Manually create Device Registration ServiceConnectionPoint (SCP)
Hi All,
This weekend I was involved in a migration where the configuration of Device Registration in Azure AD / Entra ID was required. Due to the complex setup, we could not use "Configure Device Registration" with Azure AD Connect.
Although there is documentation on how to configure hybrid Azure Active Directory join manually, it is missing a few important steps. That's why I decided to write this blog article.
If you want to know more about how Device Registration works, go ahead and read the documentation.
Overview
A domain-joined client searches for a Service Connection Point (SCP) in the Configuration partition at the following distinguished name:
CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,[Your Configuration Naming Context]
Manually create the Service Connection Point (SCP)
You can create the SCP manually with ADSI Edit (adsiedit.msc):
Connect to the Configuration Partition
Browse to “Services” and create a new Object
Object class is “container”
Name the Object “Device Registration Configuration”
Nothing to add here
Create another new Object
Object class is “serviceConnectionPoint”
Name the Object “62a0ff2e-97b9-4513-943f-0d221bd30080”
Click on “More Attributes”
Now you need the Tenant ID of your Azure Active Directory / Entra ID.
You can find it in the Identity Overview.
Search for the attribute “keywords” and add the following two lines:
azureADid:46bbad84-29f0-4e03-8d34-f6841a5071ad
azureADName:icewolf.ch
Click “Finish”
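The same two objects can be created from PowerShell with the ActiveDirectory module instead of ADSI Edit. This is an added example and not part of the original post; it assumes the module is installed, that the account has write access to the Configuration partition (Enterprise Admins by default), and it uses the sample tenant ID and domain from the post, which you must replace with your own.

```powershell
# Added example (not from the original post): create the Device Registration SCP
# with the ActiveDirectory module and read it back. Writing to the Configuration
# partition is forest-wide, so run this with an Enterprise Admin account.
Import-Module ActiveDirectory

# Replace these with your own tenant values (sample values from the post).
$TenantId   = '46bbad84-29f0-4e03-8d34-f6841a5071ad'
$TenantName = 'icewolf.ch'

# The tenant ID must be a GUID; fail early instead of writing a broken SCP.
$parsed = [guid]::Empty
if (-not [guid]::TryParse($TenantId, [ref]$parsed)) {
    throw "TenantId '$TenantId' is not a valid GUID"
}

$ConfigNC    = (Get-ADRootDSE).configurationNamingContext
$ServicesDN  = "CN=Services,$ConfigNC"
$ContainerDN = "CN=Device Registration Configuration,$ServicesDN"
$ScpName     = '62a0ff2e-97b9-4513-943f-0d221bd30080'   # fixed GUID the client looks for
$ScpDN       = "CN=$ScpName,$ContainerDN"

# Get-ADObject -Identity throws when the DN does not exist; use that as an existence test.
function Test-ADObjectExists {
    param([string]$DistinguishedName)
    try { [void](Get-ADObject -Identity $DistinguishedName -ErrorAction Stop); $true }
    catch { $false }
}

# Step 1: the "Device Registration Configuration" container under CN=Services
if (-not (Test-ADObjectExists $ContainerDN)) {
    New-ADObject -Name 'Device Registration Configuration' -Type container -Path $ServicesDN
}

# Step 2: the serviceConnectionPoint with the two "keywords" values from the post
if (-not (Test-ADObjectExists $ScpDN)) {
    New-ADObject -Name $ScpName -Type serviceConnectionPoint -Path $ContainerDN `
        -OtherAttributes @{ keywords = @("azureADid:$TenantId", "azureADName:$TenantName") }
}

# Step 3: read the SCP back and check both keywords are present
$scp = Get-ADObject -Identity $ScpDN -Properties keywords
$scp.keywords
if (($scp.keywords -match '^azureADid:').Count -ne 1 -or
    ($scp.keywords -match '^azureADName:').Count -ne 1) {
    throw "SCP $ScpDN exists but its keywords attribute is incomplete"
}
```

Because this object tells every domain-joined client which tenant to register with, restrict and audit write access to the container once it is created.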
Testing
You can test whether the SCP has been created correctly with this small PowerShell script:
# Distinguished name of the Configuration partition of the current forest
$ConfigurationPartition = (Get-ADRootDSE).configurationNamingContext
# Bind to the SCP object directly via LDAP
$scp = New-Object System.DirectoryServices.DirectoryEntry
$scp.Path = "LDAP://CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,$ConfigurationPartition"
# Should print the azureADid and azureADName values entered above
$scp.Keywords
Regards
Andres Bohren