Citrix DaaS

Hybrid Azure Active Directory joined


This feature is being rolled out in phases. It might not yet be activated for your account.

This article describes how to create Hybrid Azure Active Directory (AD) joined catalogs using Citrix DaaS.

Hybrid Azure AD joined machines use on-premises AD as the authentication provider. You can assign them to domain users or groups in on-premises AD. To enable Azure AD seamless SSO experience, you need to have the domain users synced to Azure AD.


  • Control plane: Citrix DaaS

  • VDA type: Single-session or multi-session OS VDA

  • VDA version: 2112 or later

  • Provisioning type: Machine Creation Services (MCS) Persistent and Non-persistent

  • Assignment type: Dedicated and pooled

  • Hosting platform: Any hypervisor or cloud service

  • Master VMs must not be joined to Azure AD


  • If Citrix Federated Authentication Service (FAS) is used, single sign-on is directed to on-premises AD rather than to Azure AD.


  • Master VMs can be on-premises AD joined or non-domain-joined. However, they must not be Azure AD joined. You can run dsregcmd /status in the master VMs to check the current status of hybrid Azure AD join and use dsregcmd /leave to unjoin.

  • Creating hybrid Azure Active Directory joined machines requires the Write userCertificate permission in the target domain. Make sure that you enter credentials of an administrator with that permission during catalog creation.

  • The hybrid Azure AD joining process is managed by Citrix. You need to disable autoWorkplaceJoin controlled by Windows in the master VMs as follows:

    1. Run gpedit.msc.
    2. Navigate to Computer Configuration > Administrative Templates > Windows Components > Device Registration.
    3. Set Register domain joined computers as devices to Disabled.
  • Select the Organizational Unit (OU) that is configured to be synced with Azure AD when you create the machine identities.

Create hybrid Azure AD joined catalogs

You can create Azure AD joined catalogs by using the Full Configuration interface or PowerShell.

Use the Full Configuration interface

The following information is a supplement to the guidance in Create machine catalogs. To create hybrid Azure AD joined catalogs, follow the general guidance in that article, minding the details specific to hybrid Azure AD joined catalogs.

In the catalog creation wizard:

  • On the Machine Identities page, select Hybrid Azure Active Directory joined. The created machines are owned by an organization and are signed into with an Active Directory Domain Services account that belongs to that organization. They exist in the cloud and on-premises.


If you select Hybrid Azure Active Directory joined as the identity type, each machine in the catalog must have a corresponding AD computer account.

Use PowerShell

The following are PowerShell steps equivalent to operations in Full Configuration. For information on how to create a catalog using the Remote PowerShell SDK, see

The difference between on-premises AD joined catalogs and hybrid Azure AD joined ones lies in the creation of the identity pool and the machine accounts.

To create an identity pool along with the accounts for hybrid Azure AD joined catalogs:

New-AcctIdentityPool -AllowUnicode -IdentityType="HybridAzureAD" -Domain "corp.local" -IdentityPoolName "HybridAADJoinedCatalog" -NamingScheme "HybridAAD-VM-##" -NamingSchemeType "Numeric" -OU "CN=AADComputers,DC=corp,DC=local" -Scope @() -ZoneUid "81291221-d2f2-49d2-ab12-bae5bbd0df05"
New-AcctADAccount -IdentityPoolName "HybridAADJoinedCatalog" -Count 10 -ADUserName "corp\admin1" -ADPassword $password
Set-AcctAdAccountUserCert -IdentityPoolName "HybridAADJoinedCatalog" -All -ADUserName "corp\admin1" -ADPassword $password


$password is the matching password for an AD user account with Write Permissions.

All other commands used to create hybrid Azure AD joined catalogs are the same as for traditional on-premises AD joined catalogs.

View the status of the hybrid Azure AD join process

In the Full Configuration interface, the status of the hybrid Azure AD join process is visible when hybrid Azure AD joined machines in a delivery group are in a powered-on state. To view the status, use Search to identify those machines and then for each check Machine Identity on the Details tab in the lower pane. The following information can appear in Machine Identity:

  • Hybrid Azure AD joined

  • Not yet joined to Azure AD


  • You might experience delayed hybrid Azure AD join when the machine initially powers on. This is caused by the default machine identity sync interval (30 minutes of Azure AD Connect). The machine is in hybrid Azure AD joined state only after the machine identities are synced to Azure AD through Azure AD Connect.
  • If machines fail to be in hybrid Azure AD joined state, they are not registered with the Delivery Controller. Their registration status appears as Initialization.

Also, using the Full Configuration interface, you can learn why machines are unavailable. To do that, click a machine on the Search node, check Registration on the Details tab in the lower pane, and then read the tooltip for additional information.


If machines fail to be hybrid Azure AD joined, do the following:

  • Check if the machine account has been synced to Azure AD through the Microsoft Azure AD portal. If synced, Not yet joined to Azure AD appears, indicating pending registration status.

    To sync machine accounts to Azure AD, make sure:

    • The machine account is in the OU that is configured to be synced with Azure AD. Machine accounts without the userCertificate attribute are not synced to Azure AD even they are in the OU that is configured to be synced.

    • The attribute userCertificate populates in the machine account. Use Active Directory Explorer to view the attribute.

    • Azure AD Connect must have been synced at least once after the machine account is created. If not, manually run the Start-ADSyncSyncCycle -PolicyType Delta command in the PowerShell console of the Azure AD Connect machine to trigger an immediate sync.

  • Check if the Citrix managed device key pair for hybrid Azure AD join is correctly pushed to the machine by querying the value of DeviceKeyPairRestored under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix.

    Verify that the value is 1. If not, possible reasons are:

    • IdentityType of the identity pool associated with the provisioning scheme is not set to HybridAzureAD. This can be verified by Get-IdentityPool.

    • The machine is not provisioned using the same provisioning scheme of the machine catalog.

    • The machine is not joined to the local domain. Local domain joined is a prerequisite of the hybrid Azure AD join.

  • Check diagnostic messages by running the dsregcmd /status /debug command on the MCS-provisioned machine.

    If hybrid Azure AD join is successful, AzureAdJoined and DomainJoined are YES in the output of the command line.

    If not, refer to the Microsoft documentation to troubleshoot the issues:

Hybrid Azure Active Directory joined