This post is simply a step by step guide to help you set up the Intune Connector for Active Directory (to use its proper name) otherwise known as the AD hybrid join connector for Windows Autopilot. Whatever you’re calling it, it’s the connector that we need to install on one of our servers to act as the go-between to perform the domain join part of a hybrid join when we’re using Autopilot. I was quite surprised when I realised I hadn’t already written this one up so here goes.
This is an image I stole with pride from Michael Niehaus’ post here – https://oofhours.com/2020/06/23/windows-autopilot-user-driven-hybrid-azure-ad-join-over-the-internet-using-a-vpn/
That post talks specifically about the scenario where you are making an Azure Active Directory hybrid-join from any location through a VPN, more specifically it illustrates the capability to generate an offline domain join blob and have the machine complete the domain join at a point when it can see the domain controller.
Either way, you are going to need this connector in place on a server on-premises and the machine account of the server will need to have delegated access to join devices to the domain. More so, they will land in a specific OU that you will create for this process. You can multiple of these if you wish to have some scale or resiliency.
There are no hardware specifications published for the server that hosts this role, it can really be anything. It does need to have clear line of sight to a domain controller (to make the join requests) and it will also need internet access. I’m not aware a formally published list of endpoints that this particular process will use, if I find one I will share. However as it is dealing with Intune it will need the ports and endpoint for that and as it’s using Azure AD it will need those relevant endpoints too. Depending on your desired configuration there may be more, I’ve linked the Microsoft docs page below for your reference.
Windows Autopilot requirements – https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot-requirements
Setting up the required permissions
Firstly, you need to decide which server(s) will host the connector. Once we have the name of it we need to grant the machine account the relevant permissions to do everything that it needs to.
You’re going to need to be a Domain Administrator to perform this. Also, if you have multiple domains that you wish to perform joins to then you will need to do this in each domain.
- Log onto a DC or perform this remotely through the appropriate tools if you prefer. Then create an organisational unit (OU) into which the devices will be joined. The name is up to you but it will need to match up exactly what is in the Autopilot Deployment Profile. That means, if you decide to rename the OU then expect to see some failures with the connector.
Now right click the OU and select Delegate Control…
- Now select Next
- We need to select Add to go ahead and grant the required server some delegated access
- But first, make sure that you have the “Computers” object type includes
- Now input the server name, select Check Names, click OK.
- That should add the servers machine account into your list of selected users and groups (yes I know, it’s a machine)
- Now select the option to Create a custom task to delegate
- We now need to ensure the server/connector can only Create and Delete Computer objects in this OU.
Select Only the following objects in the folder
Select computer objects
Select Create selected objects in this folder
Select Delete selected objects in this folder
- Now select the specific permissions you wish to delegate.
Choose General, Property-specific, Creation/deletion of specific child objects
Choose Full Control
- That’s it, you’ve set all the necessary permissions for that server machine account to perform domain joins.
Next step is to simply install the connector and connect it up to your Intune tenant.
Install the Connector
Installing the connector is relatively simple assuming you have the right network access and permissions. Really it’s a download, install, sign-in approach then you’re done. The steps are here though.
- First, sign into the Microsoft Endpoint Manager admin center (aka.ms/memac)
Now browse to Devices, Enroll Devices.
- Select Intune Connector for Active Directory
- Now click on the add button to add a new connector.
Click the link highlighted which will download the connector setup file for you.
- Move or copy the file to the server which will host your connector. This is the one we granted delegated access to earlier.
- Select to agree to the license terms, if you do indeed agree to them.
- The install should take just a minute or two and once done you can click Configure Now.
- You will now be presented with the connector application, it’s really simple as you can see.
Click Sign In.
- When prompted enter the credentials of an Azure AD user (can be a sync’d user) who has Global Admin or Intune Admin rights.
Prior to June 2020 that user will have required an Intune license, as of June 2020 that’s not required if you don’t want it to be. (go here to set it)
- Once you have authenticated to Azure, you should see a completion.
If you are not seeing a completion you should check the server has internet access and the user account has the relevant privileges in Azure or Intune.
- Finally, you’ll need to wait about 10 minutes or so for the connector to appear back in the Admin Center. Back into the enroll devices blade you should see this.
That’s all. Don’t forget to test of course but look out for another post where I walk through that too.