7.1.1 How Automatic Hybrid Azure AD Join Works

When a Windows device logs in to the local AD domain, the device registration with Azure AD starts. The device is synchronized by using AD Connect from the local AD to Azure AD.

Using Azure Active Directory Authentication Libraries (ADAL) based authentication, hybrid Azure AD allows SSO to enterprise applications through Kerberos Ticket-Granting Ticket (TGT), and OAuth 2.0 tokens used for Office 365 applications.

The following diagram explains how automatic registration of Windows devices to Azure AD works:

AD triggers a group policy to the Windows 10 client for initiating the device registration.
The device queries AD for the Azure AD tenant information. The Azure AD Connect application gathers the tenant information stored in AD.
An OAuth code authentication request is sent to Azure AD, and Azure AD redirects the request to Access Manager Identity Server.
The device reaches Identity Server’s Integrated Windows Authentication (IWA) STS endpoint with a device account as an identity by using Windows integrated authentication.
Identity Server uses Kerberos to validate the device identity with the AD domain.
After successful authentication, Identity Server sends a token with claim details.
The token is sent to Azure AD. Azure AD validates federation settings with Access Manager. After successful validation, it sends the token to the client for device registration.
The device creates a Private/Public key pair and sends the certificate-signing request along with the token received from Azure AD to Azure Device Registration Service (DRS).
Azure DRS creates a certificate and a device object with its certificate thumbprint and returns the certificate to the client. The client stores the certificate and uses it for the next interaction with Azure AD or Office 365 services.

For more information, see How To: Plan your hybrid Azure Active Directory join implementation.

Figure 7-1 Hybrid Azure AD Join Automatic Device Registration Flow