How to Configure Hybrid Entra ID Join
Hybrid Entra ID join allows Windows devices to be joined to both on-premises Active Directory and Entra ID simultaneously. The device receives Group Policy from AD and MDM policies from Intune. This is the standard approach for organisations migrating gradually from on-premises to cloud.
What hybrid join is
A hybrid Entra ID joined device appears in both AD (as a computer account that receives GPOs) and Entra ID (as a device in your tenant that receives Intune policies). This differs from pure Entra ID join (cloud-only) and pure domain join (on-premises only).
Prerequisites
- On-premises Active Directory with Windows Server 2008 R2 or later domain functional level
- Entra Connect syncing user accounts from AD to Entra ID
- Windows 10 1607 or later on clients
- Devices must be domain-joined to on-premises AD first
Configure hybrid join
- Select Configure Hybrid Azure AD join
- Select your AD forest
- Choose Windows 10 or later domain-joined devices
- Select your Azure AD domain
- Complete the wizard
Verify devices are joined
# On the device
dsregcmd /status
# Look for:
# AzureAdJoined : YES
# DomainJoined : YES
# Both YES = hybrid join successful
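To run the same check from a script rather than reading the output by eye, the two fields can be parsed and classified. This PowerShell is an added example, not part of the original page; the function name Get-JoinState and the sample text are constructed for illustration, and it relies only on the AzureAdJoined and DomainJoined fields shown above.

```powershell
# Added example: classify a device's join state from `dsregcmd /status` output.
function Get-JoinState {
    param(
        # Lines of dsregcmd /status output; defaults to running it on this device.
        [string[]]$StatusLines = (dsregcmd /status)
    )

    # Collect "Name : Value" pairs; section banners and blank lines do not match.
    $fields = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*(\w+)\s*:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    # A missing field compares as not equal to YES, so it counts as not joined.
    $entra  = $fields['AzureAdJoined'] -eq 'YES'
    $domain = $fields['DomainJoined'] -eq 'YES'

    if ($entra -and $domain) { $state = 'Hybrid joined' }
    elseif ($entra)          { $state = 'Entra ID joined only' }
    elseif ($domain)         { $state = 'Domain joined only (hybrid join not complete)' }
    else                     { $state = 'Not joined' }

    [pscustomobject]@{
        AzureAdJoined = $fields['AzureAdJoined']
        DomainJoined  = $fields['DomainJoined']
        IsHybrid      = ($entra -and $domain)
        State         = $state
    }
}

# Constructed sample output (not captured from a real device) for offline use.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : NO
              DomainJoined : YES
'@ -split "`r?`n"

Get-JoinState -StatusLines $sample   # parse the constructed sample
# Get-JoinState                      # on a Windows client: parse live output
```

A device reported as domain joined only is still managed by Group Policy but does not yet appear in Entra ID, so it is not receiving Intune policies.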
Frequently Asked Questions
Yes. Configure automatic MDM enrolment in Entra ID under Mobility (MDM and MAM) > Microsoft Intune.
Yes. Windows Hello for Business (WHfB) works on hybrid joined devices.
Hybrid join is the device registration state. Co-management means both SCCM and Intune managing the device simultaneously.