Hybrid Azure AD join is a situation when a device is joined to on-prem AD and your Azure AD at the same time.
Let's say your device fulfills all requirements to be able to make Hybrid AD join:
- device is enabled and joined to your on-prem AD
- device has generated a certificate and stored it in the UserCertificate AD attribute
- device is synchronized to your Azure AD (via the AD Connect tool)
But the result is device record in Azure with pending state i.e. Hybrid join wasn't finished from the client side.
On the client, Hybrid join is automatically invoked via scheduled task 'Automatic-Device-Join'
I was facing the situation when this scheduled task run but ended with an error, so I came up with a simple PowerShell function Reset-HybridADJoin that will basically reset Hybrid join status on the computer.
- un-join computer from AzureAD (using dsregcmd.exe)
- remove leftover certificates
- invoke rejoin (using sched. task 'Automatic-Device-Join')
- inform user about the result
Maybe it will help somebody...