Citrix DaaS™

Identity pool of Microsoft Entra hybrid joined machine identity

September 9, 2025

Contributed by:

This article describes how to create identity pool of Microsoft Entra hybrid joined machine identity using Citrix DaaS.

For information on requirements, limitations, and considerations, see Microsoft Entra hybrid joined.

Use Studio

The following information is a supplement to the guidance in Create machine catalogs. To create Microsoft Entra hybrid joined catalogs, follow the general guidance in that article, minding the details specific to Microsoft Entra hybrid joined catalogs.

In the catalog creation wizard:

On the Machine Identities page:
1. Select the identity type as Microsoft Entra hybrid joined.
2. Select an Active Directory account option:
  - Create new Active Directory accounts:
    - If you select Create new Active Directory accounts and do use an existing identity pool to create new accounts, then select a domain for those accounts and specify an account naming scheme.
    - If you select Create new Active Directory accounts and use an existing identity pool to create new accounts, then select an identity pool from the list.
  - Use existing Active Directory accounts: You can browse or import from a CSV file, and reset the password or specify the same password for all accounts.
3. Click Next.
On the Domain credentials page, select a service account or enter credentials manually. Microsoft Entra hybrid joined identity pool can also be associated with an on-premises AD service account. For information on service accounts, see On-premises Active Directory service accounts.

Use PowerShell

The following PowerShell steps are equivalent to operations in Studio.

The difference between on-premises AD joined catalogs and Microsoft Entra hybrid joined ones lies in the creation of the identity pool and the machine accounts.

To create an identity pool along with the accounts for Microsoft Entra hybrid joined catalogs:

New-AcctIdentityPool -AllowUnicode -IdentityType "HybridAzureAD" -Domain "corp.local" -IdentityPoolName "HybridAADJoinedCatalog" -NamingScheme "HybridAAD-VM-##" -NamingSchemeType "Numeric" -OU "CN=AADComputers,DC=corp,DC=local" -Scope @() -ZoneUid "81291221-d2f2-49d2-ab12-bae5bbd0df05"
New-AcctADAccount -IdentityPoolName "HybridAADJoinedCatalog" -Count 10 -ADUserName "corp\admin1" -ADPassword $password
Set-AcctAdAccountUserCert -IdentityPoolName "HybridAADJoinedCatalog" -All -ADUserName "corp\admin1" -ADPassword $password
<!--NeedCopy-->

Note:

The $password is the matching password for an AD user account with Write Permissions.

All other commands used to create Microsoft Entra hybrid joined catalogs are the same as for traditional on-premises AD joined catalogs.

You can also associate an on-premises service account with an MCS created machine catalog by associating an on-premises service account with the identity pool. You can create an identity pool or update an existing identity pool to associate it with a service account.

For example: To create a new identity pool and associate it with a service account, run the following:

New-AcctIdentityPool -AllowUnicode -IdentityType "HybridAzureAD" -Domain "corp.local" -IdentityPoolName "HybridAADJoinedCatalog" -NamingScheme "HybridAAD-VM-##" -NamingSchemeType "Numeric" -OU "CN=AADComputers,DC=corp,DC=local" -Scope @() -ZoneUid "81291221-d2f2-49d2-ab12-bae5bbd0df05" -ServiceAccountUid $serviceAccountUid
<!--NeedCopy-->

For example: To update an existing identity pool to associate it with a service account, run the following:

$identityPoolUid = (Get-ProvScheme -ProvisioningSchemeName "MyProvScheme").IdentityPoolUid

Set-AcctIdentityPool -IdentityPoolUid $identityPoolUid -ServiceAccountUid $serviceAccountUid
<!--NeedCopy-->

Note:

The $serviceAccountUid must be a valid UID of an on-premises Active Directory service account.

You can also create a Hybrid Microsoft Entra catalog using a prepared image. For the complete set of PowerShell commands to create image definition, image version, and prepared image version spec, see:

Azure virtualization environment: Use PowerShell.
VMware virtualization environment: Use PowerShell

After creating the prepared image version spec, create the identity pool and machine catalog. For example:

New-AcctIdentityPool -IdentityPoolName "mypool" -NamingScheme ACC##  -NamingSchemeType "Numeric"  -ZoneUid $zoneuid -Domain $domainName -OU "OU=HAAD Computers,DC=haad,DC=link" -IdentityType "HybridAzureAD"

New-ProvScheme -ProvisioningSchemeName <name> -ImageVersionSpecUid <preparedVersionSpecUid> -HostingUnitUid <hostingUnitUid> -IdentityPoolUid <IdentityPoolUid> [-CleanOnBoot] -NetworkMapping @{"0"="XDHyp:\HostingUnits\<hostingunitName>\<region>.region\virtualprivatecloud.folder\<resourcegroupName>.resourcegroup\<vnetName>.virtualprivatecloud\<sunNetName>.network"} -ServiceOffering <serviceofferingPath> [-MachineProfile <machineProfilePath>] [-CustomProperties <>]
<!--NeedCopy-->

View the status of the hybrid Microsoft Entra join process

In Studio, the status of the hybrid Microsoft Entra join process is visible when Microsoft Entra hybrid joined machines in a delivery group are in a powered-on state. To view the status, use Search to identify those machines and then for each check Machine Identity on the Details tab in the lower pane. The following information can appear in Machine Identity:

Microsoft Entra hybrid joined
Not yet joined to Microsoft Entra ID

Note:

You might experience delayed hybrid Microsoft Entra join when the machine initially powers on. This is caused by the default machine identity sync interval (30 minutes of Microsoft Entra Connect). The machine is in Microsoft Entra hybrid joined state only after the machine identities are synced to Microsoft Entra ID through Microsoft Entra Connect.

If machines fail to be in Microsoft Entra hybrid joined state, they are not registered with the Delivery Controller. Their registration status appears as Initialization.

Also, using Studio, you can learn why machines are unavailable. To do that, click a machine on the Search node, check Registration on the Details tab in the lower pane, and then read the tooltip for additional information.

Troubleshoot

If machines fail to be Microsoft Entra hybrid joined, do the following:

Check if the machine account has been synced to Microsoft Entra ID through the Microsoft Microsoft Entra portal. If synced, Not yet joined to Microsoft Entra ID appears, indicating pending registration status.

To sync machine accounts to Microsoft Entra ID, make sure:
- The machine account is in the OU that is configured to be synced with Microsoft Entra ID. Machine accounts without the userCertificate attribute are not synced to Microsoft Entra ID even they are in the OU that is configured to be synced.
- The attribute userCertificate populates in the machine account. Use Active Directory Explorer to view the attribute.
- Microsoft Entra Connect must have been synced at least once after the machine account is created. If not, manually run the Start-ADSyncSyncCycle -PolicyType Delta command in the PowerShell console of the Microsoft Entra Connect machine to trigger an immediate sync.
Check if the Citrix managed device key pair for hybrid Microsoft Entra join is correctly pushed to the machine by querying the value of DeviceKeyPairRestored under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix.

Verify that the value is 1. If not, then possible reasons are:
- IdentityType of the identity pool associated with the provisioning scheme is not set to HybridAzureAD. You can verify this by running Get-AcctIdentityPool.
- The machine is not provisioned using the same provisioning scheme of the machine catalog.
- The machine is not joined to the local domain. Local domain joined is a prerequisite of the hybrid Microsoft Entra join.
Check diagnostic messages by running the dsregcmd /status /debug command on the MCS-provisioned machine.
- If hybrid Microsoft Entra join is successful, AzureAdJoined and DomainJoined are YES in the output of the command line.
- If not, refer to the Microsoft documentation to troubleshoot the issues: https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current.
- If you get the error message Server Message: The user certificate is not found on the device with id: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx, then run the following PowerShell command to repair the user certificate:
```
 Repair-AcctIdentity -IdentityAccountName TEST\VM1 -Target UserCertificate
 
```

For more information about the user certificate issue, see CTX566696.

The official version of this content is in English. Some of the Cloud Software Group documentation content is machine translated for your convenience only. Cloud Software Group has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Cloud Software Group product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Cloud Software Group, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Cloud Software Group will not be held responsible for any damage or issues that may arise from using machine-translated content.

Was this helpful

Identity pool of Microsoft Entra hybrid joined machine identity

September 9, 2025

Contributed by:

September 9, 2025

Contributed by:

Identity pool of Microsoft Entra hybrid joined machine identity

Use Studio

Use PowerShell

View the status of the hybrid Microsoft Entra join process

Troubleshoot

In this article