installation Wizard and in the Additional Tasks window, select Configure Device Options, and click Next.
Enter the Azure AD administrator account credentials and click Next. In Device Options, check the radio button Configure device writeback.
Select Active Directory Forest and click Next.
Enter Credential of your Enterprise Administrator Active Directory and click Next.
Click Configure to lauch configuration.
The Writeback of the devices is now operational. Rewriting device objects in AD can take up few minutes. It is possible to check the correct synchronization of then the Active Directory Administrative Center console.
Computer attached to Azure Active Directory have the ability to access internal resources without having to re-enter their credentials.
Azure AD hybrid
To activate the hybrid devices attached to Azure AD, it’s necessary to synchronize the computer objects of the devices that will become hybrid. The computer need to access to the Following URLs :
- https://login.microsoftonline.com Autoriser
We will first check the configuration of the service connection point. The service connection point (SCP) object is used during registration to detect Azure AD client information.
On the domain controller, run the PowerShell command
- $scp = New-Object System.DirectoryServices.DirectoryEntry;
- $scp.Path = “LDAP://CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=Formation,DC=local”;
Replace DC=Formation, DC=Local with your domain name. If a result is displayed, the SCP is correctly configured. If not, it is necessary to prepare the Active Directory forest by extending the Schema.
After checking SCP, it is necessary to synchronize computer accounts. I have already installed Azure AD Connect, so I will modify the group security used for filtered synchronisation. I add on the group the AD computer account.
Start synchronization after add account on the group.
It’s now possible to ask the machine to register in Azure AD. This can be done through a GPO, SCCM or manually.
From the Group Policy Manager console, create a new GPO and configure the Register domain joined computer as devices setting.
The parameter must have the value Enabled, it’s present in Computer Configuration > Policies > Administrative Templates > Windows Components > Device Registration
You need use ADMX for Windows 10