Azure AD hybrid join is a feature of Azure AD Connect and one of several device registration approaches supported by Azure AD. Various Azure features are only available to devices that Azure AD knows about and can therefore trust, for example Windows Hello for Business and device management with Intune.

While Azure Device Registration is a simple, cloud-only registration of a device, Azure AD hybrid join is configured in the Azure AD Connect wizard and applies to domain-joined devices (computers). During sign-in, a Windows 10 computer (or a suitably configured down-level device, which could be as old as Windows 7) can discover a service connection point configured by Azure AD Connect. This causes the device to generate a certificate, which Azure AD Connect synchronizes to Azure AD.

As a result, Azure AD trusts the device the user is signing in from, and if AD trusts the user (they can sign in), Azure AD authenticates the user without further interaction: the user experiences single sign-on (though MFA or other requirements may subsequently apply).
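The two halves of that flow, the service connection point that Azure AD Connect writes into AD and the registration state the device ends up in, can both be checked from the defender's side. The script below is an added example and not part of the original article: it reads the SCP from the Configuration naming context (the object name is the well-known GUID Azure AD Connect uses for it), parses the output of `dsregcmd /status` on a client, and confirms the device reports as both domain-joined and Azure AD joined to the same tenant the SCP points at. It assumes the ActiveDirectory RSAT module is installed and that it runs on a Windows 10 domain member; the function names are my own.

```powershell
# Added example (not from the original article): verify a hybrid join end to end.
#  1. Read the service connection point (SCP) Azure AD Connect writes to AD, so you
#     know which tenant domain-joined devices will register with.
#  2. Parse 'dsregcmd /status' on the client and confirm it is domain-joined,
#     Azure AD joined, and registered to the tenant named in the SCP.
# Assumes the ActiveDirectory RSAT module and a Windows 10 domain member.

Import-Module ActiveDirectory

function Get-HybridJoinScp {
    # Well-known SCP object name used by Azure AD Connect for hybrid join discovery
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $scpDn = "CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,$configNC"
    $scp = Get-ADObject -Identity $scpDn -Properties keywords -ErrorAction Stop
    # keywords holds entries such as 'azureADName:contoso.com' and 'azureADId:<tenant guid>'
    $result = @{}
    foreach ($kw in $scp.keywords) {
        $name, $value = $kw -split ':', 2
        $result[$name] = $value
    }
    return $result
}

function ConvertFrom-DsregcmdStatus {
    param([string[]]$Lines)
    # dsregcmd prints 'Key : Value' lines under +---- section headers; keep the pairs
    $status = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

$scp = Get-HybridJoinScp
Write-Host "SCP tenant: $($scp['azureADName']) ($($scp['azureADId']))"

$status = ConvertFrom-DsregcmdStatus -Lines (dsregcmd /status)
$domainJoined = $status['DomainJoined'] -eq 'YES'
$aadJoined    = $status['AzureAdJoined'] -eq 'YES'
$tenantMatch  = $status['TenantId'] -eq $scp['azureADId']

if ($domainJoined -and $aadJoined -and $tenantMatch) {
    Write-Host "Device $env:COMPUTERNAME is hybrid joined to the expected tenant (DeviceId $($status['DeviceId']))."
} else {
    Write-Warning "Hybrid join incomplete or mismatched: DomainJoined=$domainJoined AzureAdJoined=$aadJoined TenantMatch=$tenantMatch"
}
```

A device that shows `DomainJoined : YES` but `AzureAdJoined : NO` has not completed registration (typically it has not yet had a sign-in that reached the SCP, or Azure AD Connect has not synchronized its certificate), so it will not get the single sign-on described above; a tenant mismatch means the SCP points somewhere other than the tenant the device registered with and should be investigated before trusting the device.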

In scenarios where Active Directory users work on corporate devices that are domain-joined to AD, Azure AD hybrid join provides a very convenient, powerful and secure single sign-on solution. On its own, it is unlikely to be sufficient, as there will be situations where the user is not an AD user (seasonal workers, students, guests) and/or is not using a domain-joined device. For these scenarios another authentication option is chosen, such as password hash synchronization (PHS) or pass-through authentication (PTA).

Last reviewed December 2021