Created: 10-21-21

Updated: 10-21-21


This task honestly took me months and months to stumble upon by accident. Lots of the reading material about Intune teaches you how to set up Compliance policies, device configuration policies, GPO-like policies, how to tie Compliance policies into Conditional Access policies, and enrollment via Azure AD MDM/MAM, but what is harder to find is how to set up On-Premise AD Hybrid mode for those that are connected to Azure in a Hybrid setup.

I know Azure and O365 are great, and yes, you can run everything from Azure AD, but I’d reckon that more than 50% of companies run hybrid AD setups (hybrid being a Windows Server Domain Controller with Azure AD Connect syncing with Azure AD). What a lot of people don’t do is set up the Hybrid AD option. What people typically do is use on-premise AD as the change maker and then replicate the changes to Azure AD, and never set up the Hybrid portion that allows Windows 10 desktops to automatically join Azure AD (which in turn injects them into Intune so the Windows 10 devices can be managed there), something I plan to explain in this article.

A few things I’m assuming:

  1. You have an on-premise Active Directory domain and domain controllers
  2. You have an active Azure tenant
  3. You have a pre-existing Azure AD Connect linking your on-premise AD to Azure AD with Device Writeback enabled (Note: you need a Windows Server 2012 R2 or higher domain for this to be supported)
  4. You have a pre-existing user account that is an Enterprise Administrator for use with the SCP Configuration

With this being said, let's get started!

  1. Confirm you have an MDM authority of Intune selected; you do this by following these steps:
    1. Click on the Endpoint Manager in your O365 Admin portal
    2. Navigate to Devices
    3. Click on Devices | Overview
    4. Glance to the right, and look to make sure your MDM authority is Intune
    5. If your MDM authority is None, then click on MDM Authority and select Intune
    6. Let these settings propagate and then move on to the next step!
  2. Open up your pre-existing Azure AD Connect
    1. Click on “Configure”
    2. Click on “Configure device options”
    3. Connect to your Azure AD via your Azure AD Connection sync account
    4. Make sure you select the bubble for “Configure Hybrid AD Join”
    5. Select the checkbox for “Windows 10 or later domain-joined devices”; you can select the other one, but if you're still running an O/S before Windows 10, you, kind sir, are playing with security hell.
    6. On SCP Configuration select your domain’s .local suffix by clicking the checkbox; for authentication service select Azure Active Directory from the drop down and press the green Add button on the right. This will prompt you for an On-Premise AD account with Enterprise Administrator permissions.
    7. Press Next and Configure; this will create the SCP (Service Connection Point) in Active Directory
  3. Create a Group Policy Object in your On-Premise Domain Controller in Group Policy Management for Hybrid Azure AD Join
    1. Open up Group Policy Management
    2. Right click on the root of your local forest and click “Create a GPO in this domain, and link it here”
    3. Name it “Azure AD Hybrid Join”, then press OK
    4. Right click on the GPO and press Edit
    5. Expand Computer Configuration > Policies > Administrative Templates > Windows Components > Device Registration > Click on “Register domain joined computer as devices” and press Edit
    6. Select “Enabled” and then press apply and ok.
    7. Scroll down to the MDM folder and click on “Enable automatic MDM enrollment using default Azure AD Credentials” and then press Edit
    8. Select “Enabled” and use the Credential Type of “User Credential” then press apply and ok
    9. Close Group Policy Editor
    10. Now wait about 90 minutes for the GPO to propagate. Pro Tip: if you create this GPO in an OU linked to desktops you could force the GPO Update from within GPOM, but you can’t do this from the root of the forest; I know it's lame!
    11. Note: if you don’t see the above GPO options in your GPOM, you’ll need to grab the latest Windows 10 admx template, here is one from May 2021: here
      1. Install the .MSI of the admx templates on your domain controller
      2. You’ll find the .admx and .adml in this location: “C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2021 Update (21H1)\PolicyDefinitions”
      3. Copy the MDM .admx file and your language folder (for example en-us) and paste them into the %system%\sysvol\domain.com\Policies\PolicyDefinitions folder on one of your domain controller(s).
      4. Open up a command prompt and type “repadmin /syncall” to force the replication of the sysvol folder to all other domain controllers quickly instead of waiting for it to happen on its own.
      5. This folder may not exist, so you can just create the folder exactly as it's shown above.
      6. Assuming you did Step 3, and if not, do it, then find the MDM.adml file from the language folder and replace that file in the %system%\sysvol\domain.com\Policies\PolicyDefinitions folder.
      7. Close and re-open your GPOM and these settings should appear
    12. After waiting for a “good Azure evening” for this to replicate and sync you can check your Windows 10 devices to ensure they are indeed now Azure AD Joined:
      1. On one of your Windows 10 desktops open up command prompt
      2. Type “dsregcmd /status”
      3. Look for the detail labeled “AzureADJoined” under Device State; it should appear as “YES”. If not, you haven’t waited long enough. If it doesn’t appear after a solid day, check to make sure you did every step above exactly as written!
    13. Assuming it says “YES” in Step 12 above, if you navigate to your Azure tenant, click on Azure AD and then click on Devices, your expected Windows 10 devices should appear! 😀
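If you have more than a handful of desktops, reading dsregcmd output by hand gets old fast. The PowerShell below is an added example (not code from the original post): it parses `dsregcmd /status` into the fields that matter for steps 12 and 13, reads back the two registry values the GPO from step 3 is expected to set, and (from a box with the ActiveDirectory RSAT module) reads the SCP that Azure AD Connect wrote in step 2. The dsregcmd key names, the registry paths and value names, and the well-known SCP container GUID are assumptions based on standard Windows and Azure AD Connect behaviour, not something taken from this article.

```powershell
# Added verification script (not part of the original article).
# Assumptions: dsregcmd.exe exists on the workstation (Windows 10 1607+);
# the GPO settings from step 3 write to the registry paths below;
# Get-AzureAdScp is run where the ActiveDirectory module is installed.

function Get-DsregStatus {
    # Turn the "Key : Value" lines of dsregcmd /status into a hashtable.
    $table = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.+?)\s*$') {
            $table[$Matches[1]] = $Matches[2]
        }
    }
    return $table
}

function Test-HybridJoinStatus {
    # Summarise the fields step 12 tells you to look for, plus the ones
    # that show MDM enrollment and SSO actually happened afterwards.
    $s = Get-DsregStatus
    $result = [pscustomobject]@{
        DomainJoined  = $s['DomainJoined']    # expected: YES (on-prem AD)
        AzureAdJoined = $s['AzureAdJoined']   # expected: YES once hybrid join completed
        TenantName    = $s['TenantName']      # your Azure AD tenant
        MdmUrl        = $s['MdmUrl']          # populated after auto MDM enrollment
        AzureAdPrt    = $s['AzureAdPrt']      # YES only after an Azure AD user logon
    }
    if ($result.DomainJoined -eq 'YES' -and $result.AzureAdJoined -eq 'YES') {
        Write-Host 'Hybrid Azure AD Join: OK'
    } else {
        Write-Warning 'Not hybrid joined yet: GPO propagation or the SCP lookup may still be pending.'
    }
    return $result
}

function Test-AutoEnrollPolicy {
    # Registry values the two GPO settings in step 3 are assumed to write.
    $wpj = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
    $mdm = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    [pscustomobject]@{
        # "Register domain joined computers as devices" -> 1
        AutoWorkplaceJoin    = (Get-ItemProperty -Path $wpj -Name autoWorkplaceJoin -ErrorAction SilentlyContinue).autoWorkplaceJoin
        # "Enable automatic MDM enrollment using default Azure AD credentials" -> 1
        AutoEnrollMDM        = (Get-ItemProperty -Path $mdm -Name AutoEnrollMDM -ErrorAction SilentlyContinue).AutoEnrollMDM
        # Credential type: 1 = User Credential (what step 3.8 selects)
        UseAADCredentialType = (Get-ItemProperty -Path $mdm -Name UseAADCredentialType -ErrorAction SilentlyContinue).UseAADCredentialType
    }
}

function Get-AzureAdScp {
    # Read the SCP created by Azure AD Connect in step 2.7. The container
    # GUID is the well-known one Azure AD Connect uses (assumption).
    Import-Module ActiveDirectory
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $scpDn = "CN=62a0ff2e-97b9-4ad1-a36a-b8c4e3dd0c3d,CN=Device Registration Configuration,CN=Services,$configNC"
    $scp = Get-ADObject -Identity $scpDn -Properties keywords
    # keywords should contain 'azureADName:<tenant domain>' and 'azureADId:<tenant id>'
    return $scp.keywords
}

# Run the workstation-side checks.
Test-HybridJoinStatus
Test-AutoEnrollPolicy
```

Run the first two functions from an elevated prompt on a Windows 10 desktop; a `DomainJoined = YES` with `AzureAdJoined = NO` and the registry values already set usually just means the GPO applied but the device hasn't completed registration yet, which matches the waiting advice in step 12. Run `Get-AzureAdScp` from a domain controller or admin workstation; if the `keywords` attribute comes back empty, step 2 did not complete and the clients have nothing to discover the tenant from.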

This is all that is needed to make your Windows 10 devices become Azure AD Joined, even though they are joined to on-premise Active Directory. This is a needed step if you want to manage on-premise AD joined desktops in Intune. I hope this article helps people, as it took me a long time to find out how to do this; in the end, after learning about Intune, it was something I only learned towards the end. Once I did, however, everything fell into place. After that Intune worked as expected and as explained via multiple learning sources like msdocs.

My hope is this helps people cut through the red tape and streamline their use of Intune in Office 365.

Cheers! 😀