Deployment
Microsoft provides two methods for enabling HADDJ across your organization:
- Using the Azure AD Connect application which creates a Service Connection Point (SCP) in AD, informing devices to register with Azure AD.
- Deploying a GPO which manually creates the required registry entries to have the device register with Azure AD.
If testing the deployment process, I recommend using the GPO method. This allows you to easily selective choose which device gets enrolled. Once testing has been completed you can then decide if you’ll continue with the GPO method or configure Azure AD Connect to mass enroll all of your organizations devices.
Note that the Azure AD Connect method does not provide any GUI based method of disabling the Hybrid AD Join option once configured. If you wish to disable the option, you have to manually remove the SCP it creates (Instructions).
Deploying HAADJ
Please select which deployment method you prefer. Once deployed, devices will start automatically registering with Azure AD. This process may take a few minutes to a few hours.
Configuring via GPO
- Create a GPO and link it to the OU containing the devices (computer objects) you wish to have registered with Azure AD.
- Open the GPO and browse to
Computer >> Preferences >> Windows Settings >> Registry. - Create a Registry Entry with the following values. Enter your Tenant ID where indicated.
| Property | Value |
|---|---|
| Action | Update |
| Hive | HKEY_LOCAL_MACHINE |
| Key Path | SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD |
| Value Name | TenantId |
| Value Type | REG_SZ |
| Value Data | TENANT ID |
Create a second Registry Entry within the same GPO. Enter your Tenant Name where indicated.
| Property | Value |
|---|---|
| Action | Update |
| Hive | HKEY_LOCAL_MACHINE |
| Key Path | SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD |
| Value Name | TenantName |
| Value Type | REG_SZ |
| Value Data | TENANT NAME |
- Run
gpupdateon the affected devices or wait until group policy processing is performed automatically (approx. every 90 minutes).
Configuring via Azure AD Connect
To configure your devices to register with Azure AD via the Azure AD Connect application, please see Microsoft’s Docs.