|
1 | 1 | ---
|
2 |
| -title: Control the hybrid Azure AD join of your devices | Microsoft Docs |
3 |
| -description: Learn how to control the hybrid Azure AD join of your devices in Azure Active Directory. |
4 |
| -services: active-directory |
5 |
| -documentationcenter: '' |
6 |
| -author: MicrosoftGuyJFlo |
7 |
| -manager: daveba |
8 |
| -editor: '' |
| 2 | +title: Controlled validation of hybrid Azure AD join - Azure AD |
| 3 | +description: Learn how to do a controlled validation of hybrid Azure AD join before enabling it across the entire organization all at once |
9 | 4 |
|
10 |
| -ms.assetid: 54e1b01b-03ee-4c46-bcf0-e01affc0419d |
| 5 | +services: active-directory |
11 | 6 | ms.service: active-directory
|
12 | 7 | ms.subservice: devices
|
13 |
| -ms.workload: identity |
14 |
| -ms.tgt_pltfrm: na |
15 |
| -ms.devlang: na |
16 | 8 | ms.topic: article
|
17 |
| -ms.date: 07/31/2018 |
| 9 | + |
| 10 | +ms.date: 05/30/2019 |
18 | 11 | ms.author: joflore
|
| 12 | +author: MicrosoftGuyJFlo |
| 13 | +manager: daveba |
19 | 14 | ms.reviewer: sandeo
|
20 | 15 |
|
21 | 16 | ms.collection: M365-identity-device-management
|
22 | 17 | ---
|
23 |
| -# Control the hybrid Azure AD join of your devices |
24 |
| - |
25 |
| -Hybrid Azure Active Directory (Azure AD) join is a process to automatically register your on-premises domain-joined devices with Azure AD. There are cases where you don't want all your devices to be registered automatically. This is true, for example, during the initial rollout to verify that everything works as expected. |
26 |
| - |
27 |
| -This article provides guidance on how you can control hybrid Azure AD join of your devices. |
| 18 | +# Controlled validation of hybrid Azure AD join |
28 | 19 |
|
| 20 | +When all of the pre-requisites are in place, Windows devices will automatically register as devices in your Azure AD tenant. The state of these device identities in Azure AD is referred as hybrid Azure AD join. More information about the concepts covered in this article can be found in the articles [Introduction to device management in Azure Active Directory](overview.md) and [Plan your hybrid Azure Active Directory join implementation](hybrid-azuread-join-plan.md). |
29 | 21 |
|
30 |
| -## Prerequisites |
| 22 | +Organizations may want to do a controlled validation of hybrid Azure AD join before enabling it across their entire organization all at once. This article will explain how to accomplish a controlled validation of hybrid Azure AD join. |
31 | 23 |
|
32 |
| -This article assumes that you're familiar with: |
33 |
| - |
34 |
| -- [Introduction to device management in Azure Active Directory](../device-management-introduction.md) |
35 |
| - |
36 |
| -- [Plan your hybrid Azure Active Directory join implementation](hybrid-azuread-join-plan.md) |
37 |
| - |
38 |
| -- [Configure hybrid Azure Active Directory join for managed domains](hybrid-azuread-join-managed-domains.md) or [Configure hybrid Azure Active Directory join for federated domains](hybrid-azuread-join-federated-domains.md) |
39 |
| - |
40 |
| - |
41 |
| - |
42 |
| -## Control Windows current devices |
| 24 | +## Controlled validation of hybrid Azure AD join on Windows current devices |
43 | 25 |
|
44 | 26 | For devices running the Windows desktop operating system, the supported version is the Windows 10 Anniversary Update (version 1607) or later. As a best practice, upgrade to the latest version of Windows 10.
|
45 | 27 |
|
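Review bot: "The state of these device identities in Azure AD is referred as hybrid Azure AD join" drops a word and should read "is referred to as hybrid Azure AD join". The next paragraph, "before enabling it across their entire organization all at once", says the same thing twice; "across the entire organization at once" is enough, and the same doubled phrase appears in the new front-matter description.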
46 |
| -All Windows current devices automatically register with Azure AD at device start or user sign-in. You can control this behavior by using either a Group Policy Object (GPO) or System Center Configuration Manager. |
47 |
| - |
48 |
| -To control Windows current devices, you need to: |
49 |
| - |
50 |
| - |
51 |
| -1. **To all devices**: Disable automatic device registration. |
52 |
| -2. **To selected devices**: Enable automatic device registration. |
53 |
| - |
54 |
| -After you verify that everything works as expected, you're ready to enable automatic device registration for all devices again. |
| 28 | +To do a controlled validation of hybrid Azure AD join on Windows current devices, you need to: |
55 | 29 |
|
| 30 | +1. Clear the Service Connection Point (SCP) entry from Active Directory (AD) if it exists |
| 31 | +1. Configure client-side registry setting for SCP on your domain-joined computers using a Group Policy Object (GPO) |
| 32 | +1. If you are using AD FS, you must also: |
| 33 | + 1. Configure the client-side registry setting for SCP on you’re an AD FS server using a GPO |
| 34 | + 1. Uncheck “Automatically remove unused devices” under Services > Device Registration > Properties |
56 | 35 |
|
| 36 | +> [!NOTE] |
| 37 | +> Ensure default configuration remains unchanged for “Register domain-joined computers as devices” GPO set to “Not Configured” and “Automatically register new Windows 10 domain joined devices with Azure Active Directory” set to “Yes” when using Configuration Manager. |
57 | 38 |
|
58 |
| -### Group Policy Object |
| 39 | +After you verify that everything works as expected, you can automatically register the rest of your Windows current devices with Azure AD by [configuring SCP using Azure AD Connect](hybrid-azuread-join-managed-domains.md#configure-hybrid-azure-ad-join). |
59 | 40 |
|
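Review bot: the NOTE after the step list is ambiguous as written. "Ensure default configuration remains unchanged for "Register domain-joined computers as devices" GPO set to "Not Configured" and "Automatically register new Windows 10 domain joined devices with Azure Active Directory" set to "Yes" when using Configuration Manager" reads as if both settings only matter when Configuration Manager is in use. Split it into two sentences: leave the GPO at Not Configured on every device; if you also use Configuration Manager, leave its client setting at Yes. Separately, the sub-step "Configure the client-side registry setting for SCP on you're an AD FS server using a GPO" should read "on your AD FS servers using a GPO".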
60 |
| -You can control the device registration behavior of your devices by deploying the following GPO: **Register domain-joined computers as devices**. |
| 41 | +### Clear the SCP from AD |
61 | 42 |
|
62 |
| -To set the GPO: |
| 43 | +Use the Active Directory Services Interfaces Editor (ADSI Edit) to modify the SCP objects in AD. |
63 | 44 |
|
64 |
| -1. Open **Server Manager**, and then go to **Tools** > **Group Policy Management**. |
| 45 | +1. Launch the **ADSI Edit** desktop application from and administrative workstation or a domain controller as an Enterprise Administrator. |
| 46 | +1. Connect to the **Configuration Naming Context** of your domain. |
| 47 | +1. Browse to **CN=Configuration,DC=contoso,DC=com** > **CN=Services** > **CN=Device Registration Configuration** |
| 48 | +1. Right click on the leaf object under **CN=Device Registration Configuration** and select **Properties** |
| 49 | + 1. Select **keywords** from the **Attribute Editor** window and click **Edit** |
| 50 | + 1. Select the values of **azureADId** and **azureADName** (one at a time) and click **Remove** |
| 51 | +1. Close **ADSI Edit** |
65 | 52 |
|
66 |
| -2. Go to the domain node that corresponds to the domain where you want to disable or enable the auto-registration. |
| 53 | +> [!NOTE] |
| 54 | +> If a SCP is not configured in AD, then you should follow the same approach as described to [Configure client-side registry setting for SCP](#configure-client-side-registry-setting-for-scp)) on your domain-joined computers using a Group Policy Object (GPO). |
67 | 55 |
|
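Review bot: "Launch the ADSI Edit desktop application from and administrative workstation" should read "from an administrative workstation", "Connect to the Configuration Naming Context of your domain" should say "of your forest" (the Configuration partition is forest-wide, which is also why the step requires an Enterprise Administrator), and the NOTE's link "[Configure client-side registry setting for SCP](#configure-client-side-registry-setting-for-scp))" has a doubled closing parenthesis that renders as a stray ")". The NOTE otherwise only restates step 2 of the list above, which applies whether or not an SCP exists; reword it to say that with no SCP there is nothing to clear and the reader goes straight to the GPO. One check worth adding after removing the azureADId and azureADName values: confirm on a pilot computer that it no longer registers automatically before linking the GPO, since the article itself states that devices register automatically whenever the prerequisites are in place.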
68 |
| -3. Right-click **Group Policy Objects**, and then select **New**. |
| 56 | +### Configure client-side registry setting for SCP |
69 | 57 |
|
70 |
| -4. Enter a name (for example, **Hybrid Azure AD join**) for your Group Policy Object. |
| 58 | +Use the following example to create a Group Policy Object (GPO) to deploy a registry setting configuring an SCP entry in the registry of your devices. |
71 | 59 |
|
72 |
| -5. Select **OK**. |
| 60 | +1. Open a Group Policy Management console and create a new Group Policy Object in your domain. |
| 61 | + 1. Provide your newly created GPO a name (for example, ClientSideSCP). |
| 62 | +1. Edit the GPO and locate the following path: **Computer Configuration** > **Preferences** > **Windows Settings** > **Registry** |
| 63 | +1. Right-click on the Registry and select **New** > **Registry Item** |
| 64 | + 1. On the **General** tab, configure the following |
| 65 | + 1. Action: **Update** |
| 66 | + 1. Hive: **HKEY_LOCAL_MACHINE** |
| 67 | + 1. Key Path: **SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD** |
| 68 | + 1. Value name: **TenantId** |
| 69 | + 1. Value type: **REG_SZ** |
| 70 | + 1. Value data: The GUID or **Directory ID** of your Azure AD instance (This value can be found in the **Azure portal** > **Azure Active Directory** > **Properties** > **Directory ID**) |
| 71 | + 1. Click **OK** |
| 72 | +1. Right-click on the Registry and select **New** > **Registry Item** |
| 73 | + 1. On the **General** tab, configure the following |
| 74 | + 1. Action: **Update** |
| 75 | + 1. Hive: **HKEY_LOCAL_MACHINE** |
| 76 | + 1. Key Path: **SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD** |
| 77 | + 1. Value name: **TenantName** |
| 78 | + 1. Value type: **REG_SZ** |
| 79 | + 1. Value data: Your verified **domain name** in Azure AD (for example, `contoso.onmicrosoft.com` or any other verified domain name in your directory) |
| 80 | + 1. Click **OK** |
| 81 | +1. Close the editor for the newly created GPO |
| 82 | +1. Link the newly created GPO to the desired OU containing domain-joined computers that belong to your controlled rollout population |
73 | 83 |
|
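Review bot: "Value data: The GUID or Directory ID of your Azure AD instance" offers one value as two choices; the Directory ID is that GUID, so write "the Directory ID (a GUID) of your Azure AD tenant". The procedure also ends at "Link the newly created GPO to the desired OU" with no verification step; a sentence telling the reader to run gpupdate on a pilot computer and confirm that HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD now holds the TenantId and TenantName values would let them check the pilot scope before any device registers.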
74 |
| -6. Right-click your new GPO, and then select **Edit**. |
| 84 | +### Configure AD FS settings |
75 | 85 |
|
76 |
| -7. Go to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Device Registration**. |
| 86 | +If you are using AD FS, you first need to configure client-side SCP using the instructions mentioned above but linking the GPO to your AD FS servers. This configuration is needed for AD FS to establish the source for device identities as Azure AD. |
77 | 87 |
|
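Review bot: the step list above promises two AD FS actions, but "Configure AD FS settings" covers only the first (linking the client-side SCP GPO to the AD FS servers). The second, "Uncheck "Automatically remove unused devices" under Services > Device Registration > Properties", is never expanded: say which console that path belongs to (AD FS Management?) and why the setting matters while only a subset of devices is registered. Also, "linking the GPO to your AD FS servers" should say linking to the OU that contains the AD FS servers (or a separate GPO linked there), since the GPO section above is written for an OU of pilot workstations and GPOs link to OUs, domains and sites rather than to individual servers.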
78 |
| -8. Right-click **Register domain-joined computers as devices**, and then select **Edit**. |
| 88 | +## Controlled validation of hybrid Azure AD join on Windows down-level devices |
79 | 89 |
|
80 |
| - > [!NOTE] |
81 |
| - > This Group Policy template has been renamed from earlier versions of the Group Policy Management console. If you're using an earlier version of the console, go to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Device Registration** > **Register domain joined computer as device**. |
| 90 | +To register Windows down-level devices, organizations must install [Microsoft Workplace Join for non-Windows 10 computers](https://www.microsoft.com/download/details.aspx?id=53554) available on the Microsoft Download Center. |
82 | 91 |
|
83 |
| -9. Select one of the following settings, and then select **Apply**: |
| 92 | +You can deploy the package by using a software distribution system like [System Center Configuration Manager](https://www.microsoft.com/cloud-platform/system-center-configuration-manager). The package supports the standard silent installation options with the quiet parameter. The current branch of Configuration Manager offers benefits over earlier versions, like the ability to track completed registrations. |
84 | 93 |
|
85 |
| - - **Disabled**: To prevent automatic device registration. |
86 |
| - - **Enabled**: To enable automatic device registration. |
| 94 | +The installer creates a scheduled task on the system that runs in the user context. The task is triggered when the user signs in to Windows. The task silently joins the device with Azure AD with the user credentials after authenticating with Azure AD. |
87 | 95 |
|
88 |
| -10. Select **OK**. |
| 96 | +To control the device registration, you should deploy the Windows Installer package to your selected group of Windows down-level devices. |
89 | 97 |
|
90 |
| -You need to link the GPO to a location of your choice. For example, to set this policy for all domain-joined current devices in your organization, link the GPO to the domain. To do a controlled deployment, set this policy to domain-joined Windows current devices that belong to an organizational unit or a security group. |
91 |
| - |
92 |
| -### Configuration Manager controlled deployment |
93 |
| - |
94 |
| -You can control the device registration behavior of your current devices by configuring the following client setting: **Automatically register new Windows 10 domain joined devices with Azure Active Directory**. |
95 |
| - |
96 |
| -To configure the client setting: |
97 |
| - |
98 |
| -1. Open **Configuration Manager**, select **Administration**, and then go to **Client Settings**. |
99 |
| - |
100 |
| -2. Open the properties for **Default Client Settings** and select **Cloud Services**. |
101 |
| - |
102 |
| -3. Under **Device Settings**, select one of the following settings for **Automatically register new Windows 10 domain joined devices with Azure Active Directory**: |
103 |
| - |
104 |
| - - **No**: To prevent automatic device registration. |
105 |
| - - **Yes**: To enable automatic device registration. |
106 |
| - |
107 |
| -4. Select **OK**. |
108 |
| - |
109 |
| -You need to link this client setting to a location of your choice. For example, to configure this client setting for all Windows current devices in your organization, link the client setting to the domain. To do a controlled deployment, you can configure the client setting to domain-joined Windows current devices that belong to an organizational unit or a security group. |
110 |
| - |
111 |
| -> [!Important] |
112 |
| -> Although the preceding configuration takes care of existing domain-joined Windows 10 devices, devices that are newly joining the domain might still try to complete the hybrid Azure AD join because of the potential delay in the application of Group Policy or Configuration Manager settings on the devices. |
113 |
| -> |
114 |
| -> To avoid this, we recommend that you create a new Sysprep image (used as an example for a provisioning method). Create it from a device that was never previously hybrid Azure AD joined and that already has the Group Policy setting or Configuration Manager client setting applied. You must also use the new image for provisioning new computers that join your organization's domain. |
115 |
| -
|
116 |
| -## Control Windows down-level devices |
117 |
| - |
118 |
| -To register Windows down-level devices, you need to download and install the Windows Installer package (.msi) from Download Center on the [Microsoft Workplace Join for non-Windows 10 computers](https://www.microsoft.com/download/details.aspx?id=53554) page. |
119 |
| - |
120 |
| -You can deploy the package by using a software distribution system like [System Center Configuration Manager](https://www.microsoft.com/cloud-platform/system-center-configuration-manager). The package supports the standard silent installation options with the quiet parameter. The current branch of Configuration Manager offers benefits over earlier versions, like the ability to track completed registrations. |
121 |
| - |
122 |
| -The installer creates a scheduled task on the system that runs in the user’s context. The task is triggered when the user signs in to Windows. The task silently joins the device with Azure AD with the user credentials after authenticating with Azure AD. |
123 |
| - |
124 |
| -To control the device registration, you should deploy the Windows Installer package only to a selected group of Windows down-level devices. If you have verified that everything works as expected, you're ready to roll out the package to all down-level devices. |
| 98 | +> [!NOTE] |
| 99 | +> If SCP is not configured in AD, then you should follow the same approach as described above to configure the client-side registry setting for SCP on your domain-joined computers using a Group Policy Object (GPO). |
125 | 100 |
|
| 101 | +After you verify that everything works as expected, you can automatically register the rest of your Windows down-level devices with Azure AD by deploying the package to all down-level devices and [configuring SCP using Azure AD Connect](hybrid-azuread-join-managed-domains.md#configure-hybrid-azure-ad-join). |
126 | 102 |
|
127 | 103 | ## Next steps
|
128 | 104 |
|
129 |
| -* [Introduction to device management in Azure Active Directory](../device-management-introduction.md) |
130 |
| - |
131 |
| - |
132 |
| - |
| 105 | +[Plan your hybrid Azure Active Directory join implementation](hybrid-azuread-join-plan.md) |
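Review bot: the rewrite of the down-level section loses the word that carried its meaning. The removed text said to deploy the package "only to a selected group of Windows down-level devices"; the new sentence "you should deploy the Windows Installer package to your selected group of Windows down-level devices" no longer makes the restriction explicit, and the "If you have verified that everything works as expected" transition now sits after a NOTE that duplicates the earlier SCP NOTE almost verbatim (and again reads "If SCP is not configured" without an article). Restore "only", and either drop the duplicated NOTE or make it say what differs for down-level devices, namely whether the Workplace Join client honours the same CDJ\AAD registry values, because the GPO section only speaks of domain-joined computers in general. In "Next steps", the removed entry was a "* [...]" bullet while the added "[Plan your hybrid Azure Active Directory join implementation]" link is bare; keep the bullet.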