MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Hybrid Azure AD join does not explain how userCertificate gets into Active Directory #104949

Closed Weishaupt closed 1 year ago

Weishaupt commented 1 year ago

With the two scenarios Hybrid Azure AD joined in Managed environments and Hybrid Azure AD joined in Federated environments, there is no documentation as to how the userCertificate attribute in Active Directory is populated upon successful Azure DRS communication.

If my conceptual understanding is correct, then after the step "Install device cert in computer Personal store" there should be a communication to Active Directory to populate the userCertificate property of the computer object.

Otherwise, please explain how the userCertificate property is populated, as there is no writeback of this property from AAD to AD via AAD Connect.


ManoharLakkoju-MSFT commented 1 year ago

@Weishaupt Thanks for your feedback! We will investigate and update as appropriate.

MicrosoftGuyJFlo commented 1 year ago

label:"awaiting-product-team-response"

jjstreic commented 1 year ago

The userCertificate population is described in step C of the "Hybrid Azure AD joined in Managed environments" https://learn.microsoft.com/en-us/azure/active-directory/devices/device-registration-how-it-works#hybrid-azure-ad-joined-in-managed-environments

C) For the managed environment, the task creates an initial authentication credential in the form of a self-signed certificate. The task writes the certificate to the userCertificate attribute on the computer object in Active Directory using LDAP.

A couple of notes:

1) This occurs regardless of managed/federated authentication.
2) This certificate is only used for initial device authentication to AAD to acquire a token for the Azure Device Registration Service. After this use it is never used again unless the device needs to re-register with Azure Device Registration Service.
3) This certificate is not visible via the Certificate MMC snap-in.
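Because the self-signed registration certificate is written to the computer object by LDAP and does not show up in the Certificates MMC snap-in, the practical way to verify which machines have completed that step is to read userCertificate back out of Active Directory and decode it. The script below is an added example for this thread, not code from the Azure docs or from any commenter. It assumes the ActiveDirectory RSAT module is installed in a domain-joined session, and the `$SearchBase` parameter is a placeholder for an OU of your choosing.

```powershell
# Added example (not part of the original issue): enumerate computer objects that
# carry a userCertificate value and decode each blob as an X.509 certificate, so an
# administrator can confirm the hybrid-join registration step described above.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

function Get-HybridJoinUserCertificate {
    [CmdletBinding()]
    param(
        # Assumption: defaults to the whole domain; narrow this to a device OU.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    # Presence filter on the binary attribute; request the attribute explicitly,
    # as Get-ADComputer does not return userCertificate by default.
    Get-ADComputer -LDAPFilter '(userCertificate=*)' -SearchBase $SearchBase -Properties userCertificate |
        ForEach-Object {
            $computer = $_
            # userCertificate is multi-valued; each entry is a DER-encoded certificate.
            foreach ($raw in $computer.userCertificate) {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
                [pscustomobject]@{
                    ComputerName = $computer.Name
                    Subject      = $cert.Subject
                    Issuer       = $cert.Issuer
                    # The registration credential described above is self-signed,
                    # so subject and issuer match.
                    SelfSigned   = ($cert.Subject -eq $cert.Issuer)
                    NotBefore    = $cert.NotBefore
                    NotAfter     = $cert.NotAfter
                    Thumbprint   = $cert.Thumbprint
                }
            }
        }
}

# Usage: list every device with a registration certificate, flagging self-signed ones.
Get-HybridJoinUserCertificate | Sort-Object ComputerName | Format-Table -AutoSize
```

Running this periodically (or comparing the output against the device list in the Entra ID portal) gives a defender an Active Directory side view of which computers have written a registration credential, which is useful both when troubleshooting devices stuck in a pending state and when auditing for unexpected certificate values on computer objects.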

albert-widjaja commented 1 year ago

Thank you @jjstreic for sharing. I assume the userCertificate AD attribute can be safely deleted or cleared to avoid the device being synced to the Azure AD?

    # Clears the userCertificate attribute on the computer object
    $paramSetADComputer = @{
        Identity = 'targetComputerName'
        Clear    = 'userCertificate'
        Verbose  = $true
    }
    Set-ADComputer @paramSetADComputer

MicrosoftGuyJFlo commented 1 year ago

please-close

Weishaupt commented 1 year ago

@jjstreic Thanks for the explanation. I was under the impression that the device certificate and the self-signed cert are indeed the same, which is obviously not the case.

Is the self-signed certificate stored permanently on the client, or just until the Azure DRS returns a device certificate?

Weishaupt commented 1 year ago

@albert-widjaja No, the device certificate cannot be cleared. The whole point of Hybrid Azure AD Join is maintaining a device identity in Entra ID (formerly Azure AD). Clearing the certificate will remove the device from the sync and thus from Entra ID. This will break Conditional Access policies that require Hybrid Joined devices as a Grant constraint and will probably also lead to frequent sign-in screens for the user.

albert-widjaja commented 1 year ago

Hi @Weishaupt, thank you for the response. So if the device is still in pending status, how do I remove it from the Azure AD / Entra ID portal?

Weishaupt commented 1 year ago

@albert-widjaja Here is a Learn article dedicated to the issue.