Hybrid Azure AD Join Overview
Microsoft Entra Hybrid Join (formerly Azure AD Hybrid Join) is the process of registering on-premises Active Directory domain-joined devices with both the on-premises AD and Microsoft Entra ID (formerly Azure Active Directory). After a successful Hybrid Join, a device has a presence in both identity systems: it has an on-premises computer account in AD DS and a device object in Entra ID.
This dual registration enables several critical capabilities. Users can sign in with their Azure AD credentials (including MFA) while the device remains managed by on-premises Group Policy. Conditional Access policies in Entra can require that access to Microsoft 365 services, Azure resources, and SaaS applications comes only from Hybrid Joined devices. It also enables Windows Hello for Business in hybrid mode and allows Intune co-management with SCCM.
Windows Server 2022 member servers can participate in Hybrid Join just like client machines. This is particularly useful for servers that need to access Azure resources using the server’s device identity, or for environments where Conditional Access is enforced on administrative tools and remote management connections.
Prerequisites and Architecture
Before configuring Hybrid Join, verify the following prerequisites are in place:
- Azure AD Connect (or Azure AD Connect Cloud Sync) version 1.1.819.0 or later is installed and configured for your on-premises AD
- Device writeback is enabled in Azure AD Connect, or alternatively, Entra Connect Sync handles device synchronization automatically in newer versions
- On-premises AD forest functional level is Windows Server 2008 R2 or higher
- Devices need internet access to reach the following endpoints: login.microsoftonline.com, device.login.microsoftonline.com, enterpriseregistration.windows.net, and enterpriseregistration.microsoftonline.com
- If using AD FS, AD FS 2012 R2 or later; if not using AD FS, Seamless Single Sign-On must be enabled in Azure AD Connect
- DNS must resolve public Microsoft endpoints from domain-joined devices
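The checks above are easy to skip one at a time, so here is a single prerequisite sweep as an added example (not code from the original page) that an administrator can run from a domain-joined management host with the RSAT ActiveDirectory module. The Connect server name AADCONNECT01 is an assumption; the version floor and the endpoint list are the ones stated above.

```powershell
# Added example, not from the original page: one-shot Hybrid Join prerequisite sweep.
# Assumes the RSAT ActiveDirectory module and PowerShell remoting to the Connect server.
function Test-HybridJoinPrerequisite {
    [CmdletBinding()]
    param(
        [string]$ConnectServer = 'AADCONNECT01',          # assumed name of the Entra Connect server
        [version]$MinimumConnectVersion = '1.1.819.0',    # floor stated in the prerequisites
        [string[]]$Endpoint = @(
            'login.microsoftonline.com',
            'device.login.microsoftonline.com',
            'enterpriseregistration.windows.net',
            'enterpriseregistration.microsoftonline.com'
        )
    )
    $results = [System.Collections.Generic.List[object]]::new()
    function Add-Result([string]$Check, [bool]$Pass, $Detail) {
        $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = "$Detail" })
    }

    # 1. Forest functional level: Windows Server 2008 R2 (enum value 4) or higher
    $forest = Get-ADForest
    Add-Result 'ForestFunctionalLevel' ([int]$forest.ForestMode -ge 4) $forest.ForestMode

    # 2. Installed Connect version, read from the installed-programs registry on the Connect server
    $connect = Invoke-Command -ComputerName $ConnectServer -ErrorAction SilentlyContinue -ScriptBlock {
        Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' |
            Where-Object { $_.DisplayName -like '*Azure AD Connect*' -or $_.DisplayName -like '*Entra Connect*' } |
            Select-Object -First 1 DisplayName, DisplayVersion
    }
    $versionOk = [bool]$connect -and ([version]$connect.DisplayVersion -ge $MinimumConnectVersion)
    Add-Result 'ConnectVersion' $versionOk $(if ($connect) { $connect.DisplayVersion } else { 'not found' })

    # 3. Service Connection Point present in the Configuration NC with a tenant ID keyword
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $scp = Get-ADObject -SearchBase "CN=Services,$configNC" -SearchScope Subtree `
        -Filter { objectClass -eq 'serviceConnectionPoint' -and Name -eq '62a0ff2e-97b9-4513-943f-0d221bd30080' } `
        -Properties keywords -ErrorAction SilentlyContinue
    $tenantId = @($scp.keywords) -match '^azureADId:' -replace '^azureADId:'
    Add-Result 'ServiceConnectionPoint' ([bool]$tenantId) $(if ($tenantId) { "tenant $tenantId" } else { 'SCP missing' })

    # 4. DNS resolution and TCP 443 reachability for each required endpoint, tested from this host
    foreach ($ep in $Endpoint) {
        $dns = Resolve-DnsName -Name $ep -Type A -ErrorAction SilentlyContinue
        $tcp = Test-NetConnection -ComputerName $ep -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue
        $detail = $(if ($dns) { 'resolves' } else { 'no DNS' }) + ', ' + $(if ($tcp) { '443 open' } else { '443 blocked' })
        Add-Result "Endpoint:$ep" ([bool]$dns -and $tcp) $detail
    }
    return $results
}

# Usage: every row with Pass = False must be fixed before running the Connect wizard
$report = Test-HybridJoinPrerequisite -ConnectServer 'AADCONNECT01'
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Pass }) { Write-Warning 'Hybrid Join prerequisites not met' }
```

Run the endpoint checks from a representative member server as well as the management host, since the proxy or firewall path the servers actually use is what matters for registration.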
Configuring Hybrid Join via Azure AD Connect
Azure AD Connect includes a wizard for configuring Hybrid Azure AD Join. This creates the necessary Service Connection Point (SCP) in your on-premises AD, configures device synchronization, and establishes the trust required for the device registration process.
# Verify Azure AD Connect version before proceeding
# Run on the server running Azure AD Connect. The ADSync module does not expose
# the product version, so read it from the installed-programs registry key.
Import-Module ADSync
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" |
    Where-Object { $_.DisplayName -like "*Azure AD Connect*" -or $_.DisplayName -like "*Entra Connect*" } |
    Select-Object DisplayName, DisplayVersion
# If version is below 1.1.819.0, update Azure AD Connect first
# Download latest from: https://www.microsoft.com/en-us/download/details.aspx?id=47594
# Open the Azure AD Connect configuration wizard
# From the Azure AD Connect server:
Start-Process "C:\Program Files\Microsoft Azure Active Directory Connect\AzureADConnect.exe"
# In the wizard:
# 1. Click "Configure"
# 2. Select "Configure device options"
# 3. Click Next and authenticate to Azure AD with Global Admin credentials
# 4. Select "Configure Hybrid Azure AD join"
# 5. Choose your OS types (Windows current = Win10/11/2016+, Windows downlevel = older)
# 6. Add your AD forest for device synchronization
# 7. Select the SCP configuration method (choose "Azure AD" for Entra ID)
# 8. Complete the wizard
Verify device synchronization is enabled in the AD Sync configuration:
# Check what objects are being synced
Get-ADSyncRule | Where-Object { $_.Name -like "*Device*" } | `
Select-Object Name, Direction, ConnectorName, Enabled
# Verify device sync connector
Get-ADSyncConnector | Select-Object Name, Type, State
# Force a sync cycle to replicate any existing computer objects to Entra
Start-ADSyncSyncCycle -PolicyType Delta
Start-ADSyncSyncCycle -PolicyType Initial # Full sync if needed
# Check sync errors
Get-ADSyncConnectorStatistics -ConnectorName "corp.example.com" | `
Select-Object ConnectorName, ExportAdds, ExportUpdates, ExportDeletes
Service Connection Point in AD for Device Auto-Discovery
The Service Connection Point (SCP) is an AD object that Windows devices use to auto-discover the Azure AD tenant and device registration service endpoint. The Azure AD Connect wizard creates this automatically, but you can verify and create it manually if needed.
# Verify the SCP exists after running Azure AD Connect wizard
$scp = Get-ADObject -SearchBase "CN=Configuration,DC=corp,DC=example,DC=com" `
-Filter { objectClass -eq "serviceConnectionPoint" -and Name -eq "62a0ff2e-97b9-4513-943f-0d221bd30080" } `
-Properties *
$scp | Select-Object Name, DistinguishedName, Keywords
# The Keywords attribute should contain two values:
# azureADName:
# azureADId:
# Create SCP manually if it doesn't exist (use your own tenant ID and tenant name)
$tenantId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
$tenantName = "yourtenant.onmicrosoft.com"
# The SCP lives under the Services container of the Configuration naming context
$configNC = (Get-ADRootDSE).configurationNamingContext
$servicesContainer = "CN=Services,$configNC"
$drcContainer = "CN=Device Registration Configuration,$servicesContainer"
# The wizard also creates the parent container; create it first if it is missing
$parent = Get-ADObject -SearchBase $servicesContainer -SearchScope OneLevel `
    -Filter { Name -eq "Device Registration Configuration" } -ErrorAction SilentlyContinue
if (-not $parent) {
    New-ADObject -Name "Device Registration Configuration" -Type container -Path $servicesContainer
}
New-ADObject -Name "62a0ff2e-97b9-4513-943f-0d221bd30080" `
    -Type serviceConnectionPoint `
    -Path $drcContainer `
    -OtherAttributes @{
        keywords = @("azureADName:$tenantName", "azureADId:$tenantId")
    }
# Verify the SCP is readable by domain computers
# Domain computers need Read access to this SCP object
$scpDN = "CN=62a0ff2e-97b9-4513-943f-0d221bd30080,$drcContainer"
Get-Acl -Path "AD:\$scpDN" | Select-Object -ExpandProperty Access | `
    Where-Object { $_.IdentityReference -like "*Computers*" }
GPO for Hybrid Join: Workplace Join Computer Configuration
For Windows Server 2022 and Windows 10/11 current channel devices, the Hybrid Join process is triggered automatically using a Scheduled Task that ships with the OS. However, you can also push the configuration via Group Policy to ensure all domain-joined machines attempt registration:
# Create a GPO for Hybrid Azure AD Join
New-GPO -Name "Hybrid-Entra-Join-Config" -Comment "Triggers Hybrid Azure AD Join"
# Link to the target OU containing servers/computers
New-GPLink -Name "Hybrid-Entra-Join-Config" `
-Target "OU=Servers,DC=corp,DC=example,DC=com"
# The key GPO setting is at:
# Computer Configuration > Policies > Administrative Templates > Windows Components >
# Device Registration (called "Workplace Join" in older ADMX templates)
# Enable: "Automatically workplace join client computers"
# (newer templates name it "Register domain joined computers as devices")
# Value: 1
# The same setting can be pushed as a registry preference instead:
# Computer Configuration > Preferences > Windows Settings > Registry
# Key: HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin
# Value: autoWorkplaceJoin DWORD = 1
# Verify the registry setting on a target server after GPO applies
Invoke-Command -ComputerName WS2022-Server01 -ScriptBlock {
    Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin" `
        -Name "autoWorkplaceJoin" -ErrorAction SilentlyContinue
}
The Hybrid Join scheduled task that runs on the device is named Automatic-Device-Join and is located in Task Scheduler Library\Microsoft\Windows\Workplace Join. You can trigger it manually for testing:
# Trigger the Hybrid Join scheduled task manually on a target server
# Run on the target Windows Server 2022 machine from an elevated prompt:
dsregcmd /join
# Or trigger via the scheduled task, which runs in SYSTEM context
schtasks /run /tn "\Microsoft\Windows\Workplace Join\Automatic-Device-Join"
# Monitor the task execution
schtasks /query /tn "\Microsoft\Windows\Workplace Join\Automatic-Device-Join" /v /fo LIST
Verifying Hybrid Join Status with dsregcmd
The dsregcmd /status command is the primary tool for verifying the device registration state on any Windows device. Run it directly on the target server:
# Run on the Windows Server 2022 machine
dsregcmd /status
# Key fields to check in the output:
# +----------------------------------------------------------------------+
# | Device State |
# +----------------------------------------------------------------------+
#
# AzureAdJoined : YES <- YES for Hybrid Join as well as for pure Azure AD Join
# EnterpriseJoined : NO
# DomainJoined : YES <- Must be YES for Hybrid Join
# DomainName : corp
# Virtual Desktop : NO
#
# +----------------------------------------------------------------------+
# | SSO State |
# +----------------------------------------------------------------------+
#
# AzureAdPrt : YES <- Primary Refresh Token obtained
# AzureAdPrtAuthority : https://login.microsoftonline.com/...
# Enterprise : NO
#
# +----------------------------------------------------------------------+
# | Work Account |
# +----------------------------------------------------------------------+
#
# For Hybrid Join, check for device object in both directories:
# The "User State" section shows if device certs are provisioned
# Check if the device object exists in Entra ID
# Run from Azure Cloud Shell or admin PowerShell with Entra module:
Install-Module -Name Microsoft.Graph -Force
Connect-MgGraph -Scopes "Device.Read.All"
Get-MgDevice -Filter "displayName eq 'WS2022-SERVER01'" | `
Select-Object DisplayName, IsCompliant, IsManaged, TrustType, `
ApproximateLastSignInDateTime, OperatingSystem, OperatingSystemVersion
A successful Hybrid Join shows TrustType: ServerAD for the device in Entra ID, indicating it joined via on-premises AD rather than a direct Azure AD join. The dsregcmd /status output should show a device certificate thumbprint and a valid Primary Refresh Token (PRT).
Conditional Access Requiring Hybrid Join
Once devices are Hybrid Joined, you can create Conditional Access policies in Entra ID that require device compliance or Hybrid Join status as a condition for accessing resources. This ensures only managed, domain-joined servers can access Azure resources and Microsoft 365 services:
# Configure Conditional Access via Microsoft Graph API
# Example: Require Hybrid Join for Azure portal access
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"
$caPolicy = @{
    displayName = "Require Hybrid Join for Azure Portal"
    state = "enabled"
    conditions = @{
        users = @{
            includeGroups = @("xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx") # Admin group ID
        }
        applications = @{
            includeApplications = @("797f4846-ba00-4fd7-ba43-dac1f8f63013") # Azure Management
        }
        platforms = @{
            includePlatforms = @("windows")
        }
        clientAppTypes = @("all") # required by the Graph API
    }
    grantControls = @{
        operator = "OR"
        builtInControls = @("domainJoinedDevice") # Hybrid Join requirement
    }
}
# -BodyParameter takes the hashtable directly; the cmdlet serializes it to JSON itself
New-MgIdentityConditionalAccessPolicy -BodyParameter $caPolicy
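A policy like the one above can lock administrators out of the portal if any of their workstations or servers has not finished registering, so the safer rollout is report-only first. The following added example (not code from the original page) creates the same policy in report-only state with an emergency-access group excluded, then reads the sign-in log to see what the policy would have done; both group IDs are placeholders.

```powershell
# Added example, not from the original page: report-only rollout of the Hybrid Join
# policy with a break-glass exclusion, then a tally of the report-only outcomes.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'AuditLog.Read.All', 'Directory.Read.All'

$adminGroupId      = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'   # placeholder: admins in scope
$breakGlassGroupId = 'yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy'   # placeholder: emergency access accounts

$policy = @{
    displayName = 'Require Hybrid Join for Azure Portal (report-only)'
    state       = 'enabledForReportingButNotEnforced'          # evaluate and log, do not block
    conditions  = @{
        users = @{
            includeGroups = @($adminGroupId)
            excludeGroups = @($breakGlassGroupId)               # never lock out the break-glass accounts
        }
        applications   = @{ includeApplications = @('797f4846-ba00-4fd7-ba43-dac1f8f63013') }
        platforms      = @{ includePlatforms = @('windows') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('domainJoinedDevice')
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# After sign-ins have accrued, see how the report-only policy evaluated each one.
# reportOnlyFailure = sign-ins that would have been blocked once the policy is enabled.
function Get-ReportOnlyOutcome {
    param([Parameter(Mandatory)][string]$PolicyId, [int]$Days = 7)
    $since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-ddTHH:mm:ssZ')
    Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
        ForEach-Object {
            $signIn = $_
            $signIn.AppliedConditionalAccessPolicies |
                Where-Object { $_.Id -eq $PolicyId } |
                ForEach-Object {
                    [pscustomobject]@{
                        User      = $signIn.UserPrincipalName
                        Device    = $signIn.DeviceDetail.DisplayName
                        TrustType = $signIn.DeviceDetail.TrustType
                        Result    = $_.Result
                    }
                }
        }
}

$outcomes = Get-ReportOnlyOutcome -PolicyId $created.Id
$outcomes | Group-Object Result | Select-Object Name, Count
$outcomes | Where-Object { $_.Result -eq 'reportOnlyFailure' } | Format-Table -AutoSize

# Only once every reportOnlyFailure is fixed or explained, switch the policy to enforced:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = 'enabled' }
```

The rows with an empty TrustType or a TrustType other than the hybrid value are the devices to chase before enforcing; they are exactly the ones the dsregcmd checks in the next sections diagnose.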
Troubleshooting Hybrid Join Failures
Hybrid Join failures fall into several categories. The most common are SCP discovery failures, network connectivity issues to Microsoft endpoints, authentication failures during device registration, and certificate provisioning errors.
# Check the User Device Registration event log on the target server
Get-WinEvent -LogName "Microsoft-Windows-User Device Registration/Admin" `
-MaxEvents 30 | Format-List TimeCreated, Id, LevelDisplayName, Message
# Key event IDs:
# 306 - Device registration failed
# 304 - Device registration succeeded
# 201 - SCP discovered
# 202 - SCP discovery failed
# Test SCP discovery
# Checks if the device can find the SCP and resolve the tenant info
dsregcmd /debug
# Test connectivity to required endpoints
$endpoints = @(
"login.microsoftonline.com",
"device.login.microsoftonline.com",
"enterpriseregistration.windows.net"
)
foreach ($ep in $endpoints) {
Test-NetConnection -ComputerName $ep -Port 443 -InformationLevel Quiet
}
# If Seamless SSO is used (no ADFS), verify it's configured
# Check for the AZUREADSSOACC computer account in AD
Get-ADComputer -Identity "AZUREADSSOACC" -Properties Description, PasswordLastSet
# Clear device registration state and retry (debugging only; run both in SYSTEM
# context, for example through the scheduled task or psexec -s, since the join
# state belongs to the machine, not the logged-on user)
dsregcmd /leave
dsregcmd /join
# Check the device registration DRS URL resolution
Invoke-WebRequest -Uri "https://enterpriseregistration.windows.net/corp.example.com/discover?api-version=1.0" `
-UseDefaultCredentials -UseBasicParsing | Select-Object StatusCode, Content
When Hybrid Join completes successfully on Windows Server 2022, the server records its enrollment under the HKLM\SOFTWARE\Microsoft\Enrollments registry path and a device object appears in the Entra admin portal with Join Type: Hybrid Azure AD joined. Regular review of dsregcmd /status across your server fleet, combined with monitoring the Microsoft-Windows-User Device Registration/Admin event log, provides ongoing assurance that device identities remain healthy and in sync between your on-premises AD and Entra ID.
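The fleet-wide review described above, as an added example that is not part of the original page: it runs dsregcmd /status on each server over PowerShell remoting, parses the "Key : Value" lines into an object, counts recent error events in the User Device Registration log, and cross-checks the device object in Entra ID by its device ID. The server names are placeholders, and the script assumes the Microsoft.Graph module and remoting rights on the servers.

```powershell
# Added example, not from the original page: Hybrid Join health across a server fleet.
function Get-HybridJoinHealth {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [int]$StaleDays = 30     # flag devices whose Entra last sign-in is older than this
    )
    $deviceState = Invoke-Command -ComputerName $ComputerName -ErrorAction Continue -ScriptBlock {
        # dsregcmd prints one "   Key : Value" pair per line; keep the pairs, skip the box lines
        $state = @{}
        foreach ($line in (dsregcmd /status)) {
            if ($line -match '^\s*([^:|+]+?)\s*:\s*(.+?)\s*$') { $state[$Matches[1]] = $Matches[2] }
        }
        # Error-level events in the registration log over the last 7 days
        $regErrors = @(Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-User Device Registration/Admin'
            Level     = 2
            StartTime = (Get-Date).AddDays(-7)
        } -ErrorAction SilentlyContinue)
        $lastError = if ($regErrors) { $regErrors[0].Message.Split("`n")[0] } else { $null }
        [pscustomobject]@{
            Computer      = $env:COMPUTERNAME
            DomainJoined  = $state['DomainJoined']
            AzureAdJoined = $state['AzureAdJoined']
            DeviceId      = $state['DeviceId']
            TenantName    = $state['TenantName']
            AzureAdPrt    = $state['AzureAdPrt']   # per-user value: reflects the remoting account, not the server
            RecentErrors  = $regErrors.Count
            LastError     = $lastError
        }
    }

    Connect-MgGraph -Scopes 'Device.Read.All'
    foreach ($s in $deviceState) {
        # Match on the device ID dsregcmd reports rather than on display name
        $entra = if ($s.DeviceId) { Get-MgDevice -Filter "deviceId eq '$($s.DeviceId)'" } else { $null }
        $issues = @()
        if ($s.DomainJoined -ne 'YES')  { $issues += 'not domain joined' }
        if ($s.AzureAdJoined -ne 'YES') { $issues += 'not registered with Entra' }
        if (-not $entra) {
            $issues += 'no device object in Entra'
        } else {
            if ($entra.TrustType -ne 'ServerAd') { $issues += "TrustType is $($entra.TrustType)" }
            $lastSeen = $entra.ApproximateLastSignInDateTime
            if (-not $lastSeen -or $lastSeen -lt (Get-Date).AddDays(-$StaleDays)) { $issues += 'stale in Entra' }
        }
        if ($s.RecentErrors -gt 0) { $issues += "$($s.RecentErrors) registration errors (last: $($s.LastError))" }
        [pscustomobject]@{
            Computer = $s.Computer
            DeviceId = $s.DeviceId
            Healthy  = ($issues.Count -eq 0)
            Issues   = ($issues -join '; ')
        }
    }
}

# Usage: list only the servers that need attention
Get-HybridJoinHealth -ComputerName 'WS2022-Server01', 'WS2022-Server02' |
    Where-Object { -not $_.Healthy } | Format-Table -AutoSize
```

A server that is DomainJoined but not AzureAdJoined, or that has no Entra object at all, is the one that will fail a Conditional Access policy requiring Hybrid Join; a server that is registered but stale in Entra usually means its computer object stopped syncing or it was rebuilt under the same name.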