Exploring Hybrid Azure AD Join with a Provisioning Package

In testing a provisioning package deployment, I found out that you can apply the PPKG to a domain-joined device so that it effectively becomes Hybrid Azure AD Joined. Although I’m not exactly sure if the process is actually useful, it is certainly interesting, so I thought I’d write out this blog post. I’d also consider this not really supportable, since provisioning packages for Azure Active Directory Join are meant to be used during OOBE, not on a domain-joined device.

Let’s start by looking at the device itself, and running dsregcmd /status to verify that it is Domain Joined:

dsregcmd /status

If we scroll further down, we can see that it fails the AD Connectivity Test, so it’s not completing the Hybrid Join process:

dsregcmd /status checking AD Connectivity

And in Azure AD we can verify that it is pending a Hybrid Join, but hasn’t completed it:

AAD Portal showing Pending Hybrid Join

Great! So let’s create a provisioning package, using Windows Configuration Designer (which you can download from the Microsoft Store app):

Windows Configuration Designer app

Once that’s downloaded, we’ll create a new project:

The most important step will be going to Account Management, selecting Enroll in Azure AD, and getting a Bulk Token:

Bulk Token

Once you have a bulk token, select Finish and then click Switch to advanced editor in the bottom left. We need to switch to the advanced editor to remove any extra settings other than the bulk token.

Select Switch to advanced editor

Here I’ll delete the DNSComputerName:

And then the HideOobe setting:

Once we only see Authority and BPRT under Azure, we’re ready to export the package:

Export package

Then we just need to copy the RunTime Provisioning Package (.ppkg) file in the exported directory to our device:

Exported directory for PPKGs
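Before copying the package anywhere, it is worth confirming that the advanced-editor cleanup actually left only the bulk token behind. The script below is an added example and not code from the original post or from Windows Configuration Designer: it reads the customizations.xml that WCD writes alongside the exported .ppkg (that location, and the sample project contents, are assumptions) and reports anything under the runtime settings other than Accounts/Azure/Authority and Accounts/Azure/BPRT. It also embeds a constructed "before cleanup" variant with a DevDetail/DNSComputerName setting so you can see a finding being raised. Keep in mind that the BPRT value is a credential: anyone holding the exported .ppkg can join devices to the tenant until the token expires, so the export folder deserves the same handling as any other secret.

```powershell
# Added example (not from the post or from WCD): verify that an exported
# customizations.xml carries nothing but the Azure bulk token settings.

function Test-BulkTokenOnlyPackage {
    param([Parameter(Mandatory)][xml]$Customizations)

    $ns      = @{ p = 'urn:schemas-microsoft-com:windows-provisioning' }
    $allowed = @('Authority', 'BPRT')
    $findings = [System.Collections.Generic.List[string]]::new()

    # The Azure node is where the "Enroll in Azure AD" wizard puts the token.
    $azure = Select-Xml -Xml $Customizations -Namespace $ns `
        -XPath '//p:Customizations/p:Common/p:Accounts/p:Azure' |
        Select-Object -ExpandProperty Node

    if (-not $azure) {
        $findings.Add('No Accounts/Azure node: this package will not join Azure AD.')
    } else {
        foreach ($name in $allowed) {
            if (-not $azure.$name) { $findings.Add("Azure/$name is missing.") }
        }
        foreach ($child in $azure.ChildNodes) {
            if ($child.LocalName -notin $allowed) {
                $findings.Add("Unexpected setting under Azure: $($child.LocalName)")
            }
        }
    }

    # Any leaf element outside Accounts/Azure is an extra runtime setting
    # (the post removes DNSComputerName and HideOobe by hand in the editor).
    Select-Xml -Xml $Customizations -Namespace $ns `
        -XPath '//p:Customizations//*[not(*)][not(ancestor::p:Azure)]' |
        ForEach-Object { $findings.Add("Extra runtime setting: $($_.Node.LocalName)") }

    [pscustomobject]@{
        BulkTokenOnly = ($findings.Count -eq 0)
        Findings      = $findings
    }
}

# CONSTRUCTED sample of a trimmed project. The package ID and the BPRT value
# are placeholders, not a real token.
[xml]$clean = @'
<WindowsCustomizations>
  <PackageConfig xmlns="urn:schemas-Microsoft-com:Windows-ICD-Package-Config.v1.0">
    <ID>{00000000-0000-0000-0000-000000000000}</ID>
    <Name>HybridJoinTest</Name>
    <Version>1.0</Version>
    <OwnerType>OEM</OwnerType>
    <Rank>0</Rank>
  </PackageConfig>
  <Settings xmlns="urn:schemas-microsoft-com:windows-provisioning">
    <Customizations>
      <Common>
        <Accounts>
          <Azure>
            <Authority>https://login.microsoftonline.com/common</Authority>
            <BPRT>PLACEHOLDER-BULK-TOKEN</BPRT>
          </Azure>
        </Accounts>
      </Common>
    </Customizations>
  </Settings>
</WindowsCustomizations>
'@

'--- after cleanup (expected: BulkTokenOnly = True)'
Test-BulkTokenOnlyPackage -Customizations $clean | Format-List

# CONSTRUCTED "before cleanup" variant: add back a DevDetail/DNSComputerName
# setting so the extra-setting check has something to report.
[xml]$dirty = $clean.OuterXml
$provNs   = 'urn:schemas-microsoft-com:windows-provisioning'
$devDetail = $dirty.CreateElement('DevDetail', $provNs)
$dnsName   = $dirty.CreateElement('DNSComputerName', $provNs)
$dnsName.InnerText = 'DESKTOP-%RAND:5%'
$devDetail.AppendChild($dnsName) | Out-Null
$dirty.WindowsCustomizations.Settings.Customizations.Common.AppendChild($devDetail) | Out-Null

'--- before cleanup (expected: one finding for DNSComputerName)'
Test-BulkTokenOnlyPackage -Customizations $dirty | Format-List

# Against a real export (path is an assumption):
# Test-BulkTokenOnlyPackage -Customizations ([xml](Get-Content -Raw 'C:\PPKG\HybridJoinTest\customizations.xml'))
```

The leaf-element check is deliberately generic rather than a fixed list of setting names, so it also catches settings the wizard may add in other WCD versions; treat every finding as something to remove or consciously keep before you export.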

Once the PPKG is on the device, double click it to kick off the process:

Apply PPKG

Unfortunately PPKGs don’t really report any progress, but you can check under Settings > Accounts > Access work or school > Add or remove a provisioning package to see if it applied:

PPKG status

And we should also now see under Access work or school the ability to check Info and sync with Intune:

Access work or school pane
Sync with Intune

So what happens if we run dsregcmd /status again?

dsregcmd /status

Exactly as we’d expect – it’s reporting as Hybrid Azure AD Joined! We know that because, according to the Docs, showing both AzureAdJoined and DomainJoined qualifies the device as Hybrid Azure AD Joined:

Docs page for Hybrid Azure AD Join troubleshooting
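That table is easy to apply by eye to one device, but when you are checking a batch it helps to have the rule in code. The script below is an added example, not code from the original post: it parses the `Key : Value` rows of `dsregcmd /status` into a hashtable, applies the AzureAdJoined/DomainJoined rule, and pulls out the DeviceId and the AD Connectivity Test result so the client's verdict can be checked against the directory. The sample output is constructed to mirror the post-PPKG state described above (the field names are the ones dsregcmd prints; the values and the DeviceId GUID are placeholders).

```powershell
# Added example (not from the post): classify join state from dsregcmd /status.

function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    # Data rows look like "<padding>Key : Value". Banner rows ("+----", "| Device State")
    # contain '+' or '|' and never match. Values may contain ':' (timestamps),
    # so only the first " : " separates key from value.
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(?<key>[^:|+]+?)\s+:\s*(?<value>.*?)\s*$') {
            $state[$Matches['key']] = $Matches['value']
        }
    }
    return $state
}

function Get-JoinType {
    param([Parameter(Mandatory)][hashtable]$State)
    $aad    = $State['AzureAdJoined']    -eq 'YES'
    $domain = $State['DomainJoined']     -eq 'YES'
    $ent    = $State['EnterpriseJoined'] -eq 'YES'
    if ($ent)              { return 'On-premises DRS joined' }
    if ($aad -and $domain) { return 'Hybrid Azure AD joined' }   # the rule the post quotes
    if ($aad)              { return 'Azure AD joined' }
    if ($domain)           { return 'Domain joined only' }
    return 'Not joined'
}

function Get-JoinReport {
    param([Parameter(Mandatory)][string[]]$Lines)
    $state = ConvertFrom-DsregStatus -Lines $Lines
    [pscustomobject]@{
        JoinType           = Get-JoinType -State $state
        DomainName         = $state['DomainName']
        # DeviceId is the value to search for in the Azure AD devices blade to
        # see whether the directory agrees with what the client reports.
        DeviceId           = $state['DeviceId']
        AdConnectivityTest = $state['AD Connectivity Test']
        # A client that says Hybrid but cannot reach a DC cannot complete the
        # sync-join, which is exactly the state the post ends up in.
        NeedsReconciling   = ($state['AzureAdJoined'] -eq 'YES' -and
                              $state['DomainJoined']  -eq 'YES' -and
                              $state['AD Connectivity Test'] -ne 'PASS')
    }
}

# CONSTRUCTED sample mirroring the post-PPKG state from the post.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO

+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+

                  DeviceId : 11111111-2222-3333-4444-555555555555

+----------------------------------------------------------------------+
| Diagnostic Data                                                      |
+----------------------------------------------------------------------+

     Diagnostics Reference : www.microsoft.com/aadjerrors
               Client Time : 2021-01-01 12:00:00.000 UTC
      AD Connectivity Test : FAIL
'@ -split '\r?\n'

Get-JoinReport -Lines $sample | Format-List

# On a real device, feed it the live output instead:
# Get-JoinReport -Lines (dsregcmd /status) | Format-List
```

The `NeedsReconciling` flag is the practical takeaway of this post: a local "Hybrid Azure AD joined" verdict is only the client's view, and the directory record (looked up by DeviceId) is what tells you whether the join really completed.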

But… if we check Azure AD, we see that the Hybrid Azure AD Join record is actually still pending – and there’s now a new record for the Azure AD Joined device:

Azure AD Joined device

If we look at the device in Intune it does show up, but with no primary users since we used the provisioning package:

Hybrid Azure AD Joined device in Intune post PPKG

So what gives? Michael Niehaus has written about Hybrid Azure AD Join a ton – and he describes the process more as Azure AD registering a domain-joined device than as Azure AD joining it (great blog post here). One of the key points he makes is that you can’t log in to a Hybrid AADJ device with your Azure AD credentials: the device is really just domain joined, so sign-in still has to check in with a Domain Controller.

If we try to log in with the Azure AD creds of a test user…

…we see that we can’t, because we don’t have line of sight to the domain controller (that’s why it was failing the AD Connectivity check earlier).

So it at least acts like it’s Hybrid Joined, but if Azure Active Directory isn’t reporting it as such, what is it really? Because we forced the client to finish the Hybrid Join via PPKG (instead of AAD Connect syncing it up), does Azure AD refuse to recognize it as Hybrid joined?

I don’t have the answers to those questions yet, so please comment your thoughts below! Until then, happy exploring! 🕵️‍♂️

2 Responses

  1. Lallanna says:

    Hi, did you ever get an answer to this? I am dealing with a situation of how to bulk enroll kiosk devices that are joined to local AD, and basically I have two options. Use the Enroll into MDM only option in Settings and log in with a DEM account (but that actually creates yet another object in AAD and it’s not fully manageable, IME does not install), or do this HAAD join with a DEM account that will enroll the device into Intune and shows up in AAD as AD joined… Neither option seems to be a good one..

    • Janusz says:

      Never really found an answer – the device stayed as AADJ in the portal and never updated the pending hybrid record. Unfortunately I think the best route forward for your kiosk devices is planning a migration to AADJ+MDM only. Otherwise the DEM+HAADJ puts you in an unsupported state, at least according to this Docs article.
