UserCertificate is not created in Hybrid Join process
Hey guys,
we are just in the middle of an AD migration – OnPrem to OnPrem. The former M365 tenant stays the same, but for sure the migrated computer objects and their corresponding physical devices have to execute the Hybrid Join again.
Unfortunately we have this odd situation where we are relying on a federated third party MFA and as a consequence of this, the users have to successfully execute the Hybrid Join in order to use their M365 apps.
In most cases this runs pretty well, but lately we had some issues based on the userCertificate topic.
In some cases we found two userCertificates on the new computer object, and the Hybrid Join does not work either.
I tried removing one of them, once the first one, once the second one, but this does not improve the situation at all. Just removing both of them and trying to let the computer create a new userCertificate can help.
Here comes the point where I need help. I know in some blogs they say the Automatic-Device-Join task will create the userCertificate by probing the SCP. Actually I think it is the Device-Sync task, because we could see, when this one is disabled (which is probably done after a successful Hybrid Join) you will never receive a userCertificate.
My issue is that I have a few devices where the userCertificate is not created anymore, even if both tasks are enabled and the device has a connection to the corporate network.
Is there any other way to force a device to create its userCertificate?
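An added diagnostic, not from the original post, for the situation described above: it lists every userCertificate value on the computer object (subject, validity, thumbprint) and, when run on the device itself, the Workplace Join task states, the locally held device certificate and the dsregcmd registration state, so a stale or duplicate value can be identified before anything is removed. It assumes the RSAT ActiveDirectory module is available and that $ComputerName is the migrated computer object.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module (RSAT)
# and that $ComputerName names the migrated computer object.
param(
    [string]$ComputerName = $env:COMPUTERNAME
)

Import-Module ActiveDirectory

# userCertificate is multi-valued; each value is the DER bytes of one certificate.
$obj   = Get-ADComputer -Identity $ComputerName -Properties userCertificate
$certs = @($obj.userCertificate)
"{0}: {1} userCertificate value(s)" -f $obj.DistinguishedName, $certs.Count

$i = 0
foreach ($raw in $certs) {
    $i++
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
    [pscustomobject]@{
        Index      = $i
        Subject    = $cert.Subject      # Hybrid Join device cert: CN=<device id>
        Issuer     = $cert.Issuer
        NotBefore  = $cert.NotBefore
        NotAfter   = $cert.NotAfter
        Expired    = $cert.NotAfter -lt (Get-Date)
        Thumbprint = $cert.Thumbprint
    }
}

# Local checks, only meaningful when run on the device in question.
if ($ComputerName -eq $env:COMPUTERNAME) {
    # Automatic-Device-Join and Device-Sync live under this task path.
    Get-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' |
        Select-Object TaskName, State

    # The device-side copy of the certificate; compare its thumbprint with the AD values above.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -like '*MS-Organization-Access*' } |
        Select-Object Subject, NotAfter, Thumbprint

    # Registration state as the device sees it (DeviceId should match the cert subject CN).
    dsregcmd /status | Select-String 'AzureAdJoined|DomainJoined|DeviceId|TenantId'
}
```

A thumbprint present in AD but absent from the local store (or expired) is the stale value; a local certificate with no matching AD value means the write to userCertificate, not the device, is what is failing.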