Retrieving all Hybrid AAD joined Devices

When starting a pilot for Hybrid Azure AD join, it can be useful to keep track of the number of devices that currently are already Hybrid Azure AD joined.

The most straight-forward way to do so is within the GUI of the Azure AD portal:

However, when used for reporting or other reasons, a scripted solution often is a better fit. The below PowerShell snippet returns all devices that are:

  • Known in Azure AD
  • Joined in a local domain
  • Running Windows 10

A requirement to run this script is being connected to Azure AD by using Connect-AzureAD for instance.

Get-AzureADDevice -All $true |Where-Object {($_.DeviceTrustType -eq "ServerAD") -and ($_.DeviceOSType -eq "Windows") -and ($_.DeviceOSVersion -like "10*")}

Self-Service Password reset for Windows

Azure AD has the capability to enable end-users to perform a self-managed reset of the password, in case one does not remember it anymore.

Configuration is fairly easy, and can be done both through Intune and by adding a registry key. Detailed steps on how to do so can be found on .

When configuring this on my home tenant, I received the following error:

All usual suspects were covered: the correct licenses were assigned, password writeback was configured and showed up in the portal as working, so no issues there. When opening the SSPR section in the Azure Portal, the following error was shown:

Digging into the Event Viewer on the Azure AD Connect Server revealed the error: The password could not be updated because the management agent credentials were denied access.

Following best practices from Microsoft, the account that was configured in the Azure AD Connect management agent did not have elevated permissions, and therefore did not have the possiblity to reset passwords.

Assigning delegated permissions to reset the password of the OU containing the synced users, solved the issue.