Introduction

Azure AD Hybrid Join registers Windows Server 2016 (and Windows 10/11) devices with both on-premises Active Directory and Azure Active Directory simultaneously. Hybrid-joined devices get a Device ID in Azure AD, enabling Conditional Access policies, Azure AD-based SSO to cloud resources, Microsoft Intune co-management, and cloud-delivered features like Windows Hello for Business. This guide covers the full Hybrid Join configuration using Azure AD Connect.

Prerequisites

# Verify Azure AD Connect is installed and running
Import-Module ADSync
Get-ADSyncScheduler | Select-Object SyncCycleEnabled,CurrentlyRunning

# Confirm you have the required Azure AD roles
# Global Administrator or Hybrid Identity Administrator in Azure AD

# Check Windows Server 2016 build
[System.Environment]::OSVersion.Version  # Should be 10.0.14393+

# Verify the device can reach Azure AD endpoints
Test-NetConnection -ComputerName 'login.microsoftonline.com' -Port 443
Test-NetConnection -ComputerName 'enterpriseregistration.windows.net' -Port 443

Configuring Azure AD Connect for Hybrid Join

# In Azure AD Connect wizard, configure Device Options:
# Open Azure AD Connect on the sync server
& 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADConnect.exe'
# Select: Configure device options
# Select: Configure Hybrid Azure AD join
# Select: Windows 10 or later domain-joined devices (covers Server 2016)
# Confirm your AD forest and Azure AD tenant

# After wizard completes, verify the Service Connection Point (SCP) was created.
# The SCP lives under the forest Configuration NC, so use Get-ADRootDSE rather
# than the current domain's DN (which is wrong when run from a child domain),
# and search only the Device Registration container to avoid listing unrelated SCPs.
$configNC = (Get-ADRootDSE).configurationNamingContext
$scp = Get-ADObject -Filter {objectClass -eq 'serviceConnectionPoint'} `
    -SearchBase "CN=Device Registration Configuration,CN=Services,$configNC" `
    -Properties keywords
$scp | Select-Object Name,DistinguishedName

Verifying the Service Connection Point

# The SCP tells devices which Azure AD tenant to register with
# Check the SCP in AD
$configNC = (Get-ADRootDSE).configurationNamingContext
$scpPath = "CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,$configNC"
$scp = Get-ADObject -Identity $scpPath -Properties keywords
$scp.keywords

# The SCP keywords should contain your tenant ID:
# azureADId:
# azureADName:.onmicrosoft.com
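Because the SCP is what every domain-joined device trusts to decide which tenant to register with, it is worth checking its keywords against the tenant you actually own rather than just printing them. The following function is an added example, not code from the original guide; it reads the well-known SCP object shown above, splits each `name:value` keyword, and compares `azureADId` and `azureADName` to values you supply. The tenant ID and name in the usage line are placeholders.

```powershell
# Added example: confirm the Device Registration SCP points at the expected tenant.
# $ExpectedTenantId / $ExpectedTenantName are caller-supplied placeholders.
Import-Module ActiveDirectory

function Test-HybridJoinScp {
    param(
        [Parameter(Mandatory)] [string] $ExpectedTenantId,
        [Parameter(Mandatory)] [string] $ExpectedTenantName
    )

    # Well-known SCP object under the forest Configuration naming context
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $scpPath  = "CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,$configNC"

    try {
        $scp = Get-ADObject -Identity $scpPath -Properties keywords -ErrorAction Stop
    } catch {
        # No SCP at all: devices will not attempt hybrid join via AD
        return [pscustomobject]@{
            Found = $false; TenantIdMatches = $false; TenantNameMatches = $false; Keywords = @()
        }
    }

    # keywords is multi-valued; each entry looks like "azureADId:<guid>"
    $kv = @{}
    foreach ($entry in @($scp.keywords)) {
        $name, $value = $entry -split ':', 2
        $kv[$name] = $value
    }

    [pscustomobject]@{
        Found             = $true
        TenantIdMatches   = ($kv['azureADId']   -eq $ExpectedTenantId)
        TenantNameMatches = ($kv['azureADName'] -eq $ExpectedTenantName)
        Keywords          = @($scp.keywords)
    }
}

# Usage (placeholder values; substitute your tenant's ID and verified domain)
Test-HybridJoinScp -ExpectedTenantId '00000000-0000-0000-0000-000000000000' `
                   -ExpectedTenantName 'contoso.onmicrosoft.com'
```

A result with `Found = $true` but either match flag `$false` means the SCP was written for a different tenant (for example a test tenant left over from a pilot) and should be corrected in Azure AD Connect before devices start registering against it.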

Triggering Device Registration

# On the Windows Server 2016 machine to be hybrid-joined, trigger registration.
# Usually happens automatically via Scheduled Task and GPO, but force it:
# (dsregcmd /join must run in the SYSTEM context, which is how the scheduled task runs it)
dsregcmd /join

# Check the hybrid join status
dsregcmd /status

# Look for:
# AzureADJoined : YES
# DomainJoined  : YES
# DeviceId       : (GUID)
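Reading `dsregcmd /status` by eye works for one server, but for a fleet it helps to turn the output into structured data and evaluate the three fields listed above programmatically. The following is an added example and not part of the original guide; it parses the `Name : Value` lines that `dsregcmd` prints (hashtable keys are case-insensitive, so `AzureAdJoined` and `AzureADJoined` both resolve) and returns a verdict object. The constructed sample output at the bottom lets the parser be exercised without running `dsregcmd`.

```powershell
# Added example: parse dsregcmd /status and check hybrid join state.
function Get-DsregStatus {
    param(
        # Defaults to live output; pass captured lines to parse offline
        [string[]] $StatusLines = (& dsregcmd.exe /status)
    )
    $result = @{}
    foreach ($line in $StatusLines) {
        # Match "   Name : Value"; section borders and blank lines have no colon
        if ($line -match '^\s*(\S[^:]*?)\s*:\s*(.*?)\s*$') {
            $result[$matches[1]] = $matches[2]
        }
    }
    return $result
}

function Test-HybridJoinState {
    param([hashtable] $Status = (Get-DsregStatus))

    $deviceId      = $Status['DeviceId']
    $azureAdJoined = ($Status['AzureAdJoined'] -eq 'YES')
    $domainJoined  = ($Status['DomainJoined']  -eq 'YES')
    $hasDeviceId   = ($deviceId -match '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$')

    [pscustomobject]@{
        AzureAdJoined  = $azureAdJoined
        DomainJoined   = $domainJoined
        HasDeviceId    = $hasDeviceId
        DeviceId       = $deviceId
        TenantName     = $Status['TenantName']
        IsHybridJoined = ($azureAdJoined -and $domainJoined -and $hasDeviceId)
    }
}

# Constructed sample of the relevant dsregcmd /status lines (not real output)
$sample = @(
    '+----------------------------------------------------------------------+',
    '| Device State                                                         |',
    '+----------------------------------------------------------------------+',
    '             AzureAdJoined : YES',
    '          EnterpriseJoined : NO',
    '              DomainJoined : YES',
    '                DomainName : CONTOSO',
    '',
    '                  DeviceId : 12345678-abcd-4ef0-9876-0123456789ab',
    '                TenantName : contoso'
)
Test-HybridJoinState -Status (Get-DsregStatus -StatusLines $sample)   # IsHybridJoined = True

# Live check on the server being joined:
# Test-HybridJoinState
```

`AzureAdJoined : NO` together with `DomainJoined : YES` is the normal state immediately after a fresh domain join; registration is asynchronous, so re-run the check after the `Automatic-Device-Join` task has completed rather than treating the first `NO` as a failure.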

Configuring Group Policy for Device Registration

# Create/edit a GPO for hybrid join settings
$gpo = New-GPO -Name 'Azure-Hybrid-Join'
New-GPLink -Name 'Azure-Hybrid-Join' -Target 'DC=contoso,DC=com'

# Set the GPO setting:
# Computer Configuration > Administrative Templates >
#   Windows Components > Device Registration
# "Register domain-joined computers as devices" = Enabled

# Force GPO update and registration
gpupdate /force
Start-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' -TaskName 'Automatic-Device-Join'

Configuring Conditional Access for Hybrid-Joined Devices

Once devices are hybrid-joined, configure Azure AD Conditional Access to require compliant or hybrid-joined devices for cloud resource access. In the Azure AD portal: Azure Active Directory > Security > Conditional Access > New policy. Under Conditions > Device state, select “Hybrid Azure AD joined” to restrict access to registered corporate devices only.

Troubleshooting Hybrid Join

# View device registration event log
Get-WinEvent -LogName 'Microsoft-Windows-User Device Registration/Admin' -MaxEvents 30 |
    Select-Object TimeCreated,Id,Message | Where-Object {$_.Id -in @(304,306,310,311)} | Format-List

# Common issues:
# - SCP not found: verify Azure AD Connect device options configured
# - Certificate issues: check the MS-Organization-Access certificate in computer store
# - Network: verify access to device registration endpoints
Test-NetConnection -ComputerName 'device.login.microsoftonline.com' -Port 443
certutil -verify -urlfetch "C:\Temp\registration.cer"
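The three checks in the troubleshooting list (certificate, network, event log) are easier to run as one function that returns a single object, so that a failed join on any server can be triaged from a management host. This is an added example and not part of the original guide. It assumes, as the text states, that the device certificate is issued by `MS-Organization-Access` and sits in the computer's personal store; the event IDs reused here are the ones listed above, and the endpoint list is the one the guide tests individually.

```powershell
# Added example: one-shot hybrid join health check for a server.
function Test-HybridJoinHealth {
    param(
        [string[]] $Endpoints = @(
            'login.microsoftonline.com',
            'device.login.microsoftonline.com',
            'enterpriseregistration.windows.net'
        ),
        [int] $MaxEvents = 30
    )

    # 1. Device certificate: issued by MS-Organization-Access, subject CN = Device ID
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -like 'CN=MS-Organization-Access*' } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1

    $certInfo = if ($cert) {
        [pscustomobject]@{
            Present       = $true
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            Expired       = ($cert.NotAfter -lt (Get-Date))
            HasPrivateKey = $cert.HasPrivateKey   # registration is useless without the key
        }
    } else {
        [pscustomobject]@{ Present = $false }
    }

    # 2. Network: TCP 443 to each registration endpoint
    $net = foreach ($h in $Endpoints) {
        $r = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
        [pscustomobject]@{ Endpoint = $h; Reachable = [bool]$r.TcpTestSucceeded }
    }

    # 3. Most recent registration events of interest (IDs from the guide)
    $events = Get-WinEvent -LogName 'Microsoft-Windows-User Device Registration/Admin' `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Id -in @(304, 306, 310, 311) } |
        Select-Object TimeCreated, Id, Message

    [pscustomobject]@{
        Certificate   = $certInfo
        Network       = $net
        RecentEvents  = @($events)
        AllReachable  = (-not ($net | Where-Object { -not $_.Reachable }))
    }
}

# Usage: run locally on the server, or via Invoke-Command from a management host
$health = Test-HybridJoinHealth
$health.Certificate
$health.Network
$health.RecentEvents | Format-List
```

If `Certificate.Present` is `$false` while the network checks pass, registration has not completed (or the certificate was removed), and the event log entries will usually name the failing phase; an `Expired` certificate or one without a private key explains a device that was once joined but has stopped satisfying Conditional Access.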

Summary

Azure AD Hybrid Join on Windows Server 2016 bridges your on-premises Active Directory with Azure AD, enabling Conditional Access, cloud SSO, and device-based security policies on domain-joined servers and workstations. With Azure AD Connect handling the tenant configuration and a Group Policy setting triggering automatic device registration, hybrid join deploys at scale across your entire AD environment with minimal manual intervention.