Configure Hybrid Join in Microsoft Entra ID

When Okta is federated with the Microsoft 365 domain in your Microsoft Entra ID tenant, and your on-premises AD is connected to Okta through the Okta AD Agent, you can begin configuring Hybrid Join.

There are multiple ways to achieve this configuration. This topic explores the following methods:

  1. Microsoft Entra ID Connect and Group Policy Objects

  2. Windows Autopilot and Microsoft Intune

  3. Windows Autopilot and other MDMs

About these methods and the resultant join types

With the Windows Autopilot and an MDM combination, the machine is registered in Microsoft Entra ID as Microsoft Entra ID Joined, and not as Hybrid Microsoft Entra ID Joined. This is because the machine was initially joined through the cloud and Microsoft Entra ID.

If you want the machine to be registered in Microsoft Entra ID as Hybrid Microsoft Entra ID Joined, you also need to set up the Microsoft Entra ID Connect and GPO method. When both methods are configured, the on-premises GPO applies to the new computer object, and with the next Microsoft Entra ID Connect sync a second entry appears in Microsoft Entra ID. You'll then see two records for the new device in Microsoft Entra ID: one Microsoft Entra ID joined and one Hybrid Microsoft Entra ID joined. Both are valid.

For the difference between the two join types, see What is Microsoft Entra ID joined device? and What is a hybrid Microsoft Entra ID joined device? (Microsoft Docs).

Start this procedure

Microsoft Entra ID Connect and Group Policy Objects

With this combination, you can sync local domain machines with your Microsoft Entra ID instance. The machines synchronized from local AD appear in Microsoft Entra ID as Hybrid Microsoft Entra ID Joined.

This procedure involves the following tasks:

  1. Install Microsoft Entra ID Connect: Download and install Microsoft Entra ID Connect on the appropriate server, preferably on a Domain Controller. See Microsoft Entra ID Connect and Azure AD Connect Health installation roadmap (Microsoft Docs).

    The installation wizard prompts for an account with Enterprise Admin permissions. Those credentials are needed only during setup, to create the AD DS connector account and to write the SCP into the forest's Configuration partition; the sync service itself runs under the lower-privileged accounts the wizard creates, so don't give a standing service account Enterprise Admin. Treat the Microsoft Entra ID Connect server as a Tier 0 asset: it stores credentials that can write to both directories.

  2. Configure Microsoft Entra ID Connect for Hybrid Join: See Configure Azure AD Connect for Hybrid Join (Microsoft Docs).

    During Service Connection Point (SCP) configuration, set the Authentication Service to the Okta org you have federated with your registered Microsoft 365 domain.

  3. Configure automatic device registration for a group of devices: create a group policy that enables Register domain joined computers as devices (Computer Configuration > Policies > Administrative Templates > Windows Components > Device Registration) so that your local domain devices register with Microsoft Entra ID as Hybrid joined machines once Microsoft Entra ID Connect has synced their computer objects.

    See Enroll a Windows 10 device automatically using Group Policy (Microsoft Docs).

How local devices join to Microsoft Entra ID

Once you've configured Microsoft Entra ID Connect and appropriate GPOs, the general flow for connecting local devices looks as follows:

  1. A new local device attempts an immediate join. It uses the SCP you set up during Microsoft Entra ID Connect configuration to find your Microsoft Entra ID tenant and its federation information, then reaches out to the federation Security Token Service (STS), which is Okta in this configuration. The authentication attempt fails, and the device automatically falls back to a synchronized join.

  2. Upon failure, the device generates a self-signed certificate and writes it to the userCertificate attribute of its own computer object in on-premises AD.

  3. On its next sync interval, Microsoft Entra ID Connect sends the computer object to Microsoft Entra ID with the userCertificate value. The device appears in Microsoft Entra ID as Hybrid joined, but not yet registered. The sync interval depends on your configuration; the default is 30 minutes.

  4. The Automatic-Device-Join scheduled task built into Windows, which the GPO setting enables, retries the Microsoft Entra ID join.

  5. Since the object now lives in Microsoft Entra ID as joined, the device is successfully registered upon retrying.
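The following PowerShell script is an added verification example; it is not code from the Okta page or from Microsoft. It checks each piece that the GPO step and the join flow above depend on: the SCP that Microsoft Entra ID Connect wrote, the registry value the device registration GPO sets, the Automatic-Device-Join task, the self-signed certificate on the computer object, and the join state that dsregcmd /status reports. It assumes an elevated session on a domain-joined Windows 10 or 11 client that has the RSAT ActiveDirectory module installed; the SCP GUID and container path are the well-known device registration location, and the function names are illustrative.

```powershell
# Added verification script; not part of the Okta page or Microsoft's tooling.
# Run in an elevated PowerShell session on a domain-joined Windows 10/11 client
# after Microsoft Entra ID Connect is configured and the GPO has applied.
# Assumes the RSAT ActiveDirectory module is installed (for Get-ADComputer).
$ErrorActionPreference = 'Stop'

# Step 1 of the flow: the client finds the SCP in the forest Configuration
# partition and reads the tenant ID and verified domain from its keywords.
# The CN GUID is the fixed device registration SCP name Microsoft uses.
function Get-DeviceRegistrationScp {
    $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $scpDn    = "CN=62a0ff2e-97b9-4ad1-a52a-ae52e6a75d8a,CN=Device Registration Configuration,CN=Services,$configNc"
    $keywords = @(([ADSI]"LDAP://$scpDn").keywords)
    [pscustomobject]@{
        DistinguishedName = $scpDn
        TenantId   = ($keywords -match '^azureADId:')   -replace '^azureADId:',   ''
        TenantName = ($keywords -match '^azureADName:') -replace '^azureADName:', ''
    }
}

# Step 3 of the procedure: "Register domain joined computers as devices" sets
# this value. Without it the Automatic-Device-Join task does nothing.
function Test-AutoRegistrationPolicy {
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
    $item = Get-ItemProperty -Path $key -Name autoWorkplaceJoin -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.autoWorkplaceJoin -eq 1)
}

# Step 4 of the flow: the built-in task that retries the join after the sync.
function Get-AutoJoinTask {
    Get-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' -TaskName 'Automatic-Device-Join' |
        Select-Object TaskName, State
}

# Step 2 of the flow: the self-signed certificate the device wrote to its own
# computer object. Its subject is the device ID that later appears in Entra ID.
function Get-DeviceRegistrationCertificate {
    $computer = Get-ADComputer -Identity $env:COMPUTERNAME -Properties userCertificate
    foreach ($raw in $computer.userCertificate) {
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
        [pscustomobject]@{ Subject = $cert.Subject; NotAfter = $cert.NotAfter; Thumbprint = $cert.Thumbprint }
    }
}

# Steps 3 and 5 of the flow: parse "dsregcmd /status" into an object. A hybrid
# joined device reports AzureAdJoined : YES and DomainJoined : YES; a device still
# waiting for the Entra Connect sync reports AzureAdJoined : NO, DomainJoined : YES.
function Get-DsregStatus {
    $map = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*\S)\s*$') { $map[$matches[1]] = $matches[2] }
    }
    [pscustomobject]@{
        AzureAdJoined = $map['AzureAdJoined']
        DomainJoined  = $map['DomainJoined']
        TenantId      = $map['TenantId']
        DeviceId      = $map['DeviceId']
        HybridJoined  = ($map['AzureAdJoined'] -eq 'YES' -and $map['DomainJoined'] -eq 'YES')
    }
}

# Run the checks and flag the two most common misconfigurations.
$scp    = Get-DeviceRegistrationScp
$status = Get-DsregStatus
$scp    | Format-List
$status | Format-List
Get-AutoJoinTask
Get-DeviceRegistrationCertificate
if (-not (Test-AutoRegistrationPolicy)) {
    Write-Warning 'autoWorkplaceJoin is not 1: the device registration GPO has not applied to this client.'
}
if ($status.TenantId -and $scp.TenantId -and $status.TenantId -ne $scp.TenantId) {
    Write-Warning "dsregcmd tenant $($status.TenantId) differs from the SCP tenant $($scp.TenantId)."
}
```

If the SCP lookup fails, Microsoft Entra ID Connect has not written the SCP (or the client cannot reach a domain controller), and step 1 of the flow can never start. If the certificate list is empty after the GPO has applied, the device never reached step 2, which usually means the policy value is missing or the client has not rebooted since the GPO was linked. A device that shows DomainJoined : YES and AzureAdJoined : NO for longer than one sync interval is normally waiting for the next Microsoft Entra ID Connect sync.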

Windows Autopilot and Microsoft Intune

This method creates on-premises domain computer objects for devices as they register with Microsoft Entra ID through Windows Autopilot. With this combination, the machines appear in Microsoft Entra ID as Microsoft Entra ID Joined and are also created in the local on-premises AD domain.

This procedure involves the following tasks:

  1. Set up Windows Autopilot and Microsoft Intune in Microsoft Entra ID: See Deploy hybrid Microsoft Entra ID-joined devices by using Intune and Windows Autopilot (Microsoft Docs).

    The installer for Intune Connector must be downloaded using the Microsoft Edge browser. Since Windows Server 2016 doesn't include Edge, you can use Windows 10 to download the installer and copy it to the appropriate server.

  2. Assign licenses to the appropriate users in the Azure portal: See Assign or remove licenses in Azure (Microsoft Docs). License assignment should include at least Enterprise Mobility + Security (Intune) and Office 365 licensing.

  3. Test the configuration: Once the Windows Autopilot and Microsoft Intune setup is complete, test the configuration using the following steps:

    1. Ensure that the device can resolve the local domain (DNS), but isn't joined to it as a member. The new device is joined to Microsoft Entra ID from the Windows Autopilot Out-of-Box-Experience (OOBE).

    2. On the Sign in with Microsoft window, enter the username of your federated Microsoft 365 account. You're redirected to Okta to sign in.

    3. Once the sign-on process is complete, the computer begins the device set-up through Windows Autopilot OOBE. This may take several minutes.

    4. During this period the client is registered on the local domain through the Domain Join profile created as part of setting up Microsoft Intune and Windows Autopilot. A machine account is created in the specified Organizational Unit (OU). The client machine is also added as a device to Microsoft Entra ID and registered with Intune MDM.

Windows Autopilot and other MDMs

If you're using VMware Workspace ONE or Airwatch with Windows Autopilot, see Enrolling Windows 10 Devices Using Microsoft Entra ID: Workspace ONE UEM Operational Tutorial (VMware Docs).

If you're using other MDMs, follow their instructions.

Next steps

Hybrid Microsoft Entra ID Join integration FAQs

Related topics

Devices