How to hybrid join a device
Content on WhatAnswers is provided "as is" for informational purposes. While we strive for accuracy, we make no guarantees. Content is AI-assisted and should not be used as professional advice.
Last updated: April 4, 2026
Key Facts
- Hybrid Azure AD Join allows devices to be managed by both on-premises Active Directory and Azure AD.
- It enables single sign-on (SSO) to cloud applications and resources.
- Requires a hybrid identity infrastructure, typically involving Azure AD Connect.
- Devices must be domain-joined to an on-premises Active Directory.
- Supports Windows 10, Windows 11, and Windows Server 2016 or later.
What is Hybrid Azure AD Join?
Hybrid Azure AD Join is a device identity state in which a computer that is joined to your on-premises Active Directory (AD) domain is also registered with Azure Active Directory (Azure AD, since renamed Microsoft Entra ID; Microsoft now calls the feature Microsoft Entra hybrid join, and this page keeps the older names). The device keeps its domain membership, and with it Group Policy, Kerberos and your existing management tooling, while also getting a device object in the cloud tenant. Unlike Azure AD Join, where the device is joined directly to Azure AD and has no on-premises domain at all, Hybrid Azure AD Join preserves the relationship with the domain. The cloud device identity is what lets Conditional Access treat the machine as a known device and lets signed-in users obtain a Primary Refresh Token (PRT) for SSO to cloud applications. This approach is particularly valuable for organizations that are migrating to the cloud or that need to keep a hybrid identity environment for the foreseeable future.
Why Use Hybrid Azure AD Join?
The primary benefits of implementing Hybrid Azure AD Join revolve around enhanced security, streamlined user experience, and flexible management. By joining devices to Azure AD in a hybrid model, you can:
- Enable Single Sign-On (SSO): Users can sign in once with their on-premises credentials and gain seamless access to both on-premises and cloud-based applications and resources, such as Microsoft 365.
- Improve Security Posture: Leverage Azure AD security features like Conditional Access policies, Multi-Factor Authentication (MFA), and Identity Protection for devices that are still managed on-premises.
- Facilitate Cloud Migration: It provides a stepping stone for organizations moving towards a cloud-first strategy, allowing them to gradually integrate cloud management without immediately disconnecting from their on-premises infrastructure.
- Consistent Device Management: Administrators can manage devices using both Group Policy Objects (GPOs) and cloud-based Mobile Device Management (MDM) solutions like Microsoft Intune, offering a comprehensive management framework.
- Support for Existing Infrastructure: Organizations with significant investments in on-premises AD infrastructure can adopt cloud services without a complete overhaul of their existing systems.
Prerequisites for Hybrid Azure AD Join
Before you can implement Hybrid Azure AD Join, several prerequisites must be met to ensure a smooth and successful deployment. These include:
- Azure AD Tenant: You need an active Azure AD tenant.
- Azure AD Connect (now Microsoft Entra Connect): This tool synchronizes your on-premises AD objects (users, groups, and the computer objects of the devices you want to join) with Azure AD, and its wizard is also where hybrid join is configured. Run a supported, current version. Device writeback is not required for hybrid join; it is a separate feature used for scenarios such as device authentication against AD FS, so enable it only if one of those scenarios applies.
- Supported Operating System: The devices you intend to hybrid join must be running a compatible version of Windows: Windows 10 (version 1607 or later), Windows 11, or Windows Server 2016 or later. Older 'downlevel' clients (Windows 7, 8.1 and the matching server releases) used a separate Workplace Join client package and a different registration flow; that path is legacy and should not be the basis of a new deployment.
- Domain-Joined Devices: The devices must already be joined to your on-premises Active Directory domain.
- Network Connectivity: Devices need to be able to connect to your on-premises domain controllers and specific Azure AD endpoints over the internet. This typically involves ensuring that firewalls are configured to allow access to required URLs and IP addresses.
- Service Connection Point (SCP): Windows 10 and later devices discover which tenant to register with by reading an SCP object in the configuration partition of your AD forest (or, for a targeted rollout, an equivalent pointer in the client's registry). The SCP carries the tenant's verified domain name and tenant ID; Azure AD Connect normally creates it for you. Because every domain member that can read the SCP will attempt to register with the tenant it names, the SCP must point at your tenant and only trusted administrators should be able to modify it.
How to Configure Hybrid Azure AD Join
The configuration process involves several steps, primarily managed through Azure AD Connect and potentially Group Policy or device configuration profiles.
- Configure Azure AD Connect: Install Azure AD Connect on a domain-joined server, run the wizard, choose 'Configure device options' and then 'Configure Hybrid Azure AD join'. The computer objects of the devices you want to join must be inside the sync scope (check the OU filtering on the AD connector); a device whose computer object is not synchronized never shows as fully joined in Azure AD.
- Select Device Operating Systems: In the same wizard, select 'Windows 10 or later domain-joined devices' and, only if you still have legacy clients, 'Supported Windows downlevel domain-joined devices'. Do not confuse this with 'Azure AD registered', which is a different join type used for personal or BYOD devices and is not what hybrid join produces.
- Configure Service Connection Point (SCP): When you provide Enterprise Admin credentials for a forest, the wizard creates the SCP there. Where you cannot grant that (multiple forests, or a locked-down configuration partition), create it manually under CN=Device Registration Configuration,CN=Services,CN=Configuration in the forest, with keywords azureADName:<verified domain> and azureADId:<tenant ID>. Afterwards, read the object back and confirm both values belong to your tenant.
- Configure Group Policy (for a controlled rollout or for downlevel devices): On Windows 10/11, registration is automatic once the device can read the SCP. For a pilot, point individual machines at the tenant through the registry instead of creating a forest-wide SCP, and use the 'BlockAADWorkplaceJoin' policy value to keep machines that should not register (for example servers outside the project's scope) from doing so. For downlevel devices, deploy the Workplace Join package and enable 'Automatically workplace join client computers' under Windows Components > Workplace Join.
- Device Registration: After the device next starts and a user signs in, the 'Automatic-Device-Join' scheduled task (under Microsoft\Windows\Workplace Join) contacts the device registration service and registers the machine; no user action is needed. The join shows as complete in Azure AD once the computer object has also been synchronized by Azure AD Connect. A device listed with a 'Pending' registration state has been synchronized but has not yet registered.
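The following PowerShell is an added example for the procedure above; it is not code from the original page or from Microsoft. It reads the SCP back from the forest and compares it against the tenant you expect, and provides helpers for a targeted rollout (per-client tenant pointer) and for blocking registration on machines that are out of scope. It assumes the RSAT ActiveDirectory module is available, that the reading account can see the configuration partition, and that the helper functions are run elevated on the client they target. The tenant name and ID are placeholders.

```powershell
# Added example: verify the hybrid join SCP and manage a targeted rollout.
# Assumptions: RSAT ActiveDirectory module present; placeholders below replaced
# with your own verified domain and tenant ID.
#Requires -Modules ActiveDirectory

$ExpectedTenantName = 'contoso.com'                             # placeholder: a verified domain of your tenant
$ExpectedTenantId   = '00000000-0000-0000-0000-000000000000'   # placeholder: your tenant ID

# The SCP lives at a fixed, well-known GUID inside the configuration partition.
$configNC = (Get-ADRootDSE).configurationNamingContext
$ScpDn = "CN=62a0ff2e-97b9-4088-9036-b3b6f1bf0b37,CN=Device Registration Configuration,CN=Services,$configNC"

function Get-HybridJoinScp {
    param([string]$DistinguishedName)
    # keywords holds 'azureADName:<domain>' and 'azureADId:<tenant guid>'.
    $obj = Get-ADObject -Identity $DistinguishedName -Properties keywords -ErrorAction Stop
    $result = @{}
    foreach ($kw in $obj.keywords) {
        $name, $value = $kw -split ':', 2      # split on the first colon only
        $result[$name] = $value
    }
    return $result
}

function Test-HybridJoinScp {
    param([hashtable]$Scp, [string]$TenantName, [string]$TenantId)
    # Returns $true only when both values match the tenant you control.
    return ($Scp['azureADName'] -eq $TenantName) -and ($Scp['azureADId'] -eq $TenantId)
}

function Set-HybridJoinPilotTarget {
    param([string]$TenantName, [string]$TenantId)
    # Per-client pointer consulted instead of the forest SCP; lets you pilot on a
    # handful of machines without exposing every domain member to auto-registration.
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD'
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name TenantId   -Value $TenantId   -Type String
    Set-ItemProperty -Path $path -Name TenantName -Value $TenantName -Type String
}

function Block-HybridJoin {
    # Policy value that stops the device from registering even if it can read the SCP.
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name BlockAADWorkplaceJoin -Value 1 -Type DWord
}

# Read the SCP and report whether it points at the expected tenant.
try {
    $scp = Get-HybridJoinScp -DistinguishedName $ScpDn
    "SCP azureADName : $($scp['azureADName'])"
    "SCP azureADId   : $($scp['azureADId'])"
    if (Test-HybridJoinScp -Scp $scp -TenantName $ExpectedTenantName -TenantId $ExpectedTenantId) {
        'SCP matches the expected tenant.'
    } else {
        Write-Warning 'SCP names a different tenant; every domain member would register there. Fix before rollout.'
    }
} catch {
    Write-Warning "No SCP at $ScpDn ($($_.Exception.Message)); use Set-HybridJoinPilotTarget on pilot clients or let Azure AD Connect create it."
}

# On a pilot client (elevated), uncomment one of the following as appropriate:
# Set-HybridJoinPilotTarget -TenantName $ExpectedTenantName -TenantId $ExpectedTenantId
# Block-HybridJoin
```

Check who has write access to the SCP object and its container as part of this step: an attacker who can rewrite the keywords can redirect every new registration to a tenant they control, so the object deserves the same scrutiny as other high-value configuration-partition objects.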
Verifying Hybrid Azure AD Join
After the configuration is complete, it's essential to verify that your devices have successfully joined your Azure AD tenant in a hybrid manner.
- Check Device Status in Azure AD: Sign in to the Azure portal (or the Microsoft Entra admin center), open Azure Active Directory > Devices, and confirm your devices are listed with join type 'Hybrid Azure AD joined' (shown as 'Microsoft Entra hybrid joined' in the renamed portal). A device whose registration state shows 'Pending' has been synchronized by Azure AD Connect but has not yet registered from the client side.
- Check Device Status Locally: On a hybrid-joined Windows device, open a Command Prompt as the signed-in user (not elevated, so the SSO section reflects that user) and run dsregcmd /status. Under 'Device State', 'AzureAdJoined' and 'DomainJoined' should both be 'YES' and 'EnterpriseJoined' should be 'NO' (YES there means an on-premises AD FS device registration, not Azure AD). Under 'Tenant Details', 'TenantName' and 'TenantId' should identify your tenant. Under 'SSO State', 'AzureAdPrt : YES' shows the current user obtained a Primary Refresh Token, which is what cloud SSO depends on.
- Test SSO: Have a user sign in to the device with their on-premises credentials and open a cloud application (e.g., portal.office.com). If they are signed in automatically without being prompted for credentials, SSO is working.
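The check above is easy to do by eye on one machine and tedious across a fleet. The PowerShell below is an added example (not from the original page) that parses the output of dsregcmd /status into a table and evaluates the fields that prove a hybrid join. It embeds a constructed sample of the command's output so it runs on any machine; set $UseLiveOutput to $true to read the real command on a device under test. The tenant name, tenant ID and device ID in the sample are placeholders.

```powershell
# Added example: parse `dsregcmd /status` and judge the hybrid join state.
# The sample output below is constructed; the field names match what dsregcmd prints.
$UseLiveOutput = $false

$SampleStatus = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO

+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+

                  DeviceId : 11111111-2222-3333-4444-555555555555

+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+

                TenantName : contoso.com
                  TenantId : 00000000-0000-0000-0000-000000000000

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : YES
'@

function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    # Data lines look like "<Name> : <Value>". Match the name up to the first colon only,
    # because values such as URLs contain colons. Box-drawing and blank lines are skipped.
    $status = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $status[$matches[1]] = $matches[2]
        }
    }
    return $status
}

function Test-HybridJoin {
    param([hashtable]$Status, [string]$ExpectedTenantName)
    # Returns an array of problems; an empty array means the device is hybrid joined
    # to the expected tenant and the current user holds a PRT.
    $problems = @()
    if ($Status['DomainJoined']     -ne 'YES') { $problems += 'not domain joined' }
    if ($Status['AzureAdJoined']    -ne 'YES') { $problems += 'not Azure AD joined (registration has not completed)' }
    if ($Status['EnterpriseJoined'] -eq 'YES') { $problems += 'EnterpriseJoined=YES: registered with on-premises AD FS DRS, not Azure AD' }
    if ($Status['TenantName'] -ne $ExpectedTenantName) {
        $problems += "registered to tenant '$($Status['TenantName'])', expected '$ExpectedTenantName'"
    }
    if ($Status['AzureAdPrt'] -ne 'YES') { $problems += 'no Primary Refresh Token for this user; cloud SSO will prompt' }
    return $problems
}

$lines    = if ($UseLiveOutput) { dsregcmd /status } else { $SampleStatus -split "`r?`n" }
$status   = ConvertFrom-DsregStatus -Lines $lines
$problems = Test-HybridJoin -Status $status -ExpectedTenantName 'contoso.com'   # placeholder tenant

if ($problems.Count -eq 0) {
    "Hybrid join OK: device $($status['DeviceId']) in tenant $($status['TenantName'])"
} else {
    'Hybrid join problems:'
    $problems | ForEach-Object { " - $_" }
}
```

The tenant comparison matters as much as the YES/NO fields: a device that reports AzureAdJoined : YES but a TenantName you do not own has registered somewhere else, which is exactly the failure a misconfigured or tampered SCP produces.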
Troubleshooting Common Issues
While the process is designed to be automated, issues can arise. Common troubleshooting steps include:
- Azure AD Connect Sync Errors: Ensure Azure AD Connect is running and synchronizing successfully. In the Synchronization Service Manager, check recent runs for errors on computer objects, and confirm the devices' OU is actually inside the sync scope; a device whose computer object never reaches Azure AD stays 'Pending'.
- SCP Configuration: Verify that the SCP is correctly configured in Active Directory and points to the right Azure AD tenant.
- Network Connectivity: Confirm that devices can reach the necessary Azure AD endpoints. Use network diagnostic tools to check for blocked ports or URLs.
- Device Registration Service (DRS) Issues: If you used Group Policy or the registry for a targeted rollout, confirm the values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD (TenantId, TenantName) are what you intended and that HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin does not carry BlockAADWorkplaceJoin=1 on machines that should register. Registration failures are logged in the 'Microsoft-Windows-User Device Registration/Admin' event log, and the registration itself is driven by the 'Automatic-Device-Join' scheduled task, so check that the task is enabled and has run.
- Firewall and Proxy Settings: Registration runs in the system context, not the user's, so a proxy that is only configured for users does not help. Make sure the WinHTTP proxy (or an authenticated proxy that permits the machine account) allows the device registration endpoints, and that firewalls are not blocking them.
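As an added example for the troubleshooting steps above (not from the original page), the PowerShell below does a first-pass triage on a device that has not registered: it tests TCP/443 reachability to the registration endpoints, reports the state of the Automatic-Device-Join task, shows the current WinHTTP proxy, and pulls recent errors from the device registration event log. It assumes Windows 10/11 or Server 2016+ with the built-in NetTCPIP and ScheduledTasks modules and an elevated session.

```powershell
# Added example: triage a device that fails to hybrid join. Run elevated.

# Endpoints the registration client must reach (TCP/443).
$Endpoints = @(
    'enterpriseregistration.windows.net',   # device registration service
    'login.microsoftonline.com',            # authentication
    'device.login.microsoftonline.com'      # device authentication
)

function Test-HybridJoinEndpoints {
    param([string[]]$Hosts)
    foreach ($h in $Hosts) {
        $r = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
        [pscustomobject]@{
            Host          = $h
            Tcp443        = $r.TcpTestSucceeded
            RemoteAddress = $r.RemoteAddress
        }
    }
}

function Get-HybridJoinTaskState {
    # Registration is driven by this task, triggered at user sign-in.
    Get-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' -TaskName 'Automatic-Device-Join' |
        Select-Object TaskName, State
}

function Get-HybridJoinErrors {
    param([int]$Max = 50)
    # The registration client logs here; error events carry the code to search for.
    Get-WinEvent -LogName 'Microsoft-Windows-User Device Registration/Admin' -MaxEvents $Max -ErrorAction SilentlyContinue |
        Where-Object { $_.LevelDisplayName -in 'Error', 'Warning' } |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

function Get-HybridJoinClientConfig {
    # Per-client tenant pointer and block policy, if present.
    [pscustomobject]@{
        PilotTenantName       = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD' -ErrorAction SilentlyContinue).TenantName
        PilotTenantId         = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD' -ErrorAction SilentlyContinue).TenantId
        BlockAADWorkplaceJoin = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin' -ErrorAction SilentlyContinue).BlockAADWorkplaceJoin
    }
}

'--- Endpoint reachability (direct TCP/443; a proxy-only network will show failures here) ---'
Test-HybridJoinEndpoints -Hosts $Endpoints | Format-Table -AutoSize
'--- WinHTTP proxy used by the SYSTEM context ---'
netsh winhttp show proxy
'--- Automatic-Device-Join task ---'
Get-HybridJoinTaskState | Format-Table -AutoSize
'--- Client-side tenant pointer / block policy ---'
Get-HybridJoinClientConfig | Format-List
'--- Recent registration errors ---'
Get-HybridJoinErrors | Format-List
```

Test-NetConnection opens a direct socket and ignores any proxy, so on a network where outbound traffic must go through a proxy the endpoint test will fail even when registration would succeed; in that case the WinHTTP proxy output and the event log entries are the useful signals.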
By following these steps and understanding the prerequisites, organizations can effectively implement Hybrid Azure AD Join to enhance their device management and security capabilities in a hybrid cloud environment.