About Hybrid Azure AD joined devices

Hybrid Azure AD joined devices are devices that are joined to on-premises Active Directory (AD) and registered with Azure AD. These devices allow you to take advantage of both on-premises AD and Azure AD capabilities. With hybrid Azure AD join, you can centrally manage workplace devices that are joined to your on-premises Active Directory. Your users can sign in to their registered devices using Azure AD.

Some organizations that have traditional on-premises AD environments increasingly need to allow remote user access to cloud services. Azure AD joined and hybrid Azure AD joined devices balance these needs as shown in this table:

Join type

Self-service enrollment Requires corporate network access Support GPOs

Azure AD Join

Yes No Azure AD Domain Services

Hybrid Azure AD Join

Yes Yes AD Domain Services

Once you implement Azure AD or hybrid Azure AD join, you can integrate it with Okta to provide federation and authentication services.

How to join hybrid devices

To join an AD-joined device to Azure AD, you need to set up Azure AD Connect for hybrid Azure AD join. You also need to create a GPO that auto-enrolls AD-joined devices in Azure AD.

When an AD-joined device attempts to join Azure AD, it uses the Service Connection Point (SCP) you configured in Azure AD Connect to find out your Azure AD tenant information. It attempts to hybrid join but fails because the userCertificate attribute of the computer object isn't yet synced with Azure AD. However, upon failure, the attribute is updated on the device with a certificate from Azure AD. Azure AD Connect syncs this attribute to Azure AD in its next sync interval. Next time when a scheduled task in the GPO retries to hybrid join the device, the task is successful and the device is joined in Azure AD.

This process may take several hours. If you encounter problems during the process, see Troubleshooting hybrid Azure Active Directory joined devices (Microsoft docs).

How Okta works with Hybrid Azure AD joined devices

Once your devices are hybrid Azure AD joined, you can use Okta as an Identity Provider (IdP) to secure enrollment and sign-on processes on these devices. Okta verifies the user’s identity information, and then allows them to register their device in Azure AD or grants them access to their Office 365 resources. The user authenticates with Okta before they can sign in to Microsoft Office 365 and other Azure AD resources.

Next steps

Prerequisites for integrating Hybrid Azure AD join