This method is suitable for hybrid organizations with existing on-premises AD infrastructure. It is also a requirement for other solutions such as Co-Management and passwordless sign-in.

Start the AD Connect Configuration Wizard. Select Configure device options.

Select Configure Hybrid Azure AD join.

Choose Windows 10 or later if you only have that. All down-level Windows versions require an extra client to be installed. My recommendation is to upgrade to Windows 10 on all possible devices.

This configuration supports multi-forest mode. Just select the domain that you will configure and Add with domain admin credentials. In some cases the azureADName will be set to something other than the real domain. That can be changed afterwards; I cover that below.

Configure the service.

  1. Launch the ADSI Edit desktop application from an administrative workstation or a domain controller as an Enterprise Administrator.
  2. Connect to the Configuration Naming Context of your domain.
  3. Browse to CN=Configuration,DC=contoso,DC=com > CN=Services > CN=Device Registration Configuration
  4. Right-click the leaf object under CN=Device Registration Configuration and select Properties
    1. Select keywords from the Attribute Editor window and click Edit
    2. Select the values of azureADId and azureADName (one at a time) and click Remove. Edit the value if needed and Add it again.
  5. Close ADSI Edit

It is also possible to view the settings with PowerShell.

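    $scp = New-Object System.DirectoryServices.DirectoryEntry;
    # Bind to the service connection point (SCP) object under Device Registration Configuration
    $scp.Path = "LDAP://CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=fabrikam,DC=com";
    # Output the keywords attribute, which holds the azureADId and azureADName values
    $scp.Keywords;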

Before you start, or if you need to move the client to another tenant, it is possible to configure this on the local computer instead. Read more at this link.

The next step is to synchronize the computer object in AD Connect. Update the OU filter to include all computers. Run “Start-ADSyncCycle -PolicyType Initial” on the AD Connect server to force a full synchronization.

Once the server-side configuration is done you need to sign in to the computer. The first sign-in requires that the AD Connect sync has run successfully. You need to wait up to 30 min until the next sync before the Azure AD hybrid join works successfully. To verify the sign-in you can use dsregcmd /status. In the first picture you will see that AzureAdJoined is set to NO, which means that the connection is not in place yet.

At the second sign-in you will see that AzureAdJoined is set to YES, and the device is configured with Azure AD Hybrid Join. The next step is to verify the SSO state.

After two AD Connect syncs we see that SSO is still not working.

After the third sync and sign-in we see that we get a Primary Refresh Token (PRT), which gets SSO to work against Office 365.
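
The sign-in checks above can be scripted instead of read by eye. The following is an added example, not part of the original post: the function name Get-HybridJoinState and the sample lines are constructed, and the DomainJoined and AzureAdPrt fields are read from dsregcmd /status output alongside the AzureAdJoined field mentioned above.

```powershell
# Added example: classify hybrid join progress from `dsregcmd /status` text.
function Get-HybridJoinState {
    param(
        # Lines of dsregcmd output; defaults to running the tool on this device.
        [string[]]$StatusText = (dsregcmd /status)
    )

    # Collect "Name : Value" pairs; banner and separator lines do not match.
    $fields = @{}
    foreach ($line in $StatusText) {
        if ($line -match '^\s*(\w+)\s*:\s*(.*\S)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    # A missing field compares as $false, so truncated output reads as "not ready".
    $domainJoined = $fields['DomainJoined'] -eq 'YES'
    $aadJoined    = $fields['AzureAdJoined'] -eq 'YES'
    $hasPrt       = $fields['AzureAdPrt'] -eq 'YES'

    $state = if (-not $domainJoined) {
        'Not domain joined: hybrid join cannot start'
    } elseif (-not $aadJoined) {
        'Not hybrid joined yet: wait for the next AD Connect sync, then sign in again'
    } elseif (-not $hasPrt) {
        'Hybrid joined, no PRT yet: SSO not working'
    } else {
        'Hybrid joined with PRT: SSO ready'
    }

    [pscustomobject]@{
        DomainJoined  = $domainJoined
        AzureAdJoined = $aadJoined
        AzureAdPrt    = $hasPrt
        State         = $state
    }
}

# Constructed sample: the state after the second sign-in described above.
$sample = @(
    '             AzureAdJoined : YES'
    '              DomainJoined : YES'
    '                AzureAdPrt : NO'
)
Get-HybridJoinState -StatusText $sample | Format-List
```

Call Get-HybridJoinState without arguments on a client to evaluate the live dsregcmd /status output.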