Automatic hybrid Azure AD join for Windows 10 devices





Azure Active Directory (Azure AD) provides device management when Windows devices are registered with Azure AD. Azure AD can then verify that devices meet the organization's standards for security and compliance. Devices joined to an on-premises Active Directory domain can also be joined to Azure AD by configuring hybrid Azure AD join. In this cool solution, you will learn how to configure hybrid Azure AD join so that Windows devices automatically register with Azure AD.


Why is this useful?


This solution helps on-premises devices register automatically with Azure Active Directory. Once registered, conditional access can check whether a device is eligible to access enterprise resources.




Prepare Azure AD for automatic device registration

    1. Follow the Microsoft documentation below to create a service connection point.
       - Tutorial: Configure hybrid Azure Active Directory joined devices manually
       - Custom installation of Azure AD Connect (at the User Sign-in screen, select the checkbox “Enable single sign-on”)

    2. DNS configuration (complete the enterpriseregistration CNAME record): Create DNS records for Office 365 using Windows-based DNS.

    3. To manage devices using the Azure portal and set the option “Users may register their devices with Azure AD” to “All”, follow the Microsoft documentation: How to manage devices using the Azure portal.

NAM Configuration steps:

    1. Follow the Kerberos contract creation steps in the NetIQ Access Manager documentation.
       Sample configuration for the Kerberos class:

       [Screenshot: Kerberos class configuration]

    2. Create an additional SPN as shown below.

       [Screenshot: SPN in AD]

    3. Create a Kerberos contract and make sure Kerberos authentication is working.

    4. Extract the engineering patch zip file (contents: nidp-wstrust-iwa.jar, mex2.jsp).

    5. Copy nidp-wstrust-iwa.jar to /opt/novell/nam/idp/webapps/nidp/WEB-INF/lib.

    6. Edit mex2.jsp: find host/ and change it to match your domain.

    7. Copy mex2.jsp to /opt/novell/nam/idp/webapps/nidp/jsp.

    8. Modify web.xml at /opt/novell/nam/idp/webapps/nidp/WEB-INF/web.xml.

       8.1 Add mex2.jsp to the allowed list of JSPs in the NIDP JSP filter:

           <display-name>NIDP Jsp Filter</display-name>
           <description>The NIDP server JSP filter. Enforces authentication and
           handles clustering.</description>

       8.2 Add a servlet mapping for mex2.jsp as the mex endpoint.

       8.3 Comment out the existing mapping for mex.

    9. Restart the IDP.

    10. Test the new mex endpoint at https://<<IDP>>/wstrust/sts/mex; the URL should return the mex (metadata exchange) output.

    11. Log in to the NAM admin console and add these global parameters.

        DEVICE_DOMAIN_JOIN_CONTRACT_ID = Kerberos contract ID

        [Screenshot: Kerberos contract]

        DEVICE_DOMAIN_JOIN_SEARCH_USER_STORE = AD user store where devices register, and CN=computers,DC=<<domain>>,DC=<<domain>>

        For example: cn=computers,DC=cloudtest,DC=info for the domain.

        Screenshot of the parameters configured:

        [Screenshot: global parameters]

    12. Update the configuration.

    Note: if there are multiple IDPs in a cluster, repeat steps 4-9 above on each IDP.



Control the hybrid Azure AD join of your devices

Create a group policy that controls which devices can join Azure AD automatically. Follow the Microsoft documentation.

When all the above steps are completed, domain-joined devices will automatically register with Azure Active Directory (AD). The automatic registration to Azure AD completes when the device restarts.

Screenshot of the device registration command output, “dsregcmd /debug”:

[Screenshot: dsregcmd /debug output]

Screenshot of the Azure portal for registered devices:

[Screenshot: Azure portal device list]

Log in to the Microsoft Azure portal and navigate to Azure Active Directory > Devices.

Using PowerShell commands to query devices

    1. Open the Microsoft Azure Active Directory Module for Windows PowerShell.

    2. Connect to your Azure Active Directory tenant using the command “Connect-MsolService”.

    3. Enter the Azure AD administrator credentials.

    4. Execute the following command:

       “Get-MsolDevice -All”

[Screenshot: PowerShell device list]


Additional Information


The following additional options are available with the dsregcmd command:
“dsregcmd /status” -> shows the device registration status
“dsregcmd /leave” -> deregisters the device


SSO to Microsoft Azure Applications


    1. When a device is automatically registered to Azure AD, the following things happen:

       1. The device sends a Kerberos token to NAM via the WS-Trust protocol.

       2. The device generates a certificate signing request (CSR) to Azure DRS and receives a signed certificate for that device.

       3. The device generates a second certificate to use with the Primary Refresh Token (PRT), using the user's credentials.

    2. The PRT is used for SSO when users access Azure AD applications.
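As an added example (not part of the original article), the following PowerShell script parses the output of “dsregcmd /status” (see Additional Information) and reports whether a device completed hybrid Azure AD join and holds the PRT needed for the SSO described above. The field names AzureAdJoined, DomainJoined, DeviceId, TenantName and AzureAdPrt are standard dsregcmd output fields; the sample text below is constructed with placeholder values.

```powershell
# Added example, not from the original article: parse "dsregcmd /status" output
# and report whether the device completed hybrid Azure AD join and holds a PRT.
function ConvertFrom-DsregcmdStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints "Key : Value" pairs; section banners (+---, | ... |) have no key
        if ($line -match '^\s*([A-Za-z0-9_-]+)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-HybridJoin {
    param([Parameter(Mandatory)][hashtable]$State)
    [pscustomobject]@{
        # Hybrid join = on-premises domain joined AND registered with Azure AD
        HybridJoined = ($State['DomainJoined'] -eq 'YES') -and ($State['AzureAdJoined'] -eq 'YES')
        DeviceId     = $State['DeviceId']
        TenantName   = $State['TenantName']
        # A PRT must be present for SSO to Azure AD applications
        PrtPresent   = ($State['AzureAdPrt'] -eq 'YES')
    }
}

# Constructed, abbreviated sample of dsregcmd /status output (placeholder values)
$sample = @'
+---------------------------+
| Device State              |
+---------------------------+
             AzureAdJoined : YES
              DomainJoined : YES
+---------------------------+
| Device Details            |
+---------------------------+
                  DeviceId : 00000000-0000-0000-0000-000000000000
                TenantName : cloudtest
+---------------------------+
| SSO State                 |
+---------------------------+
                AzureAdPrt : YES
'@ -split "`r?`n"

# Replace $sample with live output: $lines = dsregcmd /status
$result = Test-HybridJoin -State (ConvertFrom-DsregcmdStatus -Lines $sample)
$result | Format-List
if (-not $result.HybridJoined) { Write-Warning 'Device has not completed hybrid Azure AD join' }
if (-not $result.PrtPresent)   { Write-Warning 'No PRT: SSO to Azure AD applications will not work' }
```

Run it on a registered device by feeding the live output of dsregcmd /status to ConvertFrom-DsregcmdStatus instead of the constructed sample.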




Please share your comments!!
