How to Set Up Microsoft Entra (Azure AD) Hybrid Join on Windows Server 2025

Microsoft Entra Hybrid Join — formerly known as Hybrid Azure AD Join — registers your on-premises domain-joined Windows devices in both the local Active Directory and Microsoft Entra ID simultaneously. This dual registration is the foundation for modern identity features in a hybrid environment: Conditional Access policies can require that a device be hybrid-joined before granting access to Microsoft 365, users benefit from seamless single sign-on (SSO) to cloud resources without re-entering credentials, and Windows Hello for Business can be deployed across on-premises and cloud workloads from a single policy. On Windows Server 2025, the Service Connection Point (SCP) in Active Directory tells devices where to find the Entra registration endpoint, Azure AD Connect synchronises device objects to the cloud, and dsregcmd provides real-time diagnostics at every step. This tutorial walks through the complete hybrid join configuration from prerequisites to verification and Conditional Access.

Prerequisites

  • An on-premises Active Directory domain (e.g., contoso.com) with Windows Server 2025 DCs.
  • Microsoft Entra ID tenant (formerly Azure AD) with a verified custom domain matching the UPN suffix used in on-premises AD.
  • Azure AD Connect (version 2.x or later, now called Microsoft Entra Connect) installed and running directory synchronisation.
  • Device writeback enabled in Azure AD Connect (required for Hybrid Join).
  • Domain-joined Windows 10/11 or Windows Server 2025 client machines.
  • Outbound HTTPS (port 443) from domain-joined machines to Microsoft Entra endpoints (login.microsoftonline.com, device.login.microsoftonline.com, enterpriseregistration.windows.net).
  • Global Administrator credentials for your Entra tenant and Domain Admin credentials for on-premises AD.

Step 1: Verify Azure AD Connect Synchronisation

Hybrid Join requires Azure AD Connect to be synchronising computer objects and to have device writeback configured. Confirm the current sync status before making changes.

# On the Azure AD Connect server: check the scheduler and the most recent run results
Import-Module ADSync

# Scheduler state: sync enabled, next cycle type/time, whether a cycle is running, staging mode
Get-ADSyncScheduler | Select-Object SyncCycleEnabled, NextSyncCyclePolicyType, `
    NextSyncCycleStartTimeInUTC, SyncCycleInProgress, StagingModeEnabled

# Connectors configured on this server (expect one AD DS connector and one Azure AD connector)
Get-ADSyncConnector | Select-Object Name, Identifier

# Most recent run results per connector; look for a non-success result or step errors on the Azure AD connector
Get-ADSyncRunProfileResult -NumberRequested 5

# Trigger a delta sync if needed
Start-ADSyncSyncCycle -PolicyType Delta

Step 2: Enable Device Writeback in Azure AD Connect

Device writeback creates computer objects in your on-premises AD for Entra-joined devices, enabling on-premises resources (such as AD FS or RADIUS) to evaluate device compliance. Enable this feature in the Azure AD Connect wizard or via PowerShell.

# Check if device writeback is currently enabled
(Get-ADSyncAADCompanyFeature).DeviceWriteback

# To enable it, re-run the Azure AD Connect configuration wizard:
# Start-Process "C:\Program Files\Microsoft Azure Active Directory Connect\AzureADConnect.exe"
# Navigate to: Configure > Optional Features > Device Writeback > Enable

# Before enabling writeback, confirm from PowerShell that you are connected to the intended tenant.
# The commands below only verify the tenant; the wizard performs the actual enablement.
# (MSOnline is the legacy module; it has been retired in favour of Microsoft Graph PowerShell.)
Import-Module MSOnline
Connect-MsolService   # Authenticate as Global Admin

# Verify the tenant's default domain
Get-MsolDomain | Where-Object { $_.IsDefault } | Select-Object Name, Status

Step 3: Create the Service Connection Point (SCP) in Active Directory

The Service Connection Point is an object in the AD Configuration container that domain-joined devices query at startup to discover the Entra ID tenant for hybrid registration. Azure AD Connect can create this automatically, or you can create it manually with PowerShell — useful when AAD Connect runs under a least-privilege account.

# Option A: Configure SCP via Azure AD Connect during setup
# (In the wizard: Configure Device Options > Configure Hybrid Azure AD Join > SCP Configuration)

# Option B: Create SCP manually via PowerShell
# Run on a Domain Controller or machine with AD module

$tenantId   = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"  # Your Entra tenant ID
$tenantName = "contoso.onmicrosoft.com"

$configDN    = (Get-ADRootDSE).configurationNamingContext
$servicesDN  = "CN=Services,$configDN"
$regDN       = "CN=Device Registration Configuration,$servicesDN"

# Create the Device Registration Configuration container if it doesn't exist
# (Get-ADObject -Identity returns nothing, rather than throwing, when the object is absent)
if (-not (Get-ADObject -Identity $regDN -ErrorAction SilentlyContinue)) {
    New-ADObject -Name "Device Registration Configuration" `
        -Type container `
        -Path $servicesDN
}

# Create the SCP object. The GUID in its name is the well-known Device Registration SCP name
# that clients look for; do not change it.
$scpDN = "CN=62a0ff2e-97b9-4513-943f-0d221bd30080,$regDN"
if (-not (Get-ADObject -Identity $scpDN -ErrorAction SilentlyContinue)) {
    New-ADObject -Name "62a0ff2e-97b9-4513-943f-0d221bd30080" `
        -Type serviceConnectionPoint `
        -Path $regDN `
        -OtherAttributes @{
            # Two keyword values: tenant name and tenant ID, read by the client at join time
            "keywords"         = @("azureADName:$tenantName", "azureADId:$tenantId")
            "serviceClassName" = "Device Registration Service"
        }
}

Write-Host "SCP created. Tenant ID: $tenantId"

Step 4: Configure SCP via Registry GPO for Managed Domains

For managed (non-federated) domains, devices also look for Entra tenant information in the local registry. Deploying this via Group Policy ensures all domain-joined machines can discover the registration endpoint even before they read the AD SCP, which requires network connectivity to a DC.

# Create a GPO that sets the CDJ (Cloud Domain Join) registry keys
# Run on a DC or management server with GPMC and ActiveDirectory modules

Import-Module GroupPolicy

$gpoName = "Hybrid Azure AD Join - CDJ Registry"
$gpo = New-GPO -Name $gpoName -Comment "Sets SCP tenant info for Hybrid AAD Join"

# Link GPO to domain root (or a specific OU containing target computers)
New-GPLink -Name $gpoName -Target "DC=contoso,DC=com" -LinkEnabled Yes

# Add registry settings via Set-GPRegistryValue
# This is the path the device-registration client checks for tenant information on managed domains
$regPath = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD"

Set-GPRegistryValue -Name $gpoName -Key $regPath `
    -ValueName "TenantId" `
    -Type String `
    -Value "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

Set-GPRegistryValue -Name $gpoName -Key $regPath `
    -ValueName "TenantName" `
    -Type String `
    -Value "contoso.onmicrosoft.com"

Write-Host "GPO '$gpoName' created and linked. Force gpupdate on target machines."
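As an added check (not code from the original article), the following script confirms that the AD SCP from Step 3 and the GPO-deployed CDJ\AAD registry values from Step 4 both name the tenant you expect; it reads the SCP through ADSI so it runs on a domain-joined client without the AD module, and the expected tenant values at the bottom are placeholders.

```powershell
# Added example: verify that SCP (AD) and CDJ\AAD (registry) agree on the tenant.
function Get-ScpTenantInfo {
    try {
        $configDN = ([ADSI]'LDAP://RootDSE').configurationNamingContext
        $scp = [ADSI]"LDAP://CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,$configDN"
        $info = @{}
        foreach ($kw in @($scp.Properties['keywords'].Value)) {
            if ($kw -match '^azureAD(Name|Id):(.+)$') { $info[$Matches[1]] = $Matches[2] }
        }
        return $info   # keys: Name, Id (empty hashtable if the keywords are missing)
    } catch {
        Write-Warning "SCP not readable: $($_.Exception.Message)"
        return $null
    }
}

function Get-RegistryTenantInfo {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD'
    if (-not (Test-Path $key)) { return $null }   # GPO from Step 4 has not applied yet
    $v = Get-ItemProperty -Path $key
    return @{ Name = $v.TenantName; Id = $v.TenantId }
}

function Test-TenantConsistency {
    param(
        [Parameter(Mandatory)][string]$ExpectedTenantId,
        [Parameter(Mandatory)][string]$ExpectedTenantName
    )
    $ok = $true
    $sources = @(
        @{ Label = 'AD SCP';   Data = Get-ScpTenantInfo },
        @{ Label = 'Registry'; Data = Get-RegistryTenantInfo }
    )
    foreach ($src in $sources) {
        if ($null -eq $src.Data) { Write-Warning "$($src.Label): no tenant information found"; $ok = $false; continue }
        if ($src.Data.Id -ne $ExpectedTenantId) {
            Write-Warning "$($src.Label): TenantId '$($src.Data.Id)' does not match expected '$ExpectedTenantId'"; $ok = $false
        }
        if ($src.Data.Name -ne $ExpectedTenantName) {
            Write-Warning "$($src.Label): TenantName '$($src.Data.Name)' does not match expected '$ExpectedTenantName'"; $ok = $false
        }
    }
    return $ok
}

# Placeholder values: replace with your tenant ID (Entra portal > Overview) and tenant name
Test-TenantConsistency -ExpectedTenantId 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' -ExpectedTenantName 'contoso.onmicrosoft.com'
```

A mismatch between the two sources, or between either source and the expected values, is worth resolving before rolling out the GPO, since clients will register against whichever tenant they read.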

Step 5: Trigger and Verify Hybrid Join on a Client

After Group Policy applies and Azure AD Connect completes a sync cycle, domain-joined machines register automatically during the next scheduled task run (Task Scheduler > Microsoft > Windows > Workplace Join > Automatic-Device-Join). You can trigger this immediately for testing.

# Run on the domain-joined client machine (Windows 10/11 or Windows Server 2025)

# Force Group Policy refresh first
gpupdate /force

# Manually trigger the Automatic Device Join scheduled task (runs as SYSTEM)
schtasks /Run /TN "\Microsoft\Windows\Workplace Join\Automatic-Device-Join"

# Wait ~60 seconds, then check registration status
dsregcmd /status

# Key fields to verify in the output:
# AzureAdJoined    : YES
# DomainJoined     : YES
# EnterpriseJoined : NO   (should be NO for Hybrid Join — not Workplace Join)
# DeviceId         : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
# TenantName       : contoso.onmicrosoft.com

# Check the Primary Refresh Token (PRT), which is needed for SSO to cloud resources.
# Run dsregcmd /status as the signed-in user (not elevated as SYSTEM) so the SSO State
# section reflects that user's PRT. Under "SSO State":
# AzureAdPrt       : YES
# AzureAdPrtUpdateTime : recent timestamp
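The following script, added here and not part of the original article, parses the dsregcmd /status output into a hashtable and checks the fields listed above, so a help-desk or deployment script can report a pass/fail instead of reading the output by eye. It assumes dsregcmd.exe is on the path and is run as the signed-in user.

```powershell
# Added example: turn `dsregcmd /status` into a pass/fail Hybrid Join check.
function Get-DsregStatus {
    # Output lines look like "    AzureAdJoined : YES"; split on the first colon.
    # Values may themselves contain colons (timestamps), so the key match is non-greedy.
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z][\w\s-]*?)\s*:\s*(.*)$') {
            $status[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $status
}

function Test-HybridJoinState {
    param([hashtable]$Status = (Get-DsregStatus))

    # Expected values for a healthy Hybrid Join.
    # A Workplace Join (registered, not hybrid-joined) would show EnterpriseJoined : YES instead.
    $expected = [ordered]@{
        DomainJoined     = 'YES'
        AzureAdJoined    = 'YES'
        EnterpriseJoined = 'NO'
        AzureAdPrt       = 'YES'   # from the SSO State section: PRT present for this user
    }

    $ok = $true
    foreach ($key in $expected.Keys) {
        $actual = $Status[$key]
        if ($actual -ne $expected[$key]) {
            Write-Warning ("{0,-17}: got '{1}', expected '{2}'" -f $key, $actual, $expected[$key])
            $ok = $false
        }
    }

    # A DeviceId is only present once registration has completed
    if ($Status['DeviceId'] -match '^[0-9a-fA-F-]{36}$') {
        Write-Host "DeviceId   : $($Status['DeviceId'])"
    } else {
        Write-Warning 'DeviceId missing: the device has not completed registration yet'
        $ok = $false
    }
    if ($Status['TenantName']) { Write-Host "TenantName : $($Status['TenantName'])" }
    return $ok
}

if (Test-HybridJoinState) { Write-Host 'Hybrid Join healthy' }
else { Write-Host 'Hybrid Join incomplete: see warnings above and the troubleshooting step' }
```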

Step 6: Troubleshoot Hybrid Join Issues

# Detailed diagnostic output (run as SYSTEM or NETWORK SERVICE for accurate results)
dsregcmd /debug

# Check for registration errors in the event log
Get-WinEvent -LogName "Microsoft-Windows-User Device Registration/Admin" -MaxEvents 50 |
    Where-Object { $_.LevelDisplayName -ne "Information" } |
    Format-List TimeCreated, LevelDisplayName, Message

# Verify SCP is readable from the client
$configDN = (([ADSI]"LDAP://RootDSE").configurationNamingContext)
$scpPath  = "LDAP://CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,$configDN"
$scp = [ADSI]$scpPath
$scp.Properties["keywords"].Value   # Should show azureADName: and azureADId:

# Force Azure AD Connect to sync the newly joined device
# Run on the AAD Connect server:
Start-ADSyncSyncCycle -PolicyType Delta

# Verify the device appears in Entra ID (portal, or via Microsoft Graph PowerShell as below)
Connect-MgGraph -Scopes "Device.Read.All"
Get-MgDevice -Filter "displayName eq 'WORKSTATION01'" |
    Select-Object DisplayName, IsCompliant, RegistrationDateTime, TrustType
# TrustType should be: ServerAd (= Hybrid Azure AD Joined); AzureAd = Entra joined, Workplace = registered only

Step 7: Create a Conditional Access Policy Requiring Hybrid Join

# Using Microsoft Graph PowerShell to create a Conditional Access policy
# Requires the Microsoft.Graph.Identity.SignIns module (provides New-MgIdentityConditionalAccessPolicy)

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All"

$policy = @{
    displayName = "Require Hybrid Joined Device for M365"
    state       = "enabledForReportingButNotEnforced"  # Switch to "enabled" after reviewing report-only results
    conditions  = @{
        users = @{
            includeUsers = @("All")   # Or scope the rollout with includeGroups = @("<group object ID>")
            # Consider excludeUsers = @("<emergency access account object ID>") so a misconfigured
            # policy cannot lock administrators out
        }
        applications = @{
            includeApplications = @("Office365")
        }
        devices = @{
            deviceFilter = @{
                mode = "exclude"
                # Hybrid-joined devices are excluded from the policy and therefore pass; every other
                # device (including unregistered ones) stays in scope and must satisfy the grant control
                rule = "device.trustType -eq `"ServerAd`""
            }
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("domainJoinedDevice")   # "Require Microsoft Entra hybrid joined device"
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Conditional Access policy created in report-only mode. Review sign-in logs before enforcing."
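To act on that last line with evidence rather than guesswork, the added script below (not from the original article) pulls recent sign-ins from the Entra sign-in log and reports how the report-only policy would have treated them, grouped by device trust type. It assumes the Microsoft.Graph.Reports module (Get-MgAuditLogSignIn) and the AuditLog.Read.All scope.

```powershell
# Added example: measure the report-only policy's impact before enabling it.
function Get-ReportOnlyPolicyImpact {
    param(
        [string]$PolicyName = 'Require Hybrid Joined Device for M365',   # displayName from the policy above
        [int]$Hours = 24,
        [int]$MaxSignIns = 1000
    )
    $since = (Get-Date).ToUniversalTime().AddHours(-$Hours).ToString('yyyy-MM-ddTHH:mm:ssZ')
    $signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -Top $MaxSignIns

    $rows = foreach ($s in $signIns) {
        # Each sign-in records every CA policy evaluated against it, with a per-policy result
        $applied = $s.AppliedConditionalAccessPolicies | Where-Object { $_.DisplayName -eq $PolicyName }
        if (-not $applied) { continue }
        [pscustomobject]@{
            User      = $s.UserPrincipalName
            App       = $s.AppDisplayName
            TrustType = if ($s.DeviceDetail.TrustType) { $s.DeviceDetail.TrustType } else { 'Unregistered' }
            # reportOnlySuccess / reportOnlyFailure / reportOnlyNotApplied
            Result    = $applied.Result
        }
    }
    return $rows
}

$impact = Get-ReportOnlyPolicyImpact

# What would be blocked once the policy is enabled, by device trust type
# (expect 'Unregistered', 'Workplace' or 'AzureAd'; hybrid-joined devices report 'ServerAd' and pass)
$impact | Where-Object Result -eq 'reportOnlyFailure' |
    Group-Object TrustType | Select-Object Name, Count

# The individual users/apps that would fail, to chase down machines that have not completed Hybrid Join
$impact | Where-Object Result -eq 'reportOnlyFailure' |
    Select-Object User, App, TrustType | Sort-Object User -Unique
```

Sign-in log entries can take several minutes to appear, so run this against a window that covers a full working day before switching the policy to enabled.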

Conclusion

Microsoft Entra Hybrid Join on Windows Server 2025 bridges on-premises Active Directory and the cloud identity plane with minimal user disruption. By correctly placing the Service Connection Point in AD, keeping Azure AD Connect synchronisation healthy, and deploying the CDJ registry settings via Group Policy, your domain-joined machines register automatically within a single logon cycle. The dsregcmd /status command remains the fastest diagnostic tool — confirming both DomainJoined : YES and AzureAdJoined : YES in a single output. With hybrid join in place, you gain the ability to enforce Conditional Access policies that require a known, domain-trusted device before allowing access to Microsoft 365 workloads, combining the governance of on-premises Group Policy with the modern security controls of the Microsoft Entra platform.