Overview
This article outlines the steps to configure Microsoft Entra hybrid join for domain-joined devices using Group Policy in Active Directory. This method is suitable for environments with existing Active Directory infrastructure looking to extend capabilities to the cloud.
Step 1: Configure Group Policy for Device Registration
To enable devices in your OU to hybrid join Microsoft Entra ID:
- Open Group Policy Management Console (GPMC)
- Navigate to: Computer Configuration > Policies > Administrative Templates > Windows Components > Device Registration
- Edit 'Register domain-joined computers as devices' and set it to Enabled
- Click OK
If no blank GPOs are available, submit an Active Directory Service Request and select 'Request new GPOs for your department.'
Important: Ensure Block Inheritance is applied on your department’s endpoint OU to prevent higher-level GPOs from overriding your configuration.
Step 2: Verify Microsoft Entra Hybrid Join Status
To confirm the device has successfully hybrid joined, log on to the device and:
- Open Command Prompt (no admin rights required)
- Run: dsregcmd /status
- Confirm both show as 'YES':
  - AzureAdJoined : YES
  - DomainJoined : YES
Note: It may take more than 5 minutes after policy application for Microsoft Entra hybrid join to complete.
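The Step 2 check can be scripted for use across several endpoints. The following PowerShell is an added example, not part of the original article: the function names, the 15-minute timeout and the 60-second polling interval are assumptions, and the sample output at the end is constructed for illustration.

```powershell
# Added example: parse 'dsregcmd /status' and report hybrid join state.
function Get-HybridJoinState {
    param(
        # Lines of 'dsregcmd /status' output; defaults to running it locally.
        [string[]]$StatusText = (& dsregcmd.exe /status)
    )
    $fields = @{}
    foreach ($line in $StatusText) {
        # Status fields are printed as "   AzureAdJoined : YES"
        if ($line -match '^\s*(\w+)\s*:\s*(\S.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    # A missing field compares as not joined rather than throwing.
    $aad = $fields['AzureAdJoined'] -eq 'YES'
    $dom = $fields['DomainJoined'] -eq 'YES'
    [pscustomobject]@{
        AzureAdJoined = $aad
        DomainJoined  = $dom
        HybridJoined  = ($aad -and $dom)
    }
}

# Poll until both fields are YES, since the join can complete several
# minutes after the policy applies. Timeout and interval are assumed values.
function Wait-HybridJoin {
    param([int]$TimeoutMinutes = 15, [int]$IntervalSeconds = 60)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $state = Get-HybridJoinState
        if ($state.HybridJoined) { return $state }
        Start-Sleep -Seconds $IntervalSeconds
    } while ((Get-Date) -lt $deadline)
    return $state   # last observed state; HybridJoined is still false
}

# Constructed sample (not captured from a real device): domain joined,
# Entra registration not yet complete.
$sample = @(
    '             AzureAdJoined : NO'
    '          EnterpriseJoined : NO'
    '              DomainJoined : YES'
)
Get-HybridJoinState -StatusText $sample
```

On a device, run `Wait-HybridJoin` with no arguments; a result where DomainJoined is true and AzureAdJoined is false after the timeout indicates the policy from Step 1 has not taken effect on that device.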