Product documentation
Citrix DaaS
View PDF

Identity pool of Hybrid Azure Active Directory joined machine identity

November 25, 2024
Contributed by: 
C

Note:

Since July 2023, Microsoft has renamed Azure Active Directory (Azure AD) to Microsoft Entra ID. In this document, any reference to Azure Active Directory, Azure AD, or AAD now refers to Microsoft Entra ID.

This article describes how to create identity pool of Hybrid Azure Active Directory joined machine identity using Citrix DaaS.

For information on requirements, limitations, and considerations, see Hybrid Azure Active Directory joined.

Use Studio

The following information is a supplement to the guidance in Create machine catalogs. To create hybrid Azure AD joined catalogs, follow the general guidance in that article, minding the details specific to hybrid Azure AD joined catalogs.

In the catalog creation wizard:

  1. On the Machine Identities page:

    1. Select identity type as Hybrid Azure Active Directory joined.

    2. Select an Active Directory account option:

      • Create new Active Directory accounts:
        • If you select Create new Active Directory accounts and do use an existing identity pool to create new accounts, then select a domain for those accounts and specify an account naming scheme.
        • If you select Create new Active Directory accounts and use an existing identity pool to create new accounts, then select an identity pool from the list.
      • Use existing Active Directory accounts: You can browse or import from CSV file, and reset password or specify the same password for all accounts.
    3. Click Next.

  2. On the Domain credentials page, select a service account or enter credentials manually. Hybrid Azure AD joined identity pool can also be associated with an on-premises AD service account. For information on service accounts, see On-premises Active Directory service accounts.

Use PowerShell

The following are PowerShell steps equivalent to operations in Studio.

The difference between on-premises AD joined catalogs and hybrid Azure AD joined ones lies in the creation of the identity pool and the machine accounts.

To create an identity pool along with the accounts for hybrid Azure AD joined catalogs:

New-AcctIdentityPool -AllowUnicode -IdentityType "HybridAzureAD" -Domain "corp.local" -IdentityPoolName "HybridAADJoinedCatalog" -NamingScheme "HybridAAD-VM-##" -NamingSchemeType "Numeric" -OU "CN=AADComputers,DC=corp,DC=local" -Scope @() -ZoneUid "81291221-d2f2-49d2-ab12-bae5bbd0df05"
New-AcctADAccount -IdentityPoolName "HybridAADJoinedCatalog" -Count 10 -ADUserName "corp\admin1" -ADPassword $password
Set-AcctAdAccountUserCert -IdentityPoolName "HybridAADJoinedCatalog" -All -ADUserName "corp\admin1" -ADPassword $password
<!--NeedCopy-->

Note:

$password is the matching password for an AD user account with Write Permissions.

All other commands used to create hybrid Azure AD joined catalogs are the same as for traditional on-premises AD joined catalogs.

You can also associate an on-premises service account with an MCS created machine catalog by associating an on-premises service account with the identity pool. You can create an identity pool or update an existing identity pool to associate it with a service account.

For example: To create a new identity pool and associate it with a service account, run the following:

New-AcctIdentityPool -AllowUnicode -IdentityType "HybridAzureAD" -Domain "corp.local" -IdentityPoolName "HybridAADJoinedCatalog" -NamingScheme "HybridAAD-VM-##" -NamingSchemeType "Numeric" -OU "CN=AADComputers,DC=corp,DC=local" -Scope @() -ZoneUid "81291221-d2f2-49d2-ab12-bae5bbd0df05" -ServiceAccountUid $serviceAccountUid
<!--NeedCopy-->

For example: To update an existing identity pool to associate it with a service account, run the following:

$identityPoolUid = (Get-ProvScheme -ProvisioningSchemeName "MyProvScheme").IdentityPoolUid

Set-AcctIdentityPool -IdentityPoolUid $identityPoolUid -ServiceAccountUid $serviceAccountUid
<!--NeedCopy-->

Note:

The $serviceAccountUid must be a valid UID of an on-premises Active Directory service account.

View the status of the hybrid Azure AD join process

In Studio, the status of the hybrid Azure AD join process is visible when hybrid Azure AD joined machines in a delivery group are in a powered-on state. To view the status, use Search to identify those machines and then for each check Machine Identity on the Details tab in the lower pane. The following information can appear in Machine Identity:

  • Hybrid Azure AD joined
  • Not yet joined to Azure AD

Note:

  • You might experience delayed hybrid Azure AD join when the machine initially powers on. This is caused by the default machine identity sync interval (30 minutes of Azure AD Connect). The machine is in hybrid Azure AD joined state only after the machine identities are synced to Azure AD through Azure AD Connect.
  • If machines fail to be in hybrid Azure AD joined state, they are not registered with the Delivery Controller. Their registration status appears as Initialization.

Also, using Studio, you can learn why machines are unavailable. To do that, click a machine on the Search node, check Registration on the Details tab in the lower pane, and then read the tooltip for additional information.

Troubleshoot

If machines fail to be hybrid Azure AD joined, do the following:

  • Check if the machine account has been synced to Azure AD through the Microsoft Azure AD portal. If synced, Not yet joined to Azure AD appears, indicating pending registration status.

    To sync machine accounts to Azure AD, make sure:

    • The machine account is in the OU that is configured to be synced with Azure AD. Machine accounts without the userCertificate attribute are not synced to Azure AD even they are in the OU that is configured to be synced.
    • The attribute userCertificate populates in the machine account. Use Active Directory Explorer to view the attribute.
    • Azure AD Connect must have been synced at least once after the machine account is created. If not, manually run the Start-ADSyncSyncCycle -PolicyType Delta command in the PowerShell console of the Azure AD Connect machine to trigger an immediate sync.

  • Check if the Citrix managed device key pair for hybrid Azure AD join is correctly pushed to the machine by querying the value of DeviceKeyPairRestored under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix.

    Verify that the value is 1. If not, possible reasons are:

    • IdentityType of the identity pool associated with the provisioning scheme is not set to HybridAzureAD. You can verify this by running Get-AcctIdentityPool.
    • The machine is not provisioned using the same provisioning scheme of the machine catalog.
    • The machine is not joined to the local domain. Local domain joined is a prerequisite of the hybrid Azure AD join.

  • Check diagnostic messages by running the dsregcmd /status /debug command on the MCS-provisioned machine.

    • If hybrid Azure AD join is successful, AzureAdJoined and DomainJoined are YES in the output of the command line.
    • If not, refer to the Microsoft documentation to troubleshoot the issues: https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current.

    • If you get the error message Server Message: The user certificate is not found on the device with id: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx, then run the following PowerShell command to repair the user certificate:

       Repair-AcctIdentity -IdentityAccountName TEST\VM1 -Target UserCertificate
 <!--NeedCopy-->

For more information about the user certificate issue, see CTX566696.

Identity pool of Hybrid Azure Active Directory joined machine identity
November 25, 2024
Contributed by: 
C
November 25, 2024
Contributed by: 
C

In this article

Site feedback | Your privacy choices footer linkYour Privacy Choices | Privacy and legal terms | Cookie preferences | Consent settings | docs.cloud.com
© 1999- Cloud Software Group, Inc. All rights reserved.