Setup for Hybrid-Joined Domains

Use this guide if your environment includes on-premises Active Directory with hybrid-joined Windows devices and certificate/Kerberos requirements.

Setup Order

The Enterprise Passkey/HYPR integration steps are identical for both Entra-only and Hybrid environments. This guide focuses on the hybrid join process, which must be completed before Enterprise Passkey/HYPR integration:

1. Complete hybrid join setup
2. Then proceed to Administrator Configuration guide for common HYPR/Entra integration steps

Architecture and Flow

Visual Aid: Hybrid Azure AD Join Architecture

+-------------------+         +-------------------+         +-------------------+
| Windows 10/11 PC  | <-----> | On-Prem AD Domain | <-----> | Azure AD Connect  |
| (Domain-Joined)   |         | Controllers       |         | (Sync Server)     |
+-------------------+         +-------------------+         +-------------------+
        |                                                           |
        |                                                           |
        |                                                           v
        |                                                 +-------------------+
        |                                                 | Microsoft Entra   |
        |                                                 | (Azure AD)        |
        |                                                 +-------------------+
        |                                                           ^
        |                                                           |
        +-----------------------------------------------------------+

Flow:

• Devices join on-prem AD, then register with Entra ID via Azure AD Connect.
• Users can sign in with SSO and modern authentication (including Enterprise Passkey).

For more information, see Hybrid Join Overview.

Prerequisites

Prerequisite Checklist

[✔] Windows Server 2016/2019+ Domain Controllers
[✔] Windows 10/11 (1709+) clients
[✔] Azure AD Connect (latest)
[✔] Microsoft Entra ID tenant (custom domain verified)
[✔] Global Admin (Entra) & Enterprise Admin (AD) accounts
[✔] Network connectivity (AD <-> AAD Connect <-> Entra)
[ ] (Optional) Intune, ADCS

Additional requirements for Enterprise Passkey:

• AES256_HMAC_SHA1 enabled
• Entra AD Kerberos configured (see Install the Entra Kerberos PowerShell module)
• Domain Controller patch level requirements met (see Hybrid Join Prerequisites)

Set Up Hybrid Azure AD Join

Setup Flow

1. Add/verify custom domain in Entra
2. Install & configure Azure AD Connect
3. Configure Hybrid Azure AD Join in AAD Connect
4. Sync devices & verify registration

Add and Verify Your Custom Domain in Entra ID

Steps:

1. Go to Microsoft Entra admin center.
2. Navigate to Identity > Custom domain names.
3. Click Add custom domain, enter your domain (e.g., contoso.com).
4. Add the provided TXT record to your DNS host.
5. Click Verify after DNS propagates.

Reference: Add custom domain in Azure AD

Install and Configure Azure AD Connect

Steps:

1. Download Azure AD Connect.
2. Install on a domain-joined Windows Server.
3. Run the wizard:
   • Choose Express Settings for most environments.
   • Enter Entra Global Admin and AD Enterprise Admin credentials.
   • Select OUs containing users/devices to sync.
   • Enable Device Writeback if needed.

Reference: Install Azure AD Connect using express settings

Configure Hybrid Azure AD Join in Azure AD Connect

Steps:

1. Open Azure AD Connect, select Configure device options.
2. Choose Configure Hybrid Azure AD join.
3. Select Windows 10 or later domain-joined devices.
4. Select your AD forest and authentication service.
5. Enter Domain Admin credentials.
6. Complete the wizard.

Reference: Configure hybrid Azure AD join

Sync Devices and Verify Registration

Steps:

1. On the Azure AD Connect server, run:

   Start-ADSyncSyncCycle -PolicyType Delta

2. On a Windows client, run:

   dsregcmd /status

   • Look for AzureAdJoined : YES and DomainJoined : YES.
3. In the Entra portal, go to Identity > Devices and confirm devices show as Hybrid Azure AD joined.

Reference: Verify hybrid Azure AD join status

Reference: Microsoft: Topologies for Azure AD Connect

Control Center and Workstations (Hybrid)

After completing hybrid join setup , proceed to the Administrator Configuration guide for common HYPR/Entra integration steps:

• Configure HYPR Control Center™ for Enterprise Passkey and HYPR Passkey
• Entra ID app registration and API permissions
• Feature flags setup
• FIDO2/Enterprise Passkey authentication enablement
• Install and configure HYPR Passwordless for Windows™
• Enable FIDO2 security key sign-in on hybrid-joined devices
• Validate sign-in using a hybrid account (e.g., user@domain.com)

Summary Table

Step	Description	Key Links
1	Understand architecture	Hybrid Join Overview
2	Prerequisites	Hybrid Join Prerequisites
3	Set up hybrid join	Install AAD Connect, Configure Hybrid Join
	Multi-forest topologies	Plan Connect Topologies
	Troubleshooting	AAD Connect Troubleshooting

Additional References

• Configure hybrid Azure AD join
• Enable passwordless security key sign-in on Windows
• Install the Entra Kerberos PowerShell module

Next steps

• Continue with the User Experience guide
• See Troubleshooting for hybrid-specific issues