Azure Hybrid Join configuration profile


Hybrid Azure AD Join has been implemented with Rutgers Active Directory (RAD) and is now available for use. A device is said to be hybrid joined if it has both an AD object and an Azure AD (AAD) object, which allows users of that device to sign in with a RAD user account.

With Hybrid Joins the university can now leverage:

A device in Rutgers Active Directory (RAD) can end up in a hybrid joined state one of two ways:

A hybrid joined computer is joined to both AD and AAD, but the AD join is primary because the device initially uses AD authentication. Only Windows devices can be hybrid joined.

Azure Hybrid Join Configuration Profile

AD Join from Azure Configuration Profile

NOTE: This is NOT required if the device is already part of RAD. It is only required for new deployments or Azure-only joined devices.

  1. Log into Endpoint.microsoft.com and click on Devices and under the Policy heading, click Configuration Profiles.

    Windows Device Configuration profiles

  2. Click Create Profile, select Windows 10 and Later as the Platform and Templates as the Type.


    Create profile in device configuration

  3. Find Domain Join in the list and click Create.

    Domain Join

  4. Name your Configuration and click Next.
    Naming Domain Join
  5. Here we specify the computer name prefix, the domain, and the OU where the device will be placed.
    1. The Computer Name Prefix can be 12 characters long, allowing Azure to randomly assign the last 3 characters to be unique. This prevents us from being able to pre-populate computer names in RAD.
    2. Enter the Domain you wish to Join.
    3. Add the FQDN of the OU where you wish for the devices to be added.
    4. Click Next.

      Domain Join computer name prefix, and domain name.
  6. You will then need to set the Scope Tag for your department and assign the Configuration to a group of devices.
  7. The Intune Connector will create the Computer Object and Join the device on your behalf.
  8. Devices that are decommissioned or re-imaged will need to be reset and manually removed from AD.
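
Because the last characters of each name are random (step 5.1) and old objects must be removed by hand (step 8), computer objects left behind by re-imaged devices can accumulate in the target OU. The following is an added example, not Rutgers' own tooling: it checks a prefix against the 12-character limit and lists objects under that prefix that have not logged on recently, for review before removal. The prefix, OU value, 90-day threshold, function names and device rows are all constructed assumptions.

```powershell
# Added example with constructed values; not part of the original procedure.
$Prefix         = 'RU-DEPT-'                              # hypothetical prefix (step 5.1)
$OuPath         = 'OU=Hybrid,OU=Dept,DC=example,DC=edu'   # hypothetical OU value (step 5.3)
$StaleAfterDays = 90                                      # assumed review threshold

function Test-JoinPrefix {
    param([Parameter(Mandatory)][string]$Prefix)
    # Page limit: 12 characters, leaving 3 random ones inside the 15-character NetBIOS name.
    # Letters, digits and hyphen only is a conservative character set (assumption).
    return ($Prefix -match '^[A-Za-z0-9-]{1,12}$')
}

function Find-StaleJoinedComputer {
    param(
        [Parameter(Mandatory)][object[]]$Computer,
        [Parameter(Mandatory)][string]$Prefix,
        [int]$StaleAfterDays = 90,
        [datetime]$Now = (Get-Date)
    )
    $cutoff = $Now.AddDays(-$StaleAfterDays)
    # Keep only objects created under this profile's prefix, then those with
    # no recorded logon or a logon older than the cutoff. Nothing is deleted here.
    $Computer |
        Where-Object { $_.Name -like "$Prefix*" } |
        Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff } |
        Sort-Object LastLogonDate |
        Select-Object Name, LastLogonDate, Enabled
}

# Constructed sample rows standing in for AD computer objects.
$sample = @(
    [pscustomobject]@{ Name = 'RU-DEPT-A1B'; LastLogonDate = [datetime]'2024-05-20'; Enabled = $true }
    [pscustomobject]@{ Name = 'RU-DEPT-Q7Z'; LastLogonDate = [datetime]'2023-11-02'; Enabled = $true }  # old object of a re-imaged device
    [pscustomobject]@{ Name = 'RU-DEPT-K3M'; LastLogonDate = $null;                  Enabled = $true }  # never logged on; may be newly created
    [pscustomobject]@{ Name = 'LAB-PC-01';   LastLogonDate = [datetime]'2022-01-01'; Enabled = $true }  # different naming scheme, ignored
)
# Live data instead of the sample (needs the RSAT ActiveDirectory module):
# $sample = Get-ADComputer -Filter "Name -like '$Prefix*'" -SearchBase $OuPath -Properties LastLogonDate

if (-not (Test-JoinPrefix -Prefix $Prefix)) {
    throw "Prefix '$Prefix' does not fit the 12-character limit."
}
Find-StaleJoinedComputer -Computer $sample -Prefix $Prefix `
    -StaleAfterDays $StaleAfterDays -Now ([datetime]'2024-06-01')
```

With the sample rows and the fixed date, the output lists RU-DEPT-K3M and RU-DEPT-Q7Z as candidates for manual review.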