About Hybrid Microsoft Entra ID joined devices

Hybrid Microsoft Entra ID joined devices are devices that are joined to on-premises Active Directory (AD) and registered with Microsoft Entra ID. These devices allow you to take advantage of both on-premises AD and Microsoft Entra ID capabilities. With hybrid Microsoft Entra ID join, you can centrally manage workplace devices that are joined to your on-premises Active Directory. Your users can sign in to their registered devices using Microsoft Entra ID.

Some organizations that have traditional on-premises AD environments increasingly need to allow remote user access to cloud services. Microsoft Entra ID joined and hybrid Microsoft Entra ID joined devices balance these needs as shown in this table:

Join type                        Self-service enrollment   Requires corporate network access   Support GPOs
Microsoft Entra ID Join          Yes                       No                                  Microsoft Entra ID Domain Services
Hybrid Microsoft Entra ID Join   Yes                       Yes                                 AD Domain Services

Once you implement Microsoft Entra ID or hybrid Microsoft Entra ID join, you can integrate it with Okta to provide federation and authentication services.

How to join hybrid devices

To join an AD-joined device to Microsoft Entra ID, you need to set up Microsoft Entra ID Connect for hybrid Microsoft Entra ID join. You also need to create a GPO that auto-enrolls AD-joined devices in Microsoft Entra ID.

When an AD-joined device attempts to join Microsoft Entra ID, it uses the Service Connection Point (SCP) you configured in Microsoft Entra ID Connect to discover your Azure AD tenant information. The first hybrid join attempt fails because the userCertificate attribute of the computer object isn't yet synced to Microsoft Entra ID. On that failure, however, the device writes a certificate from Microsoft Entra ID to the attribute on the computer object. Microsoft Entra ID Connect syncs the attribute to Microsoft Entra ID in its next sync interval. The next time the scheduled task created by the GPO retries the hybrid join, the attempt succeeds and the device is joined to Microsoft Entra ID.

This process may take several hours. If you encounter problems during the process, see Troubleshooting Microsoft Entra hybrid joined devices (Microsoft docs).
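The join flow above has three observable stages (SCP present in AD, userCertificate populated on the computer object, device reporting itself as joined), and each can be checked from the device before you open a troubleshooting case. The following PowerShell script is an added example and not code from Okta or Microsoft; it assumes the ActiveDirectory RSAT module is installed on a domain-joined Windows machine, and that the SCP was written under the standard Device Registration Configuration container in the configuration partition. The scheduled task name and path (Automatic-Device-Join under Workplace Join) are the built-in Windows task that the auto-enrollment GPO drives.

```powershell
# Added example: verify each stage of hybrid Microsoft Entra ID join from the device.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined Windows host.
Import-Module ActiveDirectory

function Get-HybridJoinScp {
    # Microsoft Entra ID Connect writes the SCP into the configuration partition.
    # Its "keywords" attribute carries the tenant name (azureADName:) and tenant ID (azureADId:).
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $base = "CN=Device Registration Configuration,CN=Services,$configNC"
    Get-ADObject -SearchBase $base -Filter 'objectClass -eq "serviceConnectionPoint"' -Properties keywords |
        ForEach-Object {
            [pscustomobject]@{
                DistinguishedName = $_.DistinguishedName
                TenantName        = ($_.keywords | Where-Object { $_ -like 'azureADName:*' }) -replace '^azureADName:', ''
                TenantId          = ($_.keywords | Where-Object { $_ -like 'azureADId:*' })   -replace '^azureADId:', ''
            }
        }
}

function Get-ComputerUserCertificate {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # After the first (failed) join attempt the device writes a certificate into the
    # computer object's userCertificate attribute. An empty result here means the
    # attribute has not been populated yet, so Entra Connect has nothing to sync.
    $computer = Get-ADComputer -Identity $ComputerName -Properties userCertificate
    foreach ($raw in $computer.userCertificate) {
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
        [pscustomobject]@{
            Subject  = $cert.Subject
            Issuer   = $cert.Issuer
            NotAfter = $cert.NotAfter
        }
    }
}

function Get-DsregValue {
    param([string[]]$StatusLines, [string]$Name)
    # dsregcmd /status prints "Name : Value" lines; return the value for one name.
    $line = $StatusLines | Where-Object { $_ -match "^\s*$Name\s*:" } | Select-Object -First 1
    if ($line) { ($line -split ':', 2)[1].Trim() } else { $null }
}

function Get-DeviceJoinState {
    # DomainJoined should read YES on an AD-joined device; AzureAdJoined flips to YES
    # only after the scheduled task's retry succeeds.
    $status = dsregcmd /status
    [pscustomobject]@{
        DomainJoined  = Get-DsregValue -StatusLines $status -Name 'DomainJoined'
        AzureAdJoined = Get-DsregValue -StatusLines $status -Name 'AzureAdJoined'
    }
}

function Get-AutoJoinTaskInfo {
    # The built-in task that retries the hybrid join; LastTaskResult 0 means the last run succeeded.
    Get-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' -TaskName 'Automatic-Device-Join' |
        Get-ScheduledTaskInfo |
        Select-Object LastRunTime, LastTaskResult, NextRunTime
}

# Run all checks and print the results.
"== Service Connection Point ==";   Get-HybridJoinScp | Format-List
"== userCertificate on computer =="; Get-ComputerUserCertificate | Format-Table -AutoSize
"== dsregcmd join state ==";        Get-DeviceJoinState | Format-List
"== Automatic-Device-Join task ==";  Get-AutoJoinTaskInfo | Format-List
```

Read the output top to bottom in the order of the join flow: a missing SCP means Microsoft Entra ID Connect was not configured for hybrid join; an SCP with no userCertificate means the device has not made its first attempt yet (or the GPO is not applying); a certificate present but AzureAdJoined still NO means you are waiting on the next sync interval and the task's next retry, which is the multi-hour delay the text describes.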

How Okta works with Hybrid Azure AD joined devices

Once your devices are hybrid Microsoft Entra ID joined, you can use Okta as an Identity Provider (IdP) to secure enrollment and sign-on processes on these devices. Okta verifies the user's identity information, and then allows them to register their device in Microsoft Entra ID or grants them access to their Office 365 resources. The user authenticates with Okta before they can sign in to Microsoft Office 365 and other Microsoft Entra ID resources.

Next steps

Prerequisites for integrating Hybrid Microsoft Entra ID join