In a multi-forest Active Directory configuration, the service connection point must exist in all forests containing domain-joined computers. Devices authenticate to get an access token to register against the Azure Active Directory Device Registration Service (Azure DRS).
You can use the Get-ADRoot DSE cmdlet to retrieve the configuration naming context of your forest. Add("CN=62a0ff2e-97b9-4513-943f-0d221bd30080", "service Connection Point") $de SCP. Windows current devices authenticate using Integrated Windows Authentication to an active WS-Trust endpoint (either 1.3 or 2005 versions) hosted by the on-premises federation service.
Please note that one rule to explicitly issue the rule for users is necessary.
In the rules below, a first rule identifying user vs. add( Type = " Value = "User" ); @Rule Name = "Capture UPN when Account Type is User and issue the Issuer ID" c1:[ Type == " ] && c2:[ Type == " Value == "User" ] =.
For more details, see Introduction to device management in Azure Active Directory.
If you have an on-premises Active Directory environment and you want to join your domain-joined devices to Azure AD, you can accomplish this by configuring hybrid Azure AD joined devices. Before you start configuring hybrid Azure AD joined devices in your environment, you should familiarize yourself with the supported scenarios and the constraints.
If your organization is planning to use Seamless SSO, then the following URLs need to be reachable from the computers inside your organization and they must also be added to the user's local intranet zone: If your organization uses managed (non-federated) setup with on-premises AD and does not use ADFS to federate with Azure AD, then hybrid Azure AD join on Windows 10 relies on the computer objects in AD to be sync'ed to Azure AD.