Configuring Hybrid Join for Azure AD to Point to Specific OU


Hi All,

Was wanting to turn on hybrid join for Azure AD. Is there a way to point that directly to one specific OU, so we don't contaminate all of the on-prem AD? If anyone can point me to the correct article I would greatly appreciate it.

Posted by Matthew Salisbury in HTMD FB Group


Answers (3)


    Replied by Joe Bowers

    Create an OU, Azure AD Connect, sync only that OU, drop PCs in. I'd put block inheritance on that OU too.

    Replied by Sean Kinnee

    Yes you can filter to a single OU.

    Replied by Doug Johnson

    You can select particular OUs to sync to Entra ID. I wouldn’t consider this “contaminating” on prem AD though. These computer objects are still on prem AD computer objects.

    Replied by Muzzammil Mujawar

    Yes, possible, and the first step is always to go with a specific OU.


    Replied by Sanjay Mittal

    Microsoft Docs on Hybrid Azure AD Join: This official documentation provides comprehensive steps and considerations for setting up hybrid Azure AD join.
    Azure AD Connect Configuration: This guide helps with the specifics of configuring Azure AD Connect for device options and SCP.
    Specifying OUs in Azure AD Connect: This article specifically addresses how to filter OUs during the configuration process.

    Replied by Matthew Salisbury

    Sanjay Mittal Thank you, Sanjay, I appreciate the direction!

    Replied by Joakim Hove-Ytreeide

    Google Azure AD Connect. Download the app and set it up with your OU, and enable the OU when needed.



    Replied by Mike Leach

    What do you mean by “contaminate”? There is no downside to Hybrid Join. The users never know it happens and it exposes more information to IT when computers are not on a local connection.

    Replied by Matthew Salisbury

    Mike Leach I have approximately 2k PCs in a business that runs 24/7. I want to test hybrid join on one OU and a few PCs before I potentially crash every PC in the company. I find it difficult that I have to explain this to fellow IT people. I'm prior military; I test, test and re-test. I just don't jump head first into something. And there are many downsides to hybrid join. Please google and you will see people's frustrations with it.

    Replied by Mike Leach

    Matthew Salisbury Many downsides? I’ve joined thousands and thousands to Hybrid Join for my clients over the years. Never seen any major issues. Did it 2 days ago for my current client. You made it sound like that was your permanent state and not a test. So, I was trying to help. Nothing wrong with testing first. I didn’t understand what you meant by “contaminate”. But, yes, you can limit it in Entra ID Connect to specific OUs.
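A worked version of the pilot-OU approach the replies above describe (create a dedicated OU, block inheritance, move a few test PCs in, keep Azure AD Connect scoped to that OU, then verify), as an added PowerShell example that is not part of the original thread. The domain contoso.local, the OU name HybridJoinPilot and the computer names are constructed; the OU filter itself is still set on the "Domain and OU filtering" page of the Azure AD Connect wizard, and the ADSync property path used here to read that filter back is an assumption to confirm against your Azure AD Connect version.

```powershell
#Requires -Version 5.1
# Added example, not from the thread. Stage a Hybrid Azure AD Join pilot:
# a dedicated OU with inheritance blocked, a few test PCs moved into it,
# a check that Azure AD Connect is scoped to that OU only, and a check of
# each PC's join state afterwards. Domain, OU and PC names are constructed.

$Domain      = 'contoso.local'                       # assumed on-prem domain
$DomainDN    = 'DC=contoso,DC=local'
$PilotOUName = 'HybridJoinPilot'
$PilotOU     = "OU=$PilotOUName,$DomainDN"           # assumed pilot OU DN
$PilotPCs    = @('PILOT-PC01', 'PILOT-PC02')         # constructed sample names

# Step 1 (admin workstation with RSAT): create the OU once and block GPO
# inheritance so pilot PCs only receive policies linked directly to it.
function New-PilotOU {
    Import-Module ActiveDirectory, GroupPolicy
    try {
        Get-ADOrganizationalUnit -Identity $PilotOU -ErrorAction Stop | Out-Null
    } catch {
        New-ADOrganizationalUnit -Name $PilotOUName -Path $DomainDN `
            -ProtectedFromAccidentalDeletion $true
    }
    Set-GPInheritance -Target $PilotOU -IsBlocked Yes | Out-Null
}

# Step 2: move only the named test computers into the pilot OU and read back
# what is actually there, since that is the set that will be synced.
function Move-PilotComputers {
    Import-Module ActiveDirectory
    foreach ($pc in $PilotPCs) {
        $obj = Get-ADComputer -Identity $pc -ErrorAction Stop
        if ($obj.DistinguishedName -notlike "*,$PilotOU") {
            Move-ADObject -Identity $obj.DistinguishedName -TargetPath $PilotOU
        }
    }
    Get-ADComputer -Filter * -SearchBase $PilotOU | Select-Object -ExpandProperty Name
}

# Step 3 (on the Azure AD Connect server): the wizard's "Domain and OU
# filtering" page writes the inclusion list; read it back and refuse to sync
# unless the pilot OU is the only container in scope. Assumption: the
# ConnectorPartitionScope.ContainerInclusionList property path matches your
# ADSync version; check it with Get-Member before relying on it.
function Test-SyncScope {
    Import-Module ADSync
    $conn  = Get-ADSyncConnector -Name $Domain
    $scope = @($conn.Partitions | ForEach-Object {
        $_.ConnectorPartitionScope.ContainerInclusionList
    })
    if ($scope.Count -eq 1 -and $scope[0] -eq $PilotOU) {
        Write-Host "Scope is exactly $PilotOU; OK to run: Start-ADSyncSyncCycle -PolicyType Delta"
        return $true
    }
    Write-Warning ("Sync scope is [{0}]; fix OU filtering in the Azure AD Connect wizard first." -f ($scope -join '; '))
    return $false
}

# Step 4 (on a pilot PC after a sync cycle and a reboot): parse dsregcmd /status
# and report whether the device reached the hybrid-joined state.
function Test-HybridJoinState {
    $status = dsregcmd /status
    $get = {
        param($key)
        $m = $status | Select-String -Pattern "^\s*$key\s*:\s*(\S+)" | Select-Object -First 1
        if ($m) { $m.Matches[0].Groups[1].Value } else { 'UNKNOWN' }
    }
    $result = [pscustomobject]@{
        DomainJoined  = & $get 'DomainJoined'
        AzureAdJoined = & $get 'AzureAdJoined'
    }
    $result | Add-Member -NotePropertyName HybridJoined -NotePropertyValue `
        ($result.DomainJoined -eq 'YES' -and $result.AzureAdJoined -eq 'YES') -PassThru
}
```

Run New-PilotOU and Move-PilotComputers from an admin workstation, Test-SyncScope on the Azure AD Connect server before the first sync cycle, and Test-HybridJoinState on each pilot PC once it has rebooted after the sync. Test-SyncScope returns $false, and nothing is synced, whenever anything other than the pilot OU is in scope, which is the guard that keeps the test from spilling into the rest of the domain.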
