Hybrid Azure AD Join – How a computer device is recognized as Hybrid device ?
You may have noticed that:
- if you remove a hybrid domain joined device from AAD, it comes up again.
- if you revert the machine or shut it down, then remove the hybrid device from AAD again, still it comes up again.
Why the hybrid domain joined device comes up again?
When the device auto join the hybrid domain to AAD, it writes something to the device (computer) object in on-premise AD.
What is the attribute to identify hybrid device?
That is the userCertificate attribute.
You can verify it by the following steps:
- copy the hex code and decode HEX to PEM certificate.
- Decode the PEM certificate
- Compare the common name with the device ID of AAD, they match.
To safely decode the hex to certificate, check this blog[3].
When the hybrid domain joined device comes up again?
It comes up only when the following conditions are met:
- The userCertificate attribute remains there.
- The AAD Connect synchronization cycle works as expected.
Which means, it relies on the AAD Connect. To know more about AAD Connect, read my previous post:
Azure AD Connect: How to manually synchronize using import, syncronize, export?
To summarize:
- Remove hybrid joined device object from AAD won’t cause the userCertificate removed from on-premise AD
- Remove the userCertificate attribute from on-premise AD will cause hybrid device object to be removed from AAD
References
[1] HEX to PEM certificate
[2] Decode PEM certificate
[3] How to easily decode the userCertificate or caCertificate attribute in Active Directory (with only the tools built into Windows)
版权声明
本文出自 Lesca 技术宅,转载时请注明出处及相应链接。