This article describes three ways to locate and verify the Microsoft Entra hybrid joined device state.
Locally on the device
Follow these steps:
Open Windows PowerShell.
Enter dsregcmd /status.
Verify that both AzureAdJoined and DomainJoined are set to YES.
You can use the DeviceId and compare the status on the service using either the Microsoft Entra admin center or PowerShell.
For downlevel devices, see the article Troubleshooting Microsoft Entra hybrid joined down-level devices.
Using the Microsoft Entra admin center
Follow these steps:
Sign in to the Microsoft Entra admin center as at least a Cloud Device Administrator.
Browse to Identity > Devices > All devices.
If the Registered column says Pending, then Microsoft Entra hybrid join hasn't completed. In federated environments, this state happens only if it failed to register and Microsoft Entra Connect is configured to sync the devices. Wait for Microsoft Entra Connect to complete a sync cycle.
If the Registered column contains a date/time, then Microsoft Entra hybrid join has completed.
Using PowerShell
Verify the device registration state in your Azure tenant by using Get-MgDevice. This cmdlet is in the Microsoft Graph PowerShell SDK.
When you use the Get-MgDevice cmdlet to check the service details:
- An object with the device ID that matches the ID on the Windows client must exist.
- The value for DeviceTrustType is Domain Joined. This setting is equivalent to the Microsoft Entra hybrid joined state on the Devices page in the Microsoft Entra admin center.
- For devices that are used in Conditional Access, the value for Enabled is True and DeviceTrustLevel is Managed.
Open Windows PowerShell as an administrator.
Enter Connect-MgGraph to connect to your Azure tenant.
Count all Microsoft Entra hybrid joined devices (excluding Pending state)
(Get-MgDevice -All | where {($_.TrustType -eq 'ServerAd') -and ($_.ProfileType -eq 'RegisteredDevice')}).count
Count all Microsoft Entra hybrid joined devices with Pending state
(Get-MgDevice -All | where {($_.TrustType -eq 'ServerAd') -and ($_.ProfileType -ne 'RegisteredDevice')}).count
List all Microsoft Entra hybrid joined devices
Get-MgDevice -All | where {($_.TrustType -eq 'ServerAd') -and ($_.ProfileType -eq 'RegisteredDevice')}
List all Microsoft Entra hybrid joined devices with Pending state
Get-MgDevice -All | where {($_.TrustType -eq 'ServerAd') -and ($_.ProfileType -ne 'RegisteredDevice')}
List details of a single device:
- Enter the following command. Obtain the device ID locally on the device.
$Device = Get-MgDevice -DeviceId <ObjectId>
- Verify that AccountEnabled is set to True.
$Device.AccountEnabled
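The local check and the service check described above can be combined into one comparison. The following is an added example, not code from the original article: the function names Get-LocalJoinState and Test-HybridJoinState and the sample dsregcmd text are constructed for illustration. It looks the device up with a filter on the deviceId property, because that property is the value dsregcmd reports as DeviceId.

```powershell
# Added example: parse dsregcmd /status and compare it with the tenant's device object.
# Function names and the sample text are constructed for illustration.
function Get-LocalJoinState {
    # When -StatusText is omitted, the default runs dsregcmd on the local device.
    param([string[]]$StatusText = (dsregcmd /status))
    $state = @{}
    foreach ($line in $StatusText) {
        # dsregcmd prints "Name : Value" pairs, one per line
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|DeviceId)\s*:\s*(\S+)') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]@{
        AzureAdJoined = $state['AzureAdJoined'] -eq 'YES'
        DomainJoined  = $state['DomainJoined'] -eq 'YES'
        DeviceId      = $state['DeviceId']
    }
}

function Test-HybridJoinState {
    param([Parameter(Mandatory)]$Local, $ServiceDevice)
    $problems = @()
    if (-not $Local.AzureAdJoined) { $problems += 'AzureAdJoined is not YES' }
    if (-not $Local.DomainJoined)  { $problems += 'DomainJoined is not YES' }
    if (-not $ServiceDevice) {
        $problems += 'No device object with this DeviceId in the tenant'
    } else {
        # Same conditions as the Get-MgDevice queries in this article
        if ($ServiceDevice.TrustType -ne 'ServerAd') { $problems += "TrustType is '$($ServiceDevice.TrustType)'" }
        if ($ServiceDevice.ProfileType -ne 'RegisteredDevice') { $problems += 'Registration is pending' }
        if (-not $ServiceDevice.AccountEnabled) { $problems += 'AccountEnabled is not True' }
    }
    [pscustomobject]@{ DeviceId = $Local.DeviceId; Healthy = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed sample of dsregcmd output, so the parser can be tried offline
$sample = @'
             AzureAdJoined : YES
              DomainJoined : YES
                  DeviceId : 00000000-0000-0000-0000-000000000000
'@ -split "`r?`n"
$local = Get-LocalJoinState -StatusText $sample

# On a real device, after Connect-MgGraph -Scopes 'Device.Read.All':
#   $local = Get-LocalJoinState
#   $svc   = Get-MgDevice -Filter "deviceId eq '$($local.DeviceId)'"
#   Test-HybridJoinState -Local $local -ServiceDevice $svc
Test-HybridJoinState -Local $local -ServiceDevice $null   # reports the missing tenant object
```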
FAQs
Microsoft Entra hybrid joined devices
These devices are joined to your on-premises Active Directory and registered with Microsoft Entra ID. Microsoft Entra hybrid joined devices require network line of sight to your on-premises domain controllers periodically. Without this connection, devices become unusable.
What is Microsoft Entra verified ID?
Microsoft Entra Verified ID Service.
An issuance and verification service in Azure and a REST API for W3C Verifiable Credentials that are signed with the did:web method. They enable identity owners to generate, present, and verify claims. This forms the basis of trust between users of the systems.
How to check hybrid join status?
Using the Microsoft Entra admin center
- Sign in to the Microsoft Entra admin center as at least a Cloud Device Administrator.
- Browse to Identity > Devices > All devices.
- If the Registered column says Pending, then Microsoft Entra hybrid join hasn't completed.
What is the difference between Microsoft Entra registered and joined?
Generally, registered devices are users' personal devices, such as mobile phones or laptops, and users log into the device with their personal credentials. An Entra ID joined device is connected to your organization, and users can log into the device with their work account.
How to join device to Entra ID?
Method 1: Enrolling a Device using Microsoft Entra ID Join
- Open Access to Work or School app. Click on Connect.
- Click on Join this device to Microsoft Entra ID.
- Enter the Microsoft Entra ID email and click Next.
- Once prompted, please enter your password and click Sign In.
- You will be shown a Terms of Use screen.
What is hybrid ID?
Microsoft's identity solutions span on-premises and cloud-based capabilities, creating a single user identity for authentication and authorization to all resources, regardless of location. We call this hybrid identity.
Do I need an Entra ID?
IT admins use Microsoft Entra ID to control access to apps and app resources, based on business requirements. For example, as an IT admin, you can use Microsoft Entra ID to require multifactor authentication when accessing important organizational resources.
What is Microsoft Entra ID in the authenticator app?
Microsoft Entra ID lets Authentication Policy Administrators choose which authentication methods can be used to sign in. They can enable Microsoft Authenticator in the Authentication methods policy to manage both the traditional push MFA method and the passwordless authentication method.
Is Microsoft Entra ID free?
Microsoft Entra ID Free is included with Microsoft cloud subscriptions, such as Microsoft Azure and Microsoft 365. It supports multifactor authentication, unlimited SSO across any SaaS app, basic reports, and self-service password change for cloud users.
How to force hybrid join?
- Run Azure AD Connect.
- Under Tasks, select Configure device options.
- Click Next.
- Specify your Azure AD global administrator credentials.
- Select Configure Hybrid Azure AD join.
- Click Next.
- On the Device operating systems page, select the following options: Windows 10 or later domain-joined devices. ...
- Click Next.
It can take up to 30 minutes to synchronize a newly domain-joined Windows 10 device from on-premises Active Directory to Azure AD. It might take another 30 minutes or more for the device to complete Hybrid Azure AD join after it is synchronized to Azure AD.
What is the new name for Microsoft Entra?
What's the new name for Azure AD? In 2023, Azure Active Directory (Azure AD) was renamed Microsoft Entra ID.
Is Entra ID SSO?
Single sign-on with Microsoft Entra ID
Enabling SSO with Microsoft Entra ID means users can sign in once to access their Microsoft apps and other cloud, SaaS, and on-premises apps with the same credential.
What is Microsoft Entra used for?
Microsoft Entra is a family of identity and network access products. It enables organizations to implement a Zero Trust security strategy and create a trust fabric that verifies identities, validates access conditions, checks permissions, encrypts connection channels, and monitors for compromise.
What is a benefit from using Microsoft Entra Hybrid Join?
Microsoft Entra joined devices help to simplify many different types of challenges in the hybrid enterprise environment. It helps ease Windows deployments, including for work-owned devices and allows access to apps and resources from any Windows device.
What does hybrid joined mean?
Hybrid Azure AD joined devices are devices that are joined to on-premises Active Directory (AD) and registered with Azure AD. These devices allow you to take advantage of both on-premises AD and Azure AD capabilities.
What is Microsoft Entra domain services?
Microsoft Entra Domain Services (formerly Azure Active Directory Domain Services), part of Microsoft Entra, enables you to use managed domain services—such as Windows Domain Join, group policy, LDAP, and Kerberos authentication—without having to deploy, manage, or patch domain controllers.
Is hybrid join required for Intune?
This enrollment option is available for domain-joined devices that you want to manage using Intune. Before enrolling, the devices must be hybrid Azure AD joined, meaning the devices are registered in on-premises Active Directory (AD) and registered in Azure AD.