Entra-Id-Connect-(Aad-Connect) on Ru Campbell MVP

Troubleshooting Hybrid Azure AD Intune Automatic Enrollment

Mon, 19 Apr 2021 20:02:44 +0000

As I have blogged about a lot, there are a bunch of hoops to be jumped through and prerequisites to be met for a successful hybrid Azure AD join and automatic, GPO-invoked Intune enrollment. But sometimes, you have to go back to the basics when you’re banging your head off the table, and laugh off the embarrassment of not checking the fundamentals.

I was recently setting up hybrid Azure AD join and Intune enrollment, as I’ve done hundreds of times before, but this time I was hitting a strange problem. Hybrid Azure AD join went fine, but for the Intune MDM enrollment, I was getting nowhere. Devices showed in the Azure AD admin centre, but never showed an MDM, and therefore never showed in Endpoint Manager.

Understanding Modern vs. Legacy Authentication in Microsoft 365

Sun, 24 Jan 2021 13:46:35 +0000

Since October 2019, Microsoft has enabled Security Defaults by default in new Microsoft 365 tenants. Security Defaults are a group of best-practice security settings, and one of note is the disablement of all legacy authentication, which itself has been off in Exchange Online and SharePoint Online, by default, since August 2017.

The term legacy authentication doesn’t refer to one particular protocol, but rather any that do not support Multi-Factor Authentication (MFA). Protocols that support MFA are described as modern authentication. In the context of Microsoft 365 and Azure Active Directory, which handles Microsoft 365’s authentication, these are protocols such as ADAL and OAuth.

Hybrid Azure AD Join + Intune Enrollment - Prerequisites Checklist and Process Flow

Mon, 25 May 2020 17:22:04 +0000

I’m a simple person, and sometimes it just helps to have a checklist to refer to when you’re troubleshooting rather than navigating the sparse pages of docs.microsoft.com. In this blog, I explain the prerequisites for the Hybrid Azure AD Join (HAADJ) + automatic (GPO controlled) Intune MDM enrollment scenario and the process from start to end, as simply and concisely as I can (not easy!) There are no screenshots and it’s not a click-by-click: this is a quick reference for when you’re pulling your hair out wondering what could be stopping you.

Register Domain-Joined Computers as Devices - The Redundant and Broken Hybrid Azure AD Join GPO

Tue, 19 May 2020 19:11:46 +0000

The group policy object Register domain-joined computers as devices, or Automatically workplace join client computers in older templates, was previously a requirement for enabling Hybrid Azure AD Join. After configuring Azure AD Connect and your Seamless SSO GPOs, this had to be enabled.

Since Windows 10 1607 (“Anniversary Update”), in Azure AD Connect environments, on-premises Active Directory joined computers become Azure Active Directory registered when a synchronised user signs in to a synchronised computer; regardless of the GPO existing. Prior to this, on Windows 10 1511 (“November Update”) and before, only if this GPO, or other configuration to create this registry value, was used.