Manually create Device Registration ServiceConnectionPoint (SCP)

Hi All,

This weekend I was involved in a migration where configuration of Device Registration in Azure AD/Entra ID was required. Due to the complex setup, we could not use "Configure Device Registration" with Azure AD Connect.

Although there exists documentation on how to configure hybrid Azure Active Directory join manually, it is missing a few important steps. That's why I decided to write this blog article.

If you want to know more about how Device Registration works, go ahead and read the documentation.

Overview

A domain-joined client searches the Configuration partition for a Service Connection Point (SCP) and reads its multi-valued "keywords" attribute (azureADName and azureADid) to find out which tenant it should register with. The object has a fixed, well-known name:

CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,[Your Configuration Naming Context]

Manually create the Service Connection Point (SCP)

You can create the SCP manually with ADSI Edit (adsiedit.msc). Because the object lives in the Configuration partition, you need Enterprise Admin rights.

Connect to the Configuration Partition

Browse to “Services” and create a new Object

Object class is “container”

Name the Object “Device Registration Configuration”

Nothing to add here

Create another new Object

Object class is “serviceConnectionPoint”

Name the Object “62a0ff2e-97b9-4513-943f-0d221bd30080”

Click on “More Attributes”

Now you need the Tenant ID of your Azure Active Directory / Entra ID.

You can find it on the Identity Overview page.

Search for the attribute "keywords" and add these two values (replace the tenant ID and domain name with your own; the values shown are the ones from this migration):

azureADid:46bbad84-29f0-4e03-8d34-f6841a5071ad
azureADName:icewolf.ch

Click “Finish”
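The same steps can be scripted instead of clicked through. The following PowerShell is an added example and is not part of the original post: it assumes the RSAT ActiveDirectory module is installed, that the script runs as Enterprise Admin (the Configuration partition is forest-wide), and that $TenantId and $TenantName are replaced with your own values (the ones shown are the ones from the post). It creates the container and the SCP only when they are missing, then reads the keywords back and checks that they point to the intended tenant, which is the check you want before clients start using the SCP: a wrong azureADid sends your devices to register with the wrong tenant.

```powershell
# Added example (not the post's own script): create the Device Registration SCP
# with the ActiveDirectory module instead of ADSI Edit, then verify it.
# Assumptions: RSAT ActiveDirectory module, Enterprise Admin rights, own tenant values.
#Requires -Modules ActiveDirectory

# Replace with your own tenant ID (Identity Overview in the Entra portal) and
# verified domain name; the values shown are the ones used in the post.
$TenantId   = '46bbad84-29f0-4e03-8d34-f6841a5071ad'
$TenantName = 'icewolf.ch'

# Well-known object names: clients look for exactly this container and GUID.
$ContainerName = 'Device Registration Configuration'
$ScpName       = '62a0ff2e-97b9-4513-943f-0d221bd30080'

$ConfigNC    = (Get-ADRootDSE).configurationNamingContext
$ServicesDN  = "CN=Services,$ConfigNC"
$ContainerDN = "CN=$ContainerName,$ServicesDN"
$ScpDN       = "CN=$ScpName,$ContainerDN"

# Helper: does an object with this DN exist? (Get-ADObject throws when it does not)
function Test-ADObjectExists([string]$DistinguishedName) {
    try {
        Get-ADObject -Identity $DistinguishedName -ErrorAction Stop | Out-Null
        return $true
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        return $false
    }
}

# 1. Container "Device Registration Configuration" under CN=Services (idempotent)
if (-not (Test-ADObjectExists $ContainerDN)) {
    New-ADObject -Name $ContainerName -Type container -Path $ServicesDN
    Write-Host "Created container $ContainerDN"
}

# 2. serviceConnectionPoint with the two keywords the client evaluates
if (-not (Test-ADObjectExists $ScpDN)) {
    New-ADObject -Name $ScpName -Type serviceConnectionPoint -Path $ContainerDN `
        -OtherAttributes @{ keywords = @("azureADid:$TenantId", "azureADName:$TenantName") }
    Write-Host "Created SCP $ScpDN"
}

# 3. Verify: read the keywords back and compare them with the intended tenant
$scp      = Get-ADObject -Identity $ScpDN -Properties keywords
$keywords = @($scp.keywords)
$idOk     = $keywords -contains "azureADid:$TenantId"
$nameOk   = $keywords -contains "azureADName:$TenantName"

if ($idOk -and $nameOk) {
    Write-Host "SCP OK: $($keywords -join ', ')"
} else {
    Write-Warning "SCP keywords do not match the expected tenant: $($keywords -join ', ')"
}
```

Run it once from a domain-joined machine with the RSAT module; a second run changes nothing and only repeats the verification. If the warning fires, fix the keywords before rolling out hybrid join, because every client in the forest trusts this one object to pick its tenant.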

Testing

You can test whether the SCP has been created correctly with this small PowerShell script:

# Requires the ActiveDirectory PowerShell module (RSAT) for Get-ADRootDSE
Import-Module ActiveDirectory
$ConfigurationPartition = (Get-ADRootDSE).configurationNamingContext
$scp = New-Object System.DirectoryServices.DirectoryEntry
$scp.Path = "LDAP://CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,$ConfigurationPartition"
# Should list the two keywords: azureADid:<tenant id> and azureADName:<domain>
$scp.Properties["keywords"]

Regards
Andres Bohren