Hybrid AD join verification

After a successful Autopilot enrollment with Hybrid Azure AD join, verify that the enrolled Windows endpoint is Hybrid Azure AD joined by checking the following:
Active Directory
Log in to Active Directory as an admin user, open Active Directory Users and Computers, navigate to Autopilot Domain Join, and verify that the enrolled computer name is listed under the specified organizational unit.

Azure AD
Log in to Azure AD as an admin user and verify that the Join Type of the device is "Hybrid Azure AD joined".

Note:
  • The domain-joined device is synchronized to the Azure AD portal only after a successful login using on-premises domain credentials.
  • Azure AD Connect synchronizes the on-premises object with Azure AD every 30 minutes.
  • Therefore, wait up to 30 minutes for the device to be listed in the Azure AD portal.
Windows endpoint
  • Ensure that a dual account (the domain account and the Azure AD account) is provisioned at the endpoint.
    Note: If the Azure Primary Refresh Token is not updated successfully, SSO is not established, and so the Azure AD account is not provisioned. As a workaround, the device user can manually sign in with Azure AD credentials to provision the account by clicking the MDM Sync option under the domain account. Perform this action only after the device is listed as 'Hybrid Azure AD joined' in the Azure AD portal.
  • Ensure that the on-premises MDM synchronization is successful.
  • Ensure that the device registration status shows "YES" for both AzureAdJoined and DomainJoined.
  • Under the SSO state section, the device registration status must show AzureAdPrt as "YES".
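The AzureAdJoined, DomainJoined and AzureAdPrt values above are fields of the output of the built-in Windows tool dsregcmd /status, which the page does not name. The following PowerShell script is an added example (not part of the original page or of any vendor tooling) that runs dsregcmd, parses its "Key : Value" lines, and reports whether all three fields read YES. The function and parameter names are the author's own choices; the -Lines parameter exists only so captured output can be checked offline.

```powershell
# Added example: check the Hybrid Azure AD join state reported by dsregcmd /status.
# dsregcmd is the built-in Windows tool that produces the AzureAdJoined,
# DomainJoined and AzureAdPrt fields discussed above (assumption: run on the
# endpoint itself, in a user session, so that the SSO state section is populated).

function Get-DsregStatus {
    param(
        # Output lines of dsregcmd /status; defaults to running the tool locally.
        [string[]]$Lines = (& dsregcmd /status)
    )
    $state = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints fields as "    AzureAdJoined : YES"; keys may contain spaces.
        if ($line -match '^\s*([\w ]+?)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-HybridJoinState {
    param([hashtable]$State)

    # The three fields the verification procedure requires to be YES.
    $required = 'AzureAdJoined', 'DomainJoined', 'AzureAdPrt'
    $problems = foreach ($key in $required) {
        if ($State[$key] -ne 'YES') {
            "{0} is '{1}' (expected YES)" -f $key, $State[$key]
        }
    }

    if ($problems) {
        # AzureAdPrt = NO is the case the note above describes: without a valid
        # Primary Refresh Token, SSO is not established and the Azure AD account
        # is not provisioned on the endpoint.
        Write-Warning ("Hybrid Azure AD join check failed:`n" + ($problems -join "`n"))
        return $false
    }
    Write-Host 'Device is Hybrid Azure AD joined and holds a valid Azure AD PRT.'
    return $true
}

$status = Get-DsregStatus
Test-HybridJoinState -State $status
```

Run the script in the signed-in user's session rather than as SYSTEM, because the SSO state section (and therefore AzureAdPrt) reflects the token of the interactive user. A device that shows AzureAdJoined and DomainJoined as YES but AzureAdPrt as NO has completed the join but not the user token refresh, which is the situation the workaround above addresses.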

For further reference on verifying that a Windows endpoint is dual joined, see https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-hybrid-join-verify.