How to auto enroll a Hybrid Azure AD join device in Intune

Many companies use Domain Controllers on-premises but they also use cloud technologies like Azure or Intune to extend their capabilities.

Intune is very helpful when you need to manage devices outside your internal network or devices that aren't joined to a domain.

Furthermore, Intune can be useful for devices on an internal network for different reasons.

Some of them are:

  • Manage and secure the domain-joined laptops of employees who travel a lot and need access to company resources as an internal user.
  • Technologies like Conditional Access add another level of security and more flexibility.
  • Decrease the time IT spends on managing devices.

Hybrid Azure AD join devices are devices that are joined to an on-premises Active Directory domain and registered in Azure AD.

If you need to manage a device from Intune MDM and the device is domain-joined, you must use the Hybrid Azure AD join type.

Today I would like to explain how you can enroll a Hybrid Azure AD join device in Intune MDM.


Before you proceed with the steps, read the following requirements carefully and make sure that you comply with them:

  • Windows 10 1706 and later.
  • A device must be registered in Azure AD
  • The user must have a valid license to support the device enrollment
    • Licenses available for Microsoft Intune
      • Microsoft 365 E5
      • Microsoft 365 E3
      • Enterprise Mobility + Security E5
      • Enterprise Mobility + Security E3
      • Microsoft 365 Business Premium
      • Microsoft 365 F1
      • Microsoft 365 F3
      • Microsoft 365 Government G5
      • Microsoft 365 Government G3
      • Intune for Education

Furthermore, you can find more details in Microsoft Intune licensing.


Enroll the Hybrid Azure AD join device in Intune

Follow these steps to enroll your company's Hybrid Azure AD join devices in Intune MDM.

So let's start !!

#Ensure that the Autoenrollment is activated in the Intune Portal

The first step is to ensure that auto-enrollment for the users is activated in the Intune Portal.

We can verify this by doing the following:

  • Log in to the Microsoft Endpoint Manager Admin Center
  • Click on Devices
  • Click on Enroll devices


  • Click on Automatic enrollment


  • Verify that the MDM user scope is set to All, or to Some if you want only specific users to auto-enroll their devices in Intune.


If everything is set correctly, let's go to the next step.


#Create OU for the devices to apply the GPO

You must create an Organizational Unit (OU) in Active Directory to hold all the devices that you want to auto-enroll in Intune MDM. You will need the OU in the next step to assign a GPO for the auto-enrollment.

  • Open Active Directory Users and Computers.
  • Select where you want to create the OU.
  • Right-click and select Organizational Unit.
  • Give it a name and click OK.
  • Now move all the devices that you plan to auto-enroll to this OU.
  • In my Active Directory I have created an Organizational Unit with the name Win10.


Good! Let's go to the next step.


#Create the GPO to auto enroll a device

The last step is to create the GPO that will auto-enroll the devices to Intune MDM.

  • Open the Group Policy Management Console.
  • Create a new Group Policy.
  • Go to Computer Configuration -- Policies -- Administrative Templates -- Windows Components -- MDM
  • Edit the setting Enable Automatic MDM enrollment using default Azure AD Credentials


  • Select Enabled
  • Under Options, change Select Credential Type to Use to User Credential.
  • Note that the User Credential option is available only starting with the Windows 10 1903 ADMX templates, which you must download and add to your Central Store for Group Policy.
  • You can download the Windows 10 1903 ADMX templates from Administrative Templates (.admx) for Windows 10 May 2019 Update (1903) v3.0


  • Link the GPO to the Organizational Unit that you created in the previous step.
  • Wait until the GPO applies to the devices, or run gpupdate /force on a PC.
  • Then restart the PC and follow the next step to verify that the PC has been enrolled in Intune MDM.
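
The OU and GPO steps above can also be scripted. This is an added example, not part of the original post: the domain DN, GPO name and computer name are placeholders, and it assumes the administrative template stores its setting in the AutoEnrollMDM and UseAADCredentialType registry policy values.

```powershell
# Added example: scripted OU + GPO setup for MDM auto-enrollment.
# Run on a management host with the ActiveDirectory and GroupPolicy RSAT modules.
Import-Module ActiveDirectory, GroupPolicy

# Placeholders / assumptions: adjust to your environment.
$DomainDn  = 'DC=corp,DC=example,DC=com'   # placeholder domain
$OuName    = 'Win10'                       # OU name used in the post
$GpoName   = 'Intune-AutoEnroll'           # hypothetical GPO name
$Computers = @('PC-001')                   # hypothetical device names
$OuDn      = "OU=$OuName,$DomainDn"

# 1. Create the OU only if it does not exist yet.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" `
        -SearchBase $DomainDn -SearchScope OneLevel
if (-not $ou) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDn
}

# 2. Move the devices that should auto-enroll into the OU.
foreach ($name in $Computers) {
    Get-ADComputer -Identity $name | Move-ADObject -TargetPath $OuDn
}

# 3. Create the GPO and write the registry-based policy values.
$PolicyKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName -Comment 'Auto-enroll hybrid joined devices in Intune' | Out-Null
}
# AutoEnrollMDM = 1 corresponds to "Enabled".
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey `
    -ValueName 'AutoEnrollMDM' -Type DWord -Value 1 | Out-Null
# UseAADCredentialType: 1 = User Credential, 2 = Device Credential.
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey `
    -ValueName 'UseAADCredentialType' -Type DWord -Value 1 | Out-Null

# 4. Link the GPO to the OU only, so devices outside it are not enrolled.
$linked = (Get-GPInheritance -Target $OuDn).GpoLinks.DisplayName
if ($linked -notcontains $GpoName) {
    New-GPLink -Name $GpoName -Target $OuDn -LinkEnabled Yes | Out-Null
}

# Show what the GPO now contains for review.
Get-GPRegistryValue -Name $GpoName -Key $PolicyKey |
    Select-Object ValueName, Value, Type
```

Linking the GPO at the OU rather than at the domain root keeps the enrollment scope limited to the devices you moved there.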


#Verify the enrollment of the devices in the Intune MDM

You have different ways to verify that a device is enrolled in the Intune MDM.

Let's see which ones they are.

##Verify the enrollment from the Intune MDM

You can very easily and quickly verify which devices are enrolled from the Intune Portal.

  • Open the Microsoft Endpoint Manager Admin Center.
  • Go to Devices.
  • Select All Devices. On the right side, you will see all the devices that are enrolled.


##Verify the enrollment from the Azure AD

Another way to verify the enrollment is from the Azure AD.

  • Open the Azure Active Directory.
  • Click on Devices -- All Devices.
  • The MDM column must show Microsoft Intune.



##Verify the enrollment from the Device

If you are logged in to the device that you want to enroll in Intune, you can verify the enrollment as follows:

  • Click Start -- Settings -- Accounts
  • On the left side select Access work or school
  • Click on the Connected to ........
  • If the button Info is enabled then the device is enrolled.
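
When the Info button is not enabled, the checks below show which stage is missing: hybrid join state, the applied policy, or the auto-enrollment result. This is an added example, not part of the original post; it assumes the policy values AutoEnrollMDM and UseAADCredentialType and the auto-enrollment event IDs 75 (succeeded) and 76 (failed) in the DeviceManagement-Enterprise-Diagnostics-Provider Admin log.

```powershell
# Added example: run in an elevated PowerShell session on the device.

# Extract one "Name : Value" field from the dsregcmd /status output.
function Get-DsregField {
    param([string[]]$Lines, [string]$Name)
    $m = $Lines | Select-String -Pattern "^\s*$Name\s*:\s*(.+)$" |
         Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value.Trim() }
}

# 1. Hybrid join state: both fields must be YES for a hybrid joined device.
$dsreg = dsregcmd /status

# 2. Policy values written by the auto-enrollment GPO (absent = GPO not applied).
$policy = Get-ItemProperty -ErrorAction SilentlyContinue `
    -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'

# 3. Most recent auto-enrollment result from the MDM diagnostics log.
$log   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$event = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 75, 76 } `
            -MaxEvents 1 -ErrorAction SilentlyContinue

$result = [pscustomobject]@{
    AzureAdJoined        = Get-DsregField $dsreg 'AzureAdJoined'
    DomainJoined         = Get-DsregField $dsreg 'DomainJoined'
    AutoEnrollMDM        = $policy.AutoEnrollMDM          # expected 1
    UseAADCredentialType = $policy.UseAADCredentialType   # 1 = User Credential
    LastEnrollEventId    = $event.Id                      # 75 = success, 76 = failure
    LastEnrollEventTime  = $event.TimeCreated
}
$result | Format-List

# Summarise the first failing stage so the fix is obvious.
if ($result.AzureAdJoined -ne 'YES' -or $result.DomainJoined -ne 'YES') {
    'Device is not hybrid Azure AD joined yet.'
} elseif ($result.AutoEnrollMDM -ne 1) {
    'Auto-enrollment GPO has not applied; check the OU link and run gpupdate /force.'
} elseif ($result.LastEnrollEventId -eq 76) {
    'Auto-enrollment failed; read the event message for the error code.'
} elseif ($result.LastEnrollEventId -eq 75) {
    'Auto-enrollment succeeded.'
} else {
    'Policy applied; enrollment has not run yet.'
}
```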


That's it!!

I hope this helps you enroll your Hybrid AD Join device in Intune.