Automatic enrollment of Hybrid Azure AD joined devices using Group Policy Object

You can automatically mass-enroll a large number of Hybrid Azure AD joined corporate devices into BigFix MCM without any user intervention or admin user credentials. Enrollment into MDM is triggered by a group policy created in the local (on-premises) Active Directory.

What is Hybrid Azure AD join

A Hybrid Azure AD joined device is visible in both your on-premises AD and in Azure AD. After the devices are added to the Domain Controller (on-premises AD), integrating on-premises AD with Azure AD makes them Hybrid Azure AD joined devices. When Azure AD is configured, Azure AD joined devices are automatically enrolled to BigFix MCM. This way, you can apply group policies to multiple devices and enroll them to BigFix MCM with non-admin user credentials. For more information, see https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-join-hybrid

How to configure

To configure, complete the following steps:
  1. Integrate On-premises AD with Azure AD.
    Note: You can integrate through the Azure AD Connect, after which all the objects are synchronized to Azure AD from on-premises AD.
  2. Define group policies in the domain controller.
  3. Assign a group policy to Hybrid AD joined devices.

Once the Hybrid AD joined device is assigned to a group policy, the device automatically gets enrolled to BigFix MCM service.

Requirements

  • Domain controller or On-premises AD with users and devices configured
  • Azure AD with BigFix MCM application configured
  • Administrator privileges on both on-premises and Azure AD

Procedure

Integrate On-premises AD with Azure AD
  1. Download Azure AD Connect, open Azure AD Connect, and click Configure.

  2. Select Customize synchronization options and click Next.

  3. Enter Azure AD Global Administrator credentials and click Next. The credentials are verified and the connection to Azure AD is established.

  4. After the Azure AD is connected, enter Enterprise Admin credentials to connect to on-premises AD. When the Connect your directories screen appears, enter connection information of the on-premises directories and click Add Directory.

  5. After the directory is listed under CONFIGURED DIRECTORIES, click Next.
  6. On the next screen, select Sync all domains and OUs options and click Next.

  7. In the next screen, ensure the required optional features are selected and click Next.

  8. On the next screen, click Configure.

Once the synchronization is complete, all the users and devices in the on-premises AD appear in Azure AD as well.

After integration

All the users and computers are synchronized. You can see "Yes" under the Directory synced column in Azure AD.
Note: The screenshots were captured at the time of creating this document. For latest UI, refer to the official documentation at https://docs.microsoft.com/en-us/mem/autopilot/ as the Azure UI gets updated with Microsoft releases.
  • Users synchronized (screenshots: on-premises AD and Azure AD)
  • Devices synchronized and become Hybrid AD joined devices (screenshots: on-premises AD and Azure AD)

Define group policies in the domain controller
  1. From the Group Policy Management screen, under Domains, select your domain, right-click Group Policy Objects, and select New from the context menu.

  2. In the New GPO pop-up, enter the group policy name and click OK. The created policy is listed under Group Policy Objects.
  3. To enable a non-admin user to enroll to BigFix MCM, select the created group policy and click Settings. Under Computer Configuration > Policies > Administrative Templates > Windows Components/MDM, do the following:
    1. Enable the setting "Enable automatic MDM enrollment using default Azure AD credentials".
    2. For Select Credential Type to Use, select User Credential.

    Now, the group policy is created and defined to enable non-admin users to enroll.

    Next step: Associate the defined policy to devices.

Assign the group policy (that enables non-admin device user to enroll) to Hybrid AD joined devices
  1. Assign the group policy to the organizational unit (OU)
    1. Under Group Policy Management, select Domains, right-click the organizational unit, and select Link an Existing GPO.

    2. In the Select GPO pop-up, select the desired Group Policy Object and click OK.

  2. Assign the device to the organizational unit
    1. To move the computers to the OU, open Active Directory Users and Computers and navigate to Computers.
    2. Right-click the device and click Move.

    3. In the Move pop-up, select the organizational unit and click OK.

      The computer is now moved to the selected OU, and this device is eligible for automatic enrollment.

Enrollment process

When a Hybrid AD joined device is restarted, it is automatically enrolled to BigFix MCM.

To verify the Azure AD and on-premises AD join state and other details, open a command prompt on the enrolled device and run dsregcmd /status. The output lists all the required details.
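The following PowerShell script is an added example, not part of the BigFix MCM documentation. Run it on a device after a reboot (or gpupdate /force) to check that the GPO from the procedure above has applied and that dsregcmd reports the device as both domain joined and Azure AD joined. It assumes the registry values that the "Enable automatic MDM enrollment using default Azure AD credentials" policy writes (AutoEnrollMDM, UseAADCredentialType) and the name pattern of the auto-enrollment scheduled task; both are assumptions, not taken from this page.

```powershell
# Added verification script (not from the BigFix MCM documentation).
# Assumption: the MDM auto-enrollment policy writes AutoEnrollMDM = 1 and
# UseAADCredentialType = 1 ("User Credential") under this policy key.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
$results = [ordered]@{}

# 1. GPO registry values (present only after the policy has been applied)
$mdm = Get-ItemProperty -Path $PolicyPath -ErrorAction SilentlyContinue
$results['GPO AutoEnrollMDM = 1']                          = ($mdm.AutoEnrollMDM -eq 1)
$results['GPO UseAADCredentialType = 1 (User Credential)'] = ($mdm.UseAADCredentialType -eq 1)

# 2. Join state parsed from dsregcmd /status ("Key : Value" lines).
#    DomainJoined = YES and AzureAdJoined = YES together mean Hybrid Azure AD joined.
$state = @{}
dsregcmd /status | ForEach-Object {
    if ($_ -match '^\s*(\S+)\s*:\s*(.+?)\s*$') { $state[$Matches[1]] = $Matches[2] }
}
$results['dsregcmd DomainJoined = YES']  = ($state['DomainJoined']  -eq 'YES')
$results['dsregcmd AzureAdJoined = YES'] = ($state['AzureAdJoined'] -eq 'YES')

# 3. Auto-enrollment scheduled task created by the MDM policy
#    (assumed task name pattern under \Microsoft\Windows\EnterpriseMgmt\).
$task = Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object {
    $_.TaskPath -like '\Microsoft\Windows\EnterpriseMgmt\*' -and
    $_.TaskName -like '*automatically enrolling in MDM*'
}
$results['MDM auto-enrollment scheduled task present'] = [bool]$task

# 4. Enrollment record: a completed MDM enrollment appears as a subkey of
#    HKLM\SOFTWARE\Microsoft\Enrollments carrying an EnrollmentType value.
$enrollKeys = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
    Where-Object { $null -ne (Get-ItemProperty $_.PSPath).EnrollmentType }
$results['MDM enrollment recorded in registry'] = [bool]$enrollKeys

# Report: a FAIL on 1 or 3 points at the GPO not applying; a FAIL on 2 means the
# device is not Hybrid joined, so the policy will not trigger enrollment at all.
foreach ($entry in $results.GetEnumerator()) {
    $status = if ($entry.Value) { 'PASS' } else { 'FAIL' }
    "$status  $($entry.Key)"
}
```

Run from an elevated prompt so the policy key and the enrollment keys are readable; check 4 is expected to pass only after the device has restarted and enrolled.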

To begin the enrollment process, do the following steps:

  1. On the Windows device that is associated with the MDM server, connect to the Internet, enter the password as set in Azure AD, and update the password.
  2. The End User License Agreement page appears. After reading the license agreement, select the check box and click Accept. The autopilot enrollment process begins.
    After the enrollment is completed, go to Settings > Access work or school to verify the MDM server details.

    Click Info to verify the policy and application details.