Conditional Access and Hybrid AD Join

It is quite common to use the Hybrid AD Join device state as a condition in Conditional Access. Whilst it isn't as strong as Require Compliant Device, it is much easier to attain in an existing estate with mixed hardware.

If you're having trouble getting the device to Hybrid AD Join, or to show AzureAdPrt : YES in the dsregcmd /status output, then see our previous blog on Troubleshooting Hybrid AD Join.

If your device has been Hybrid AD Joined and you're still having issues with Azure AD not seeing that the device is Hybrid AD Joined, then you're in the right place.

First of all, there are strict requirements around browsers. IE and Legacy Edge work as-is; Chromium Edge needs the profile to be signed in with the work account; and Chrome needs the Windows 10 Accounts extension installed and enabled. Only those browsers send device information to Azure AD, and only in that state. InPrivate/Incognito mode is not supported, because the private window does not have access to the signed-in profile or the PRT.

Issues often arise when you want to sign in as a different user. The problem here is that the browser only has access to the PRT that belongs to the user who is signed into the browser profile (Edge) or, otherwise, the user who is signed into the device. We can check the PRT for a specific user by running Command Prompt as that user (for example with runas) and then checking AzureAdPrt in the output from dsregcmd /status. Again, if AzureAdPrt : NO then refer to the Troubleshooting Hybrid AD Join blog.

If AzureAdPrt : YES and you still have problems, then make sure that the browser profile is signed in as the user you're trying to access the service with. If it is and it's still not working, delete that profile and create it again; when prompted to sign in, make sure that you untick the option "Allow my organization to manage the device". Leaving it ticked Azure AD Registers the device under that account as well, which puts the device into a dual state (Hybrid AD Joined and Azure AD Registered at the same time) and causes exactly this kind of failure. If that has already happened, disconnect the account under Settings > Accounts > Access work or school before recreating the profile.

After that the secondary account should have its own PRT that the browser has access to, and the Hybrid AD Join Conditional Access condition can be met.
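The checks described above, as a PowerShell script added here as an example (it is not from the original post). It parses the dsregcmd /status output for the three facts the post relies on, the device's Hybrid AD Join state, the current user's PRT, and whether that user has also Azure AD Registered the device (the WorkplaceJoined line in the User State section), and prints which step of the post applies. The script name and the CONTOSO\secondary account in the runas line are placeholders.

```powershell
# Added example: check Hybrid AD Join state and the current user's PRT.
# Run it in the context of the user you are testing, for example:
#   runas /user:CONTOSO\secondary "powershell.exe -NoProfile -File .\Test-HybridJoinPrt.ps1"

function Get-DsregStatus {
    # dsregcmd /status prints "Key : Value" lines under section headers.
    # Collect them into a hashtable; the first occurrence of a key wins.
    $result = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            if (-not $result.ContainsKey($Matches[1])) {
                $result[$Matches[1]] = $Matches[2]
            }
        }
    }
    return $result
}

function Test-HybridJoinPrt {
    $s = Get-DsregStatus

    # Hybrid AD Join = joined to on-prem AD *and* to Azure AD (Device State section)
    $hybrid = ($s['AzureAdJoined'] -eq 'YES') -and ($s['DomainJoined'] -eq 'YES')
    # PRT for the user this process runs as (SSO State section)
    $prt    = ($s['AzureAdPrt'] -eq 'YES')
    # Dual state: this user has also Azure AD Registered the device (User State section)
    $dual   = ($s['WorkplaceJoined'] -eq 'YES')

    if (-not $hybrid) {
        $verdict = 'Device is not Hybrid AD Joined: see the Troubleshooting Hybrid AD Join post'
    }
    elseif (-not $prt) {
        $verdict = 'No PRT for this user: see the Troubleshooting Hybrid AD Join post'
    }
    elseif ($dual) {
        $verdict = 'Dual state: this user Azure AD Registered the device. Disconnect it under ' +
                   'Settings > Accounts > Access work or school and recreate the browser profile ' +
                   'with "Allow my organization to manage the device" unticked'
    }
    else {
        $verdict = 'Device state and PRT are fine: check the browser (Edge profile signed in as this user, ' +
                   'Chrome with the Windows 10 Accounts extension enabled, not InPrivate/Incognito)'
    }

    [pscustomobject]@{
        User           = "$env:USERDOMAIN\$env:USERNAME"
        HybridAdJoined = $hybrid
        AzureAdPrt     = $prt
        PrtUpdateTime  = $s['AzureAdPrtUpdateTime']
        DualState      = $dual
        Verdict        = $verdict
    }
}

Test-HybridJoinPrt | Format-List
```

Run it once as the primary user and once via runas as the secondary user: the Device State values are the same for both, but AzureAdPrt and WorkplaceJoined are per-user, which is why the post has you check the PRT in a Command Prompt running as the account you actually sign in with.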

Enjoy the CA!