This weekend I was involved in a migration where Device Registration in Azure AD/Entra ID had to be configured. Because of the complex setup, we could not use "Configure Device Registration" in Azure AD Connect.
Although there is documentation on how to configure hybrid Azure Active Directory join manually, it is missing a few important steps. That is why I decided to write this blog article.
If you want to know more about how device registration works, go ahead and read the documentation.
A domain-joined client searches for a Service Connection Point (SCP) in the Configuration partition at the following distinguished name:
CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,[Your Configuration Naming Context]
Manually create the Service Connection Point (SCP)
You can create the SCP manually with ADSI Edit (adsiedit.msc):
Connect to the Configuration Partition
Browse to “Services” and create a new Object
Object class is “container”
Name the Object “Device Registration Configuration”
Nothing to add here
Create another new Object
Object class is “serviceConnectionPoint”
Name the Object “62a0ff2e-97b9-4513-943f-0d221bd30080”
Click on “More Attributes”
Now you need the Tenant ID of your Azure Active Directory / Entra ID.
You can find it in the Identity Overview.
Search for the attribute "keywords" and add the two lines.
You can test whether the SCP has been created correctly with this small PowerShell script:
# Configuration naming context of the forest (e.g. CN=Configuration,DC=contoso,DC=com)
$ConfigurationPartition = (Get-ADRootDSE).configurationNamingContext
# Bind to the SCP object created above and print its keywords attribute
$scp = New-Object System.DirectoryServices.DirectoryEntry
$scp.Path = "LDAP://CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,$ConfigurationPartition"
$scp.Keywords
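As an added example (not part of the original article), the same container and SCP created with the ActiveDirectory module instead of ADSI Edit, followed by a check that parses the keywords the way a client would; the tenant ID and domain are placeholders, and the keyword format (azureADName:<verified domain>, azureADId:<tenant ID>) is the one Microsoft documents for the SCP.

```powershell
# Added example, not from the original article. Needs RSAT ActiveDirectory and an
# account with write access to the Configuration partition (Enterprise Admins).
Import-Module ActiveDirectory

$TenantId    = '00000000-0000-0000-0000-000000000000'   # placeholder: your Entra tenant ID
$AzureAdName = 'contoso.com'                             # placeholder: a verified tenant domain

$configNC    = (Get-ADRootDSE).configurationNamingContext
$containerDN = "CN=Device Registration Configuration,CN=Services,$configNC"
$scpDN       = "CN=62a0ff2e-97b9-4513-943f-0d221bd30080,$containerDN"

function Test-ADObjectExists([string]$Dn) {
    try { Get-ADObject -Identity $Dn -ErrorAction Stop | Out-Null; return $true }
    catch { return $false }
}

# Step 1: the "Device Registration Configuration" container under CN=Services
if (-not (Test-ADObjectExists $containerDN)) {
    New-ADObject -Name 'Device Registration Configuration' -Type container `
                 -Path "CN=Services,$configNC"
}

# Step 2: the serviceConnectionPoint with the two keyword values the client reads
$keywords = @("azureADName:$AzureAdName", "azureADId:$TenantId")
if (-not (Test-ADObjectExists $scpDN)) {
    New-ADObject -Name '62a0ff2e-97b9-4513-943f-0d221bd30080' -Type serviceConnectionPoint `
                 -Path $containerDN -OtherAttributes @{ keywords = $keywords }
}

# Step 3: read the SCP back and validate what a domain-joined client would parse
$scp   = Get-ADObject -Identity $scpDN -Properties keywords
$found = @{}
foreach ($kw in $scp.keywords) {
    $name, $value = $kw -split ':', 2      # split only on the first colon
    $found[$name] = $value
}
$parsedGuid = [guid]::Empty
$checks = [ordered]@{
    'azureADName present'      = $found.ContainsKey('azureADName')
    'azureADId is a GUID'      = [guid]::TryParse([string]$found['azureADId'], [ref]$parsedGuid)
    'azureADId matches tenant' = ($found['azureADId'] -eq $TenantId)
    'no duplicate keyword keys' = (@($scp.keywords).Count -eq $found.Count)
}
$checks.GetEnumerator() | ForEach-Object { '{0,-26} {1}' -f $_.Key, $_.Value }
```

Every line of the final report should read True; a False on "azureADId matches tenant" is the typical symptom when a client registers against the wrong tenant or not at all.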