Microsoft Entra hybrid join enables seamless integration between on-premises Active Directory (AD) and Microsoft Entra ID (formerly Azure AD), supporting scenarios like Conditional Access, Windows Hello for Business, and Enterprise State Roaming. However, issues can arise during the hybrid join process. This guide provides a structured approach to troubleshooting common problems.
Step 1: Verify Join Status
Run the following command in an elevated Command Prompt:
cmd
Copy
dsregcmd /status
Key Fields to Check
| Field | Expected Value | Description |
|---|---|---|
AzureAdJoined | YES | Device is joined to Microsoft Entra ID. |
DomainJoined | YES | Device is joined to on-premises AD. |
WorkplaceJoined | NO | Device should not be registered as a personal device. |
AzureAdPrt | YES | Primary Refresh Token (PRT) is active. |
🔹 If AzureAdJoined is NO, proceed to troubleshoot the join failure.
Step 2: Identify the Join Failure Phase
For Windows 10/11 1803+
Check the “Previous Registration” section in dsregcmd /status:
plaintext
Copy
Previous Registration : 2024-07-08 10:00:00 UTC Registration Type : sync Error Phase : join Client ErrorCode : 0x801c03f2 Server ErrorCode : DirectoryError
For Older Windows Versions
Check Event Viewer under:Applications and Services Logs > Microsoft > Windows > User Device Registration
- Event ID 304, 305, 307: Indicate join failures.
Step 3: Common Join Errors & Fixes
1️⃣ Precheck Phase Failures
❌ Possible Causes:
- No line of sight to a domain controller.
- Incorrect Service Connection Point (SCP) configuration.
✅ Solutions:
- Ensure the device is on the corporate network/VPN.
- Verify SCP is correctly configured in AD.
2️⃣ Discovery Phase Failures
❌ Error Codes:
DSREG_AUTOJOIN_ADCONFIG_READ_FAILED (0x801c001d)→ SCP misconfigured.DSREG_AUTOJOIN_DISC_FAILED (0x801c0021)→ Discovery endpoint unreachable.
✅ Solutions:
- Confirm
https://enterpriseregistration.windows.netis accessible. - Check proxy settings if outbound traffic is restricted.
3️⃣ Authentication Phase Failures (Federated Domains Only)
❌ Error Codes:
ERROR_ADAL_PROTOCOL_NOT_SUPPORTED (0xcaa90017)→ WS-Trust not enabled.ERROR_ADAL_WSTRUST_TOKEN_REQUEST_FAIL (0xcaa90006)→ Federation service error.
✅ Solutions:
- Ensure WS-Trust is enabled on the federation server.
- Check AD FS logs for authentication failures.
4️⃣ Join Phase Failures
❌ Error Codes:
DSREG_E_DIRECTORY_FAILURE (0x801c03f2)→ Sync issue with Microsoft Entra ID.NTE_BAD_KEYSET (0x80090016)→ TPM-related failure.
✅ Solutions:
- Wait for Microsoft Entra Connect sync to complete.
- Clear TPM (if applicable) and retry.
Step 4: Post-Join Authentication Issues
If users can’t sign in after hybrid join, check PRT status:
cmd
Copy
dsregcmd /status
🔹 If AzureAdPrt: NO, investigate:
- Network connectivity to
login.microsoftonline.com. - Proxy/firewall blocking authentication.
- Incorrect UPN (ensure it matches Microsoft Entra ID).
Step 5: Collect Logs for Microsoft Support
- Run diagnostics:powershellCopy.\start-auth.ps1 -vAuth -accepteula
- Reproduce the issue.
- Stop tracing and zip logs:powershellCopy.\stop-auth.ps1
Final Tips
✔ Use the Device Registration Troubleshooter Tool for automated diagnostics.
✔ Check Microsoft Docs for updated guidance.
✔ Ensure Windows updates are applied (minimum: Windows 10 1709+).
Need further help? Contact Microsoft Support with collected logs! 🚀
Summary: Hybrid join issues often stem from misconfigured SCP, network problems, or sync delays. Follow this guide to diagnose and resolve common errors efficiently.
Reference : https://learn.microsoft.com/en-us/entra/identity/devices/troubleshoot-hybrid-join-windows-current