What Is Azure AD Hybrid Join?

Azure AD Hybrid Join is a device registration state where a Windows computer is simultaneously joined to your on-premises Active Directory domain AND registered in Azure Active Directory. This dual membership enables Conditional Access policies, Windows Hello for Business, seamless SSO to cloud resources, and Intune co-management from a single device that was originally on-premises domain joined. On Windows Server 2019, the Hybrid Join process is configured through Azure AD Connect’s device synchronization feature and Group Policy.

Prerequisites


# Prerequisites checklist:
# 1. Azure AD Connect 1.4+ installed and syncing (see post231)
# 2. Windows 10 1607+ or Windows Server 2016+ clients (for automatic registration)
# 3. Azure AD Premium P1 license OR Microsoft 365 license for Conditional Access
# 4. Users must be synced to Azure AD
# 5. SCP (Service Connection Point) must be configured in AD (done by AAD Connect)

# Verify Azure AD Connect version
$adSyncModule = Get-Module -ListAvailable ADSync
$adSyncModule.Version

# Verify users are synced to Azure AD
Connect-AzureAD
$syncedUsers = Get-AzureADUser -Filter "onPremisesSyncEnabled eq true" | Measure-Object
Write-Output "Synced users: $($syncedUsers.Count)"

# Verify device write-back is enabled in AAD Connect
# AAD Connect > Configure > Configure device options > Hybrid Azure AD join

Step 1: Configure Azure AD Connect for Hybrid Join


# Run the Azure AD Connect Configuration Wizard
# Start > Azure AD Connect > Configure > Configure device options > Hybrid Azure AD join

# Via PowerShell (AAD Connect must already be configured)
Import-Module ADSync

# Check current device sync settings
Get-ADSyncScheduler
Get-ADSyncConnector | Select-Object Name, Type

# Enable device synchronization in AAD Connect
# This creates the Service Connection Point (SCP) in AD and enables
# device object synchronization to Azure AD

# Verify the SCP was created after running AAD Connect wizard
$scp = Get-ADObject -Filter { objectClass -eq 'serviceConnectionPoint' } `
    -SearchBase 'CN=Configuration,DC=corp,DC=local' `
    -Properties keywords |
    Where-Object { $_.keywords -like '*AzureAD*' }

$scp | Select-Object Name, DistinguishedName, keywords
# keywords should contain:
# azureADName:
# azureADId:

Step 2: Configure Managed Domains (PHS or PTA Authentication)

For Hybrid Join with Password Hash Sync or Pass-Through Authentication (non-federated domains), Windows 10/11 and Server 2016+ devices use the SCP to discover the tenant and register automatically. No additional AD FS configuration is required:


# Verify the domain authentication type in Azure AD
Connect-MsolService
Get-MsolDomain | Select-Object Name, Authentication

# For managed domains (Authentication = Managed), the automatic Hybrid Join
# process works via the Device Registration Service in Azure AD directly.

# Verify SCP keywords are correct
$scpKeywords = $scp.keywords
$tenantId    = ($scpKeywords | Where-Object { $_ -like 'azureADId*' }) -replace 'azureADId:', ''
$tenantName  = ($scpKeywords | Where-Object { $_ -like 'azureADName*' }) -replace 'azureADName:', ''

Write-Output "Tenant ID: $tenantId"
Write-Output "Tenant Name: $tenantName"

# Test SCP discovery from a domain member
dsregcmd /status
# Look for: AzureAdJoined, DomainJoined, and SCP detection in output

Step 3: Configure Group Policy for Automatic Device Registration

A GPO is required to configure the automatic device registration task on Windows 10/Server 2016+ domain members:


# Create GPO for Hybrid Azure AD Join
$gpo = New-GPO -Name 'Azure AD Hybrid Join Registration'
New-GPLink -Name 'Azure AD Hybrid Join Registration' `
    -Target 'OU=Computers,DC=corp,DC=local'

# Configure the GPO setting via registry (the GPO path is:)
# Computer Configuration > Administrative Templates > Windows Components >
#   Device Registration > Register domain joined computers as devices
# Set to: Enabled

# Or configure via Set-GPRegistryValue
Set-GPRegistryValue -Name 'Azure AD Hybrid Join Registration' `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin' `
    -ValueName 'autoWorkplaceJoin' `
    -Type DWord -Value 1

# The automatic registration scheduled task will run on the next policy refresh
# Task path: \Microsoft\Windows\Workplace Join\
# Task name: Automatic-Device-Join

# Force GPO update on test machines
Invoke-GPUpdate -Computer 'WORKSTATION01' -RandomDelayInMinutes 0

# Trigger the registration task manually (for testing)
Invoke-Command -ComputerName WORKSTATION01 -ScriptBlock {
    Start-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' `
        -TaskName 'Automatic-Device-Join'
}

Step 4: Verify Hybrid Join Status on a Device


# Run on the target Windows Server 2019 or Windows 10 device
# Capture the output so it can be inspected below
$dsreg = dsregcmd /status
$dsreg

# Expected output for a successfully Hybrid-joined device:
# +----------------------------------------------------------------------+
# | Device State                                                         |
# +----------------------------------------------------------------------+
#    AzureAdJoined : YES
#    DomainJoined  : YES
#    ...
# | SSO State                                                            |
# +----------------------------------------------------------------------+
#    AzureAdPrt    : YES

# Pull the two join flags out of the captured output
$azureAdJoined = ($dsreg | Select-String 'AzureAdJoined').ToString().Trim()
$domainJoined  = ($dsreg | Select-String 'DomainJoined').ToString().Trim()
Write-Output $azureAdJoined
Write-Output $domainJoined

# Verify in Azure AD portal
# Azure AD > Devices > All devices
# Look for the device with Join Type = "Hybrid Azure AD joined"
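Reading the flags by eye does not scale to a fleet, so here is an added example (not from the original post) that parses dsregcmd /status into a hashtable and evaluates the three fields above plus an optional tenant check. The sample output block is constructed, with a placeholder tenant ID, and is shaped so that the PRT check fails while both join flags pass.

```powershell
function ConvertFrom-DsregStatus {
    # Parse the "Key : Value" lines of dsregcmd /status into a hashtable.
    param([Parameter(Mandatory)][string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z][\w ]*?)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-HybridJoinState {
    # Compare the parsed state with what a healthy Hybrid-joined device reports.
    param([Parameter(Mandatory)][hashtable]$State, [string]$ExpectedTenantId)
    $checks = [ordered]@{
        DomainJoined  = ($State['DomainJoined']  -eq 'YES')
        AzureAdJoined = ($State['AzureAdJoined'] -eq 'YES')
        AzureAdPrt    = ($State['AzureAdPrt']    -eq 'YES')   # PRT is needed for SSO and CA
    }
    if ($ExpectedTenantId) {
        $checks['TenantId'] = ($State['TenantId'] -eq $ExpectedTenantId)
    }
    $failed = @($checks.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object { $_.Key })
    [pscustomobject]@{
        HybridJoined = ($failed.Count -eq 0)
        Failed       = $failed
        Checks       = $checks
    }
}

# Constructed sample in the shape of dsregcmd /status output, for an offline run.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
              DomainJoined : YES
                  TenantId : 00000000-0000-0000-0000-000000000000
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : NO
'@ -split "`r?`n"

Test-HybridJoinState -State (ConvertFrom-DsregStatus $sample)
# On a real device, with $tenantId taken from the SCP in Step 2:
# Test-HybridJoinState -State (ConvertFrom-DsregStatus (dsregcmd /status)) -ExpectedTenantId $tenantId
```

Wrapping the real-device call in Invoke-Command against a list of computers gives a fleet-wide readiness report before the Conditional Access policy in Step 5 is enabled.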

Step 5: Configure Conditional Access to Require Hybrid Join


# Azure AD Conditional Access is configured in the Azure portal
# Azure AD > Security > Conditional Access > New policy

# PowerShell (using the AzureADPreview module, which carries the Conditional Access cmdlets)
Install-Module AzureADPreview -Force
Import-Module AzureADPreview   # load explicitly so the GA AzureAD module is not picked instead
Connect-AzureAD

# Create a Conditional Access policy requiring Hybrid Joined device
$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet

$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = 'All'

$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeGroups = @((Get-AzureADGroup -SearchString 'All Staff').ObjectId)

$conditions.Platforms = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessPlatformCondition
$conditions.Platforms.IncludePlatforms = 'Windows'

$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$controls._Operator = 'OR'
$controls.BuiltInControls = 'DomainJoinedDevice'  # Requires Hybrid Join

New-AzureADMSConditionalAccessPolicy `
    -DisplayName 'Require Hybrid Join for Windows' `
    -State 'Enabled' `
    -Conditions $conditions `
    -GrantControls $controls

Troubleshooting Hybrid Join Failures


# Check automatic registration task output
Get-ScheduledTaskInfo -TaskPath '\Microsoft\Windows\Workplace Join\' `
    -TaskName 'Automatic-Device-Join' | Select-Object LastRunTime, LastTaskResult

# Common error codes and meanings:
# 0x801C0003 - Device not found in Azure AD (sync not yet completed)
# 0x801C0012 - Certificate not trusted (check CA configuration)
# 0x80090016 - Keyset does not exist (TPM issue)
# 0x801C000B - Token binding failed

# View device registration event log
Get-WinEvent -LogName 'Microsoft-Windows-AAD/Operational' -MaxEvents 50 |
    Where-Object { $_.LevelDisplayName -in 'Error','Warning' } |
    Select-Object TimeCreated, Id, Message

# Check if the device exists in Azure AD after sync
Connect-AzureAD
Get-AzureADDevice -Filter "displayName eq 'WORKSTATION01'" |
    Select-Object DisplayName, TrustType, IsCompliant, IsManaged, ApproximateLastLogonTimeStamp

# Force a full device sync in AAD Connect
Start-ADSyncSyncCycle -PolicyType Initial
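The task result and the AAD operational log are usually read separately; this added example (not from the original post) pulls them together on the failing device: it renders LastTaskResult as the HRESULT form used in the code list above, then scans recent error events for any 0x-prefixed code and annotates it from that list. Only the task path and log name already given in this section are used.

```powershell
# Error codes from the list above, keyed by HRESULT as dsregcmd and the AAD log render it.
$HybridJoinErrorCodes = @{
    '0x801C0003' = 'Device not found in Azure AD (sync not yet completed)'
    '0x801C0012' = 'Certificate not trusted (check CA configuration)'
    '0x80090016' = 'Keyset does not exist (TPM issue)'
    '0x801C000B' = 'Token binding failed'
}

function ConvertTo-HResultHex {
    # LastTaskResult is an unsigned 32-bit integer; render it as 0xXXXXXXXX.
    param([Parameter(Mandatory)][uint32]$Code)
    '0x{0:X8}' -f $Code
}

function Get-HybridJoinFailureReport {
    # Correlate the registration task result with error codes in the AAD operational log.
    param([int]$MaxEvents = 200)
    $task = Get-ScheduledTaskInfo -TaskPath '\Microsoft\Windows\Workplace Join\' `
                                  -TaskName 'Automatic-Device-Join'
    $hex  = ConvertTo-HResultHex -Code ([uint32]$task.LastTaskResult)
    $taskMeaning = if ($hex -eq '0x00000000') { 'Success' } else { $HybridJoinErrorCodes[$hex] }
    $events = Get-WinEvent -LogName 'Microsoft-Windows-AAD/Operational' `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.LevelDisplayName -eq 'Error' }
    $seen = [ordered]@{}   # one entry per distinct code; Get-WinEvent yields newest first
    foreach ($e in $events) {
        foreach ($m in [regex]::Matches($e.Message, '0x[0-9A-Fa-f]{8}')) {
            $code = '0x' + $m.Value.Substring(2).ToUpper()
            if (-not $seen.Contains($code)) {
                $seen[$code] = [pscustomobject]@{
                    Code     = $code
                    LastSeen = $e.TimeCreated
                    EventId  = $e.Id
                    Meaning  = $HybridJoinErrorCodes[$code]   # $null when not in the table
                }
            }
        }
    }
    [pscustomobject]@{
        LastRunTime    = $task.LastRunTime
        LastTaskResult = $hex
        TaskMeaning    = $taskMeaning
        LoggedErrors   = @($seen.Values)
    }
}

Get-HybridJoinFailureReport | Format-List
```

A code with an empty Meaning is simply one not in the short list above; the event ID and timestamp still narrow down which registration phase failed.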

Enabling Co-Management with Intune


# After Hybrid Join, enable co-management (SCCM + Intune)
# Requires Microsoft Endpoint Configuration Manager

# Or enroll in Intune without SCCM via autopilot
# The device will receive Intune MDM policy after Hybrid Join completes

# Verify MDM enrollment
Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\' |
    Select-Object TaskName, State

# Check MDM enrollment status
dsregcmd /status | Select-String -Pattern 'MDM|Intune'

# View Intune enrollment event log
Get-WinEvent -LogName 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin' `
    -MaxEvents 20 | Select-Object TimeCreated, Id, Message

Conclusion

Azure AD Hybrid Join on Windows Server 2019 bridges on-premises Active Directory and Azure Active Directory to provide a unified identity for domain-joined devices in the cloud era. Configured through Azure AD Connect’s SCP registration and a Group Policy for automatic device registration, Hybrid Join enables Conditional Access enforcement, seamless SSO to Microsoft 365 and Azure applications, and a path to Intune co-management—all without disrupting existing on-premises domain workflows.