--- title: Configuring PingOne as the federated IdP description: Set up Microsoft Entra hybrid join to allow users to access Active Directory and Entra ID resources. component: pingone page_id: pingone:use_cases:p1_microsoft_hybrid_join_tasks canonical_url: https://docs.pingidentity.com/pingone/use_cases/p1_microsoft_hybrid_join_tasks.html revdate: July 29, 2025 section_ids: p1-connect-users-microsoft365: User authentication p1-create-attribute: Creating an attribute in PingOne steps: Steps p1-add-ldap-gateway: Adding an LDAP gateway to connect PingOne with AD steps-2: Steps example: Example p1-add-auth-policy: Adding an authentication policy steps-3: Steps p1-add-microsoft-app: Adding a Microsoft 365 application p1-hybrid-join-custom-domains: Custom domains steps-4: Steps result: Result: result-2: Result: result-3: Result: p1-update-microsoft-app-user-auth: Updating the Microsoft 365 application steps-5: Steps example-scenarios: Example scenarios p1-assign-policy-to-microsoft-app: Assigning the authentication policy to the Microsoft 365 application steps-6: Steps results: Results p1-enable-hybrid-join: Hybrid join before-you-begin: Before you begin p1-create-attributes: Creating attributes and a population for hybrid joined devices steps-7: Steps p1-enable-kerberos: Enabling Kerberos authentication steps-8: Steps p1-add-user-type: Adding a user type for hybrid joined devices steps-9: Steps example-2: Example p1-update-microsoft-app: Updating the Microsoft 365 application steps-10: Steps p1-update-federated-idp: Updating the federated IdP setting before-you-begin-2: Before you begin steps-11: Steps p1-allow-join-devices: Allowing users to join their devices to Entra ID steps-12: Steps p1-configure-entra-connect: Configuring Entra Connect Sync and verifying the SCP before-you-begin-3: Before you begin steps-13: Steps result-4: Result: result-5: Result p1-disable-fallback-sync: (Optional) Disabling fallback sync in Windows steps-14: Steps p1-hybrid-join-validation: Validation result-6: Result: example-3: Example: troubleshooting: Troubleshooting: result-7: Result: result-8: Result: troubleshooting-2: Troubleshooting whats-next: What's next --- # Configuring PingOne as the federated IdP You're ready to configure Microsoft Entra hybrid join with PingOne as the federated identity provider (IdP) after: * Reviewing the overview in [Setting up PingOne as the federated IdP for Microsoft Entra ID](p1_microsoft_entra_hybrid_join.html) * Completing the prerequisites in [Before you begin configuring Microsoft Entra hybrid join with PingOne as the federated IdP](p1_microsoft_entra_hybrid_join_prerequisites.html) To set up PingOne as the federated IdP, you'll configure PingOne to fulfill two use cases: 1. [User authentication](#p1-connect-users-microsoft365): Set up PingOne as the federated IdP to connect users to sign on to Microsoft 365. 2. [Hybrid join](#p1-enable-hybrid-join): After setting up PingOne as the federated IdP, enable PingOne to process hybrid join requests to sync devices from on-premise Active Directory (AD) to Entra ID if your organization plans to transition their AD infrastructure to the cloud with Entra ID. ## User authentication Set up PingOne as the federated IdP for Entra ID so that your users can authenticate with PingOne when attempting to use single sign-on (SSO) to access resources like Microsoft 365. ### Creating an attribute in PingOne By default, Entra Connect Sync uses the `userPrincipalName` attribute from AD as the source of the Entra ID username. In most deployments, the `userPrincipalName` attribute value looks like an email address and might match the value of the email address (`mail` attribute) in the PingOne user record. However, in some deployments, the attributes don't match. If the values don't match, PingOne can't match a user record to the username token from Entra ID. To ensure PingOne can locate the user record, create a custom user attribute in PingOne to store the `userPrincipalName` attribute value instead of relying on the `mail` attribute as the username. #### Steps 1. In the PingOne admin console, go to **Directory > User Attributes** and click the **[icon: plus, set=fa]**icon. 2. Select **Declared** for the attribute type and click **Next**. 3. Enter or edit the following: 1. **Name**: A unique identifier for the attribute, such as `ms-upn`. 2. **Display Name** (optional): The name of the attribute as you want it to display in the UI. 3. **Description** (optional): A brief description of the attribute. 4. Select the **Enforce unique values** checkbox and click **Confirm** in the **Enable Enforce Unique Values** modal. 5. Verify the **Allow multiple values** checkbox is cleared and **No Validation** is selected in the list. 4. Click **Save**. ### Adding an LDAP gateway to connect PingOne with AD Add an LDAP gateway and optionally enable Kerberos authentication to authenticate AD users through SSO. #### Steps 1. In the PingOne admin console, [add an LDAP gateway](../integrations/p1_add_ldap_gateway.html) for Microsoft 365 and select **Microsoft Active Directory** for **LDAP Directory Type**. 2. To enable Kerberos authentication for a seamless SSO experience: 1. Select the **Enable Kerberos Authentication** checkbox. 2. Enter the **Service Account User Principal Name** and **Service Account Password**. 3. Click **Save**. 4. [Configure the service account](../integrations/p1_creating_spns.html) with the appropriate `servicePrincipalName` to enable Kerberos authentication. Learn more in [SPN reference](../integrations/p1_spn_reference.html). 5. [Configure end user browsers](../integrations/p1_configuring_end_user_browsers.html) with the required trusted URIs to support Kerberos authentication. 3. Add a user type for cloud users: 1. On the **Lookup** tab of the LDAP gateway, click the **[icon: plus, set=fa]**icon. 2. Click **Use default values** to pre-populate fields with values PingOne needs when connecting to your on-premise AD. 3. Configure the following: > **Collapse: LDAP gateway configuration** > > | Setting | Description | > | ----------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | > | **User Type** | Enter a name for the user type, such as `cloud user`. | > | **Select Password Authority** | Select **LDAP** in the list. | > | **Enable password changes from PingOne** | Select to enable the checkbox. | > | **User Search LDAP Base DN** | Enter the distinguished name (DN) of the organizational unit (OU) where users synced to Entra ID are located. Use a specific DN location where only the users are located, instead of a broad location that includes both users and devices.#### Example`OU=Employees,OU=People,DC=pingdemo,DC=ping-eng,DC=com`You can find the DN in ADSI Edit:1) Right-click the **CN=Computers** folder under your computer name. > > 2) In the **CN=Computers Properties** modal, locate the **distinguishedName** attribute and copy it. > > ![A screenshot of ADSI Edit with the distinguishedName attribute selected.](_images/p1-entra-hybrid-join-distinguishedName.png) | > | **User Link Attributes** | Leave the pre-populated default attributes. | > | **Enable migration of new users upon first authentication** | Select to enable the checkbox. | > | **LDAP Filter** | Enter the following to limit the filter to search for AD user records only:``` > (&(objectClass=user)(objectCategory=person)(|(sAMAccountName=${identifier})(mail=${identifier})(userPrincipalName=${identifier}))) > ``` | > | **Population** | Select a population in the list. | > | **Update PingOne user attributes as users sign on** | Select to enable the checkbox. | > | **Map Attributes** | 1. Leave the pre-populated default mappings. > > The default source of External ID is the mS-DS-ConsistencyGuid attribute because Entra Connect Sync uses the mS-DS-ConsistencyGuid attribute as the sourceAnchor attribute to identify synced users by default. If you selected another AD user attribute as the sourceAnchor attribute in Installing Entra Connect Sync (step 11), select that AD user attribute as the source of External ID in this step. > > 2. Add a mapping for the custom attribute you created in [Creating an attribute in PingOne](#p1-create-attribute). > > 1. Click **[icon: plus, set=fa]Add Mapping**. > > 2. In the **PingOne User Profile Attribute** list, select the custom attribute you previously created to store `userPrincipalName` from AD user objects. > > 3. In the **LDAP Attribute** field, enter `userPrincipalName`.You can find more information about the required attribute mappings in [User type for cloud users](p1_microsoft_hybrid_join_troubleshooting.html#p1-cloud-user-type). | 4. Click **Save**. ### Adding an authentication policy Create an authentication policy with a **Login** step to verify AD user identities through LDAP authentication. | | | | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | You can optionally use a DaVinci flow policy instead of an authentication policy to orchestrate the authentication experience. If your users access Microsoft 365 desktop applications, such as Excel for Windows, consider opting in to the Legacy Browser and WebView Compatible Rendering Mode early access feature in PingOne. Learn more in [Managing opt-ins for early access features in PingOne](../settings/p1_managing_opt_ins_for_ea_features.html). | #### Steps 1. In the PingOne admin console, go to **Authentication > Authentication** and click **[icon: plus, set=fa]Add Policy**. 2. Enter a **Policy Name**, such as `Authentication policy for Microsoft 365`. 3. In the **Step Type** list, select **Login**. 4. In the **Migrate Gateways Users upon First Authentication** section, click **[icon: plus, set=fa]Add Gateway User Type**. 5. Select the **Gateway** and **User Type** you previously created in [Adding an LDAP gateway to connect PingOne with AD](#p1-add-ldap-gateway). 6. [Configure the recovery and registration settings](../authentication/p1_add_login_auth_step.html) as needed. 7. To add multi-factor authentication (MFA): 1. Click **[icon: plus, set=fa]Add step**. 2. Select the desired step type. 3. Configure the step as required. 8. Click **Save**. ### Adding a Microsoft 365 application Add a Microsoft 365 application and run the PowerShell cmdlets to allow your users to sign on using PingOne. If you're using a custom domain for configuring hybrid join, refer to the following section to determine whether you can use your custom domain in the PowerShell cmdlets to set up PingOne as the federated IdP. Hybrid join doesn't support using a custom domain if mutual TLS (mTLS) is enabled for the domain. #### Custom domains PingOne uses the Cloudflare infrastructure to handle traffic routing for custom domains created after March 17, 2025, but custom domains created before this date use the AWS CloudFront infrastructure. Hybrid join using Entra ID only supports custom domains using the following infrastructure: * CloudFront * Cloudflare only if mTLS is disabled Hybrid join doesn't support custom domains using the Cloudflare infrastructure if mTLS is enabled. The following types of custom domains are supported: | Custom domain infrastructure | Supported? | | ----------------------------- | ---------- | | CloudFront | Yes | | Cloudflare with mTLS disabled | Yes | | Cloudflare with mTLS enabled | No | To configure PingOne as the federated IdP using the PowerShell cmdlets in PingOne, you must: 1. Determine whether your custom domain traffic is routed through CloudFront or Cloudflare infrastructure. 2. For custom domains with traffic routed through Cloudflare, determine whether the domain has mTLS enabled. 3. Use either the custom domain or PingOne domain for the PowerShell cmdlets depending on which configuration your custom domain uses, as shown in the following diagram: ![A diagram showing how to determine whether to use your custom domain or the PingOne domain in the PowerShell cmdlets.](_images/p1-entra-hybrid-join-custom-domain-flowchart.png) * For custom domains using the CloudFront infrastructure, you can choose whether to use your custom domain or the PingOne domain. * For custom domains using the Cloudflare infrastructure: * If mTLS is disabled, you can choose whether to use your custom domain or the PingOne domain. * If mTLS is enabled, you can't use your custom domain in the PowerShell cmdlets and must use the PingOne domain. #### Steps 1. In the PingOne admin console, [add a Microsoft 365 application](../applications/p1_adding_microsoft_365.html). 2. In the **Map Attributes** step: 1. Map the **ImmutableID** and **Subject** attributes and sync them to Entra ID using the following advanced expression: ``` #string.uuidAsBase64Guid(user.externalId,null) ``` 2. Map the **UPN** attribute by selecting the `userPrincipalName` attribute you previously created in the **PingOne Mappings** list. 3. If the authentication policy you previously created includes MFA, [configure an authentication claim](../applications/p1_configure_authentication_claim_microsoft_365.html) for the Microsoft 365 application to communicate to Entra ID that PingOne will handle MFA. 4. If you're using a custom domain, determine whether your domain uses the CloudFront or Cloudflare infrastructure by opening a terminal window and choosing either of the following: * Run `nslookup `. #### Result: The following is an example response for a custom domain using the CloudFront infrastructure: > **Collapse: CloudFront routing example** > > ``` > Server: 10.247.247.54 > Address: 10.247.247.54#53 > > Non-authoritative answer: > canonical name = 08b31479-e3a6-43a7-900c-68fb8f4dc738.edge1.pingone.com. > 08b31479-e3a6-43a7-900c-68fb8f4dc738.edge1.pingone.com canonical name = d3j27p1mzr08wt.cloudfront.net. > Name: d3j27p1mzr08wt.cloudfront.net > Address: 18.64.183.63 > Name: d3j27p1mzr08wt.cloudfront.net > Address: 18.64.183.104 > Name: d3j27p1mzr08wt.cloudfront.net > Address: 18.64.183.109 > Name: d3j27p1mzr08wt.cloudfront.net > Address: 18.64.183.116 > ``` The following is an example response for a custom domain using the Cloudflare infrastructure: > **Collapse: Cloudflare routing example** > > ``` > Server: 10.247.247.54 > Address: 10.247.247.54#53 > > Non-authoritative answer: > canonical name = a97e2bbf-6680-12b6-a2cf-97aa0b4a4227.edge1.pingone.com. > a97e2bbf-6680-12b6-a2cf-97aa0b4a4227.edge1.pingone.com canonical name = 1238af3f-0d5b-4cc8-8460-8a35a26efc5d.ping-ccd.com. > Name: 1238af3f-0d5b-4cc8-8460-8a35a26efc5d.ping-ccd.com > Address: 130.250.137.31 > ``` * Run `dig `. #### Result: The following is an example response for a custom domain using the CloudFront infrastructure: > **Collapse: CloudFront routing example** > > ``` > ; <<>> DiG 9.10.6 <<>> > ;; global options: +cmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33676 > ;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1 > > ;; OPT PSEUDOSECTION: > ; EDNS: version: 0, flags:; udp: 4000 > ;; QUESTION SECTION: > ;. IN A > > ;; ANSWER SECTION: > . 284 IN CNAME 08b31479-e3a6-43a7-900c-68fb8f4dc738.edge1.pingone.com. > 08b31479-e3a6-43a7-900c-68ab8f4dc738.edge1.pingone.com. 14471 IN CNAME d3j27p1mzr08wt.cloudfront.net. > d3j27p1mzr08wt.cloudfront.net. 44 IN A 18.64.183.63 > d3j27p1mzr08wt.cloudfront.net. 44 IN A 18.64.183.104 > d3j27p1mzr08wt.cloudfront.net. 44 IN A 18.64.183.116 > d3j27p1mzr08wt.cloudfront.net. 44 IN A 18.64.183.109 > > ;; Query time: 4 msec > ;; SERVER: 10.247.247.54#53(10.247.247.54) > ;; WHEN: Tue Mar 04 14:41:08 PST 2025 > ;; MSG SIZE rcvd: 248 > ``` The following is an example response for a custom domain using the Cloudflare infrastructure: > **Collapse: Cloudflare routing example** > > ``` > ; <<>> DiG 9.10.6 <<>> > ;; global options: +cmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21291 > ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1 > > ;; OPT PSEUDOSECTION: > ; EDNS: version: 0, flags:; udp: 4000 > ;; QUESTION SECTION: > ;. IN A > > ;; ANSWER SECTION: > . 300 IN CNAME a97e2bbf-6680-12b6-a2cf-97aa0b4a4227.edge1.pingone.com. > a97e2bbf-6680-12b6-a2cf-97aa0b4a4227.edge1.pingone.com. 2501 IN CNAME 1238af3f-0d5b-4cc8-8460-8a35a26efc5d.ping-ccd.com. > 1238af3f-0d5b-4cc8-8460-8a35a26efc5d.ping-ccd.com. 300 IN A 130.250.137.31 > > ;; Query time: 36 msec > ;; SERVER: 10.247.247.54#53(10.247.247.54) > ;; WHEN: Tue Mar 04 14:47:09 PST 2025 > ;; MSG SIZE rcvd: 211 > ``` 5. If your custom domain uses the Cloudflare infrastructure, determine whether mTLS is enabled using the `/customDomains/{{customDomainId}}` API endpoint. Learn more in [Custom domains](https://developer.pingidentity.com/pingone-api/platform/custom-domains.html) in the PingOne API documentation. 6. On the **Overview** tab, copy the PowerShell cmdlets to set up PingOne as the federated IdP, depending on whether you're using a custom domain and how the domain is configured. Learn more in [Custom domains](#p1-hybrid-join-custom-domains). * If you aren't using a custom domain, if you're using a custom domain with the CloudFront infrastructure, or if you're using a custom domain with the Cloudflare infrastructure with mTLS disabled, copy the default PowerShell cmdlets. * If you're using a custom domain with the Cloudflare infrastructure with mTLS enabled, click **Show PingOne Domain** to change the PowerShell cmdlets to use the PingOne domain and copy the cmdlets. ![A screen capture of the Microsoft 365 application Overview tab with Show PingOne Domain circled.](_images/p1-entra-hybrid-join-powershell-domain.png) 7. Open PowerShell and select the **Run as Administrator** option. 8. In PowerShell, paste and run the cmdlets. | | | | - | ---------------------------------------------------------------------------- | | | You might be prompted to sign on with your Entra account to run the cmdlets. | #### Result: Your custom domain now has the **Federated** checkmark in the Entra admin center with PingOne as the federated IdP. ### Updating the Microsoft 365 application After adding the Microsoft 365 application, you'll need to update it by: * Enabling advanced configuration. * Specifying the attribute to match a PingOne user record to the username from security token service (STS) requests. Refer to the example scenarios for guidance on which attribute to select, depending on your configuration. #### Steps 1. In the PingOne admin console, go to **Applications > Applications** and select the Microsoft 365 application. 2. On the **Overview** tab, click **Enable Advanced Configuration** and click **Enable** in the confirmation modal. 3. On the **Configuration** tab, click the **Pencil** icon ([icon: pencil, set=fa]). 4. In the **Attribute to identify users from username tokens** list, select the attribute for PingOne to use when matching the username from the STS request to an existing user reocrd. Use the example scenarios in the following section for guidance on which attribute to select. 5. Click **Save**. #### Example scenarios The following scenarios describe example configurations and which attribute to select for PingOne to match to the username token: > **Collapse: Example 1: You use from AD as the Entra ID username, and the and attributes always share the same value.** > > | Attribute configurations | Username attribute selection | > | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | > | You set up the following attribute configurations:- Kept the default mapping for **User Principal Name** to `userPrincipalName` in [Installing Microsoft Entra Connect Sync](p1_microsoft_entra_hybrid_join_prerequisites.html#p1-install-entra-connect-sync-upn) > > - Kept the default mapping for `mail` attribute from AD to **Email Address** in PingOne when [adding an LDAP gateway user type for cloud users](#p1-add-ldap-gateway) > > - Didn't create a custom attribute to store `userPrincipalName` in PingOne | In this example configuration, you can select either **None** or **Email Address** if the `userPrincipalName` and `mail` attributes always share the same value.Selecting either has the same outcome because the username in the username token is the `userPrincipalName` for the user, and PingOne can locate an existing user profile by matching the username from the token to the email address record. | > **Collapse: Example 2: You use from AD as the Entra ID username and store from AD in PingOne.** > > | Attribute configurations | Username attribute selection | > | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | > | You set up the following attribute configurations:- Kept the default mapping for **User Principal Name** to `userPrincipalName` in [Installing Microsoft Entra Connect Sync](p1_microsoft_entra_hybrid_join_prerequisites.html#p1-install-entra-connect-sync) > > - Kept the default mapping for `mail` attribute from AD to **Email Address** in PingOne when [adding an LDAP gateway user type for cloud users](#p1-add-ldap-gateway) > > - [Created a custom attribute](#p1-create-attribute) to store `userPrincipalName` in PingOne and mapped the custom attribute when [adding an LDAP gateway user type for cloud users](#p1-add-ldap-gateway) | * If the `userPrincipalName` and `mail` attributes always share the same value, you can select **None**. You can alternatively select **Email Address** or the custom attribute you created to store `userPrincipalName` in PingOne. > > Selecting any of these has the same outcome because the username in the username token is the `userPrincipalName` for the user, and PingOne can locate an existing user profile by matching the username from the token to the selected attribute. > > * If the `userPrincipalName` and `mail` attributes don't always share the same value, select the custom attribute you created to store `userPrincipalName` in PingOne. PingOne can locate an existing user profile by matching the username from the token to the custom attribute. > > If you don't select the custom attribute you created, PingOne won't be able to locate the user record for any user whose `userPrincipalName` and `mail` attributes don't share the same value. This can lead to failures, such as PingOne not being able to obtain a primary refresh token (PRT) from Entra ID. | > **Collapse: Example 3: You use an alternative AD user attribute as the Entra ID username.** > > | Attribute configurations | Username attribute selection | > | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | > | You set **User Principal Name** to a different AD user attribute (not `userPrincipalName`) to use as the Entra ID username.In this scenario, you must:1) Create a custom user attribute in PingOne to store the AD attribute you set for **User Principal Name**. Learn more in [Creating an attribute in PingOne](#p1-create-attribute). > > 2) Map the attribute from AD to the custom attribute in PingOne in the LDAP gateway user type for your cloud users. Learn more in [Adding an LDAP gateway to connect PingOne with AD](#p1-add-ldap-gateway). | Select the custom attribute you created to store the AD attribute you set for **User Principal Name** in Entra. This enables PingOne to locate an existing user profile by matching the username in the username token to this attribute.If you don't select the custom attribute you created, PingOne won't be able to locate the user record for any user whose `userPrincipalName` and `mail` attributes don't share the same value. This can lead to failures, such as PingOne not being able to obtain a PRT from Entra ID. | ### Assigning the authentication policy to the Microsoft 365 application Assign the authentication policy you created in [Adding an authentication policy](#p1-add-auth-policy) to the Microsoft 365 application to set how PingOne authenticates users. | | | | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | You can optionally use a DaVinci flow policy instead of an authentication policy to orchestrate the authentication experience. If your users access Microsoft 365 desktop applications, such as Excel for Windows, consider opting in to the Legacy Browser and WebView Compatible Rendering Mode early access feature in PingOne. Learn more in [Managing opt-ins for early access features in PingOne](../settings/p1_managing_opt_ins_for_ea_features.html). | #### Steps 1. In the PingOne admin console, go to **Applications > Applications** and click the Microsoft 365 application. 2. On the **Policies** tab, click **[icon: plus, set=fa]Add Policies**. 3. On the **PingOne Policies** tab, select the authentication policy you previously created. 4. Click **Save**. ### Results A user can now sign on to Microsoft 365: * In a browser at : 1. The user enters a username in the format of `@domain.tld`, where `domain.tld` is your verified custom domain. 2. Microsoft redirects the browser to PingOne for authentication. * Using a Microsoft 365 desktop application, such as Excel for Windows: 1. The user enters their username. 2. The desktop application opens a sign-on modal coming from PingOne. * Using Kerberos authentication: * If Kerberos authentication is enabled with the required SPN and browser configuration, the user isn't presented with a sign-on form, and no interaction is required unless your authentication policy uses MFA. * If Kerberos authentication isn't enabled, the user is presented with a sign-on form from PingOne and must enter their AD username and password to complete the LDAP authentication process to your AD. ## Hybrid join Set up PingOne as the federated IdP and Entra Connect Sync to process hybrid join requests using the Kerberos protocol to sync devices from AD to Entra ID. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | Device authentication using hybrid join is available as a limited access release for customers with a PingOne for Workforce Plus or Premium license in the North America (US) geography only and isn't covered under standard Support service level agreements (SLAs). You can open support cases for feedback, bug reports, configuration questions, or other inquiries related, but resolution times for these cases will vary. These cases often require collaboration with our Engineering and Product teams, so response times might exceed the usual SLAs for your Support package.Topics for this feature are draft documentation for limited access purposes only and aren't complete or final. | ### Before you begin Before you begin enabling hybrid join, you must complete the steps in [User authentication](#p1-connect-users-microsoft365) to set up PingOne as the federated IdP for Entra ID. ### Creating attributes and a population for hybrid joined devices Create an attribute to indicate hybrid joined devices and to store the `objectSid` for the devices and add a population where hybrid joined device records will be created. #### Steps 1. Add an attribute to indicate hybrid joined devices: 1. In the PingOne admin console, go to **Directory > User Attributes** and click the **[icon: plus, set=fa]**icon. 2. Select **Declared** for the attribute type and click **Next**. 3. Enter or edit the following: 1. **Name**: A unique identifier for the attribute. 2. **Display Name** (optional): The name of the attribute as you want it to display in the UI. 3. **Description** (optional): A brief description of the attribute. 4. Leave the **Enforce unique values** checkbox cleared. 5. Verify the **Allow multiple values** checkbox is cleared and **No Validation** is selected in the list. 4. Click **Save**. 2. Add an attribute to store `objectSid` for hybrid joined devices: 1. Click the **[icon: plus, set=fa]**icon. 2. Select **Declared** for attribute type and click **Next**. 3. Enter or edit the following: 1. **Name**: A unique identifier for the attribute. 2. **Display Name** (optional): The name of the attribute as you want it to display in the user interface. 3. **Description** (optional): A brief description of the attribute. 4. Leave the **Enforce unique values** checkbox cleared. 5. Verify the **Allow multiple values** checkbox is cleared and **No Validation** is selected in the list. 4. Click **Save**. 3. Add a population where hybrid joined device records will be created: 1. Go to **Directory > Populations** and click the **[icon: plus, set=fa]**icon. 2. Enter a **Population Name**. 3. (Optional) Enter a **Description**. 4. Leave **PingOne** as the **Identity Provider** (default). 5. Leave the **Default Population** cleared so that this population isn't the default. 6. Click **Save**. ### Enabling Kerberos authentication When the hybrid join process begins, the device sends a request security token (RST) message with a Kerberos token directly to PingOne as the federated IdP. The request occurs as part of an STS flow to obtain a security token and without a browser involved. If PingOne as the federated IdP is able to validate the Kerberos token, it creates an assertion and sends it to the device in an RST response (RSTR) message. To allow PingOne to validate the Kerberos token, you must enable Kerberos authentication in the LDAP gateway for Microsoft 365. #### Steps 1. In the PingOne admin console, go to **Integrations > Gateways**. 2. Select the LDAP gateway you previously created in [Adding an LDAP gateway to connect PingOne with AD](#p1-add-ldap-gateway). 3. Enable Kerberos authentication for browser SSO so that PingOne can process hybrid join requests from devices: 1. On the **Connection** tab, click **Edit**. 2. Select the **Enable Kerberos Authentication** checkbox. 3. Enter the **Service Account User Principal Name** and **Service Account Password**. 4. Click **Save**. 5. [Configure the service account](../integrations/p1_creating_spns.html) with the appropriate `servicePrincipalName` to enable Kerberos authentication. Learn more in [SPN reference](../integrations/p1_spn_reference.html). 6. [Configure end user browsers](../integrations/p1_configuring_end_user_browsers.html) with the required trusted URIs to support Kerberos authentication. If you don't want users to authenticate using Kerberos authentication, skip this step. When browsers aren't configured to support Kerberos authentication, users are presented with a sign-on form. 7. Click **Save**. ### Adding a user type for hybrid joined devices Add a user type to your LDAP gateway for hybrid joined devices to allow PingOne to store the value from AD and send it to Microsoft 365. #### Steps 1. In the PingOne admin console, go to **Integrations > Gateways** and select the LDAP gateway you previously created for Microsoft 365. 2. On the **Lookup** tab, click the **[icon: plus, set=fa]**icon. 3. Click **Use default values** to pre-populate fields with values PingOne needs when connecting to your on-premise AD. 4. Configure the following: > **Collapse: LDAP gateway configuration** > > | Setting | Description | > | ----------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | > | **User Type** | Enter a name for the user type, such as `hybrid joined devices`. | > | **Select Password Authority** | Select **LDAP** in the list. | > | **Enable password changes from PingOne** | Clear the checkbox to disable this option. | > | **User Search LDAP Base DN** | Enter the DN of the OU where devices to be joined to Entra are located. Use a specific DN location where only the devices are located, instead of a broad location that includes both users and devices.#### Example`OU=Computers,DC=pingdemo,DC=ping-eng,DC=com` | > | **User Link Attributes** | Leave the pre-populated default attributes. | > | **Enable migration of new users upon first authentication** | Select to enable the checkbox. | > | **LDAP Filter** | Enter the following to limit the filter to search for AD device records only:``` > (&(objectClass=computer)(sAMAccountName=${identifier})) > ``` | > | **Population** | Select the population you previously created for hybrid joined devices in the list. | > | **Update PingOne user attributes as users sign on** | Clear the checkbox to disable this option. | > | **Map Attributes** | 1. Click the **Delete** icon ([icon: trash, set=fa]) for all attributes except **Username** and **External ID**. > > The default source of External ID is the mS-DS-ConsistencyGuid attribute. If Entra Connect Sync doesn't populate the synced AD device objects with the mS-DS-ConsistencyGuid value, update the source of External ID with another AD attribute that can be used to identify synced devices, such as objectGUID. Make sure to use the same source for Username. > > 2. For **Username**, use the same attribute used for **External ID**. > > 3. Map the **Nickname** attribute: > > 1. Click **[icon: plus, set=fa]Add Mapping**. > > 2. In the **PingOne User Profile Attribute** list, select **Nickname**. > > 3. in the **LDAP Attribute** field, enter `sAMAccountName`. > > 4. Map the `objectSid` attribute: > > 1. Click **[icon: plus, set=fa]Add Mapping**. > > 2. In the **PingOne User Profile Attribute** list, select the custom attribute you previously created to store `objectSid` for hybrid joined devices. > > 3. In the **LDAP Attribute** field, enter `objectSid`.You can find more information about the required attribute mappings in [User type for hybrid joined devices](p1_microsoft_hybrid_join_troubleshooting.html#p1-hybrid-join-user-type). | 5. Click **Save**. ### Updating the Microsoft 365 application Update the Microsoft 365 application you previously created by: * Configuring hybrid join support * Adding the attribute you created for hybrid joined devices * Enabling Kerberos authentication to allow users to use SSO #### Steps 1. In the PingOne admin console, go to **Applications > Applications** and select the Microsoft 365 application. | | | | - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | If you didn't already in [Updating the Microsoft 365 application](#p1-update-microsoft-app-user-auth), click **Enable Advanced Configuration** on the **Overview** tab and click **Enable** in the confirmation modal. | 2. On the **Configuration** tab, click [icon: pencil, set=fa]and edit the following: 1. **Subject NameIdentifier Format**: Either leave the default **`urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`** selected or select **`urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified`** in the list. 2. **STS Token Type**: Select **SAML 1.1 for Office 365** in the list. 3. **Attribute to indicate Entra hybrid joined devices**: Select the attribute you previously created for hybrid joined devices in the list. 4. **Show WS-Trust 1.3 Metadata Exchange URL in Powershell cmdlets**: Select to enable the checkbox. 5. **Enable Kerberos Authentication**: 1. Select to enable the checkbox. 2. Click **[icon: plus, set=fa]Add Gateway User Type**. 3. For **Gateway**, select the LDAP gateway you created for Microsoft 365 in the list. 4. For **User Type**, select the user type you previously created for cloud users. This allows PingOne to process RSTs with Kerberos tokens that desktop applications send for users. 5. Click **[icon: plus, set=fa]Add Gateway User Type**. 6. For **Gateway**, select the LDAP gateway you created for Microsoft 365 in the list. 7. For **User Type**, select the user type you previously created for hybrid joined devices. This allows PingOne to process RSTs sent by devices with Kerberos tokens for devices. 6. Click **Save**. 3. On the **Attribute Mappings** tab, click [icon: pencil, set=fa]and add three new attributes: > **Collapse: Microsoft 365 application attributes** > > | Attribute | Steps | > | ------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | > | `accounttype` | 1. Click **[icon: plus, set=fa]Add**. > > 2. In the **Attributes** field, enter `accounttype`. > > 3. Click the **More Options** (⋮) icon and click **Update NameFormat**. > > 4. In the **Update NameFormat** modal, select **http\://schemas.microsoft.com/ws/2012/01** in the **NameFormat** list. > > 5. Click **Update**. > > 6. Click the **Gear** icon ([icon: gear, set=fa]) to open the **Advanced Expression** modal. > > 7. Enter `"DJ"` (including the quotation marks) for domain-joined devices in the **Expression** modal. > > 8. Click **Save**. | > | `onpremobjectguid` | 1) Click **[icon: plus, set=fa]Add**. > > 2) In the **Attributes** field, enter `onpremobjectguid`. > > 3) Click the **More Options** (⋮) icon and click **Update NameFormat**. > > 4) In the **Update NameFormat** modal, select **http\://schemas.microsoft.com/identity/claims** in the **NameFormat** list. > > 5) Click **Update**. > > 6) Click **[icon: gear, set=fa]**to open the **Advanced Expression** modal. > > 7) Enter `#string.uuidAsBase64Guid(user.externalId,null)` in the **Expression** modal. > > 8) Click **Save**. | > | `primarysid` | 1. Click **[icon: plus, set=fa]Add**. > > 2. In the **Attributes** field, enter `primarysid`. > > 3. In the **PingOne Mappings** list, select the attribute you previously created in [Creating an attribute in PingOne](#p1-create-attribute) to store `objectSid` for hybrid joined devices. > > 4. Click the **More Options** (⋮) icon and click **Update NameFormat**. > > 5. In the **Update NameFormat** modal, select **http\://schemas.microsoft.com/ws/2008/06/identity/claims** in the **NameFormat** list. > > 6. Click **Update**. | You can find more information about the required attribute mappings in [Attribute mappings for the Microsoft 365 application](p1_microsoft_hybrid_join_troubleshooting.html#p1-microsoft-365-mappings). 4. On the **Edit Attribute Mappings** panel, click **Save**. ### Updating the federated IdP setting Entra hybrid join uses the WS-Trust 1.3 STS where devices send WS-Trust 1.3-compliant RSTs and expect to receive WS-Trust 1.3-compliant RSTRs. After enabling the **Show WS-Trust 1.3 Metadata Exchange URL in PowerShell cmdlets** setting in the [Microsoft 365 application](#p1-add-microsoft-app), you must re-run the PowerShell cmdlets to update Entra ID to use the new WS-Trust 1.3 metadata exchange URL. #### Before you begin If you're using a custom domain for configuring hybrid join, refer to [Custom domains](#p1-hybrid-join-custom-domains) and [Adding a Microsoft 365 application](#p1-add-microsoft-app) (steps 4 and 5) to determine whether you can use your custom domain in the PowerShell cmdlets to update existing federation settings. Hybrid join doesn't support using a custom domain if mTLS is enabled for the domain. #### Steps 1. In the PingOne admin console, go to **Applications > Applications** and click the Microsoft 365 application. 2. On the **Overview** tab, copy the PowerShell cmdlets to change existing identity federation settings, depending on whether you're using a custom domain and how the domain is configured (steps 4 and 5 in [Adding a Microsoft 365 application](#p1-add-microsoft-app)): * If you aren't using a custom domain, if you're using a custom domain with the CloudFront infrastructure, or if you're using a custom domain with the Cloudflare infrastructure with mTLS disabled, copy the default PowerShell cmdlets. * If you're using a custom domain with the Cloudflare infrastructure with mTLS enabled, click **Show PingOne Domain** to change the PowerShell cmdlets to use the PingOne domain and copy the cmdlets. ![A screen capture of the Microsoft 365 application Overview tab with Show PingOne Domain circled.](_images/p1-entra-hybrid-join-powershell-domain.png) 3. Open PowerShell and select the **Run as Administrator** option. 4. In PowerShell, paste and run the cmdlets. ### Allowing users to join their devices to Entra ID Enable users to register their own devices with Entra ID as Entra joined devices. Learn more in [Configure device settings](https://learn.microsoft.com/en-us/entra/identity/devices/manage-device-identities#configure-device-settings) in the Entra documentation. #### Steps 1. In the Entra admin center, go to **Devices > Device settings**. 2. For **Users may join devices to Microsoft Entra**, select **All**. ![A screenshot of the Users may join devices to Microsoft Entra setting set to All in the Entra admin center."](_images/p1-entra-hybrid-join-setting.png) ### Configuring Entra Connect Sync and verifying the SCP Configure Entra Connect Sync and verify the service connection point (SCP) is properly configured to allow devices to be joined to your on-premise AD and Entra ID. A device isn't eligible for hybrid join until Entra Connect Sync syncs the device to Entra ID. #### Before you begin Before you can complete the configuration steps in this section, you must [download and install Entra Connect Sync](p1_microsoft_entra_hybrid_join_prerequisites.html). #### Steps 1. Sign on to the computer on which Entra Connect Sync is installed. 2. Open the Entra Connect Sync application and click **Configure**. 3. In the **Tasks** step, click **Configure device options** and click **Next**. 4. In the **Overview** step, click **Next**. 5. In the **Connect to Microsoft Entra ID** step, enter your administrator credentials for your Entra tenant. 6. In the **Device options** step, select **Configure Hybrid Microsoft Entra join** and click **Next**. 7. In the **Device systems** step, select the **Windows 10 or later domain-joined devices** checkbox and click **Next**. 8. In the **SCP configuration** step: 1. For **Forest**, select the checkbox for your AD domain. 2. For **Authentication Service**, select the applicable PingOne domain in the list. 3. For **Enterprise Admin**, click **Add**. #### Result: A **Windows Security Enterprise Admin Credentials** sign-on modal opens. 4. Enter the applicable AD account credentials for an enterprise administrator and click **OK**. 5. In the **SCP configuration** step, click **Next**. ![A screen capture of the Entra Connect Sync SCP configuration step.](_images/p1-entra-hybrid-join-connect-sync-scp-config.png) 9. In the **Federation** step, click **Next**. 10. In the **Configure** step, click **Configure** and click **Exit** when the installation completes. 11. Confirm your Entra tenant and verified custom domain display in AD: 1. Open **ADSI Edit** and go to **Action > Connect to**. 2. In the **Connection Settings** modal: 1. For **Connection Point**, click **Select a well known Naming Context**. 2. Select **Configuration** in the list. ![A screen capture of the ADSI Edit Connection Settings modal with Configuration selected as well known naming context.](_images/p1-entra-hybrid-join-adsi-edit.png) 3. Click **OK** to close the **Connection Settings** modal. 3. Go to **Configuration > CN=Configuration > CN=Services > CN=Device Registration Configuration**. 4. Right-click **CN=62a0ff2e-97b9-4513-943f-0d221bd30080** and click **Properties**. 5. In the **Properties** modal, locate **keywords** and click **Edit**. 6. In the **Multi-valued String Editor** modal, verify the following values exist and update them as needed: * `azureADId:` * `azureADName:` 7. Click **OK** to close the **Multi-valued String Editor** modal. 8. Click **Apply** and **OK** to close the **Properties** modal. 9. Close **ADSI Edit**. #### Result Devices joined to the domain found in the specified AD OU are now eligible for hybrid join after the next sync completes. They don't typically display in the Entra admin center on the **All devices** page until after the next sync, but they might appear with a **Registered** status of `Pending` at this point. ### (Optional) Disabling fallback sync in Windows Recent Windows operating systems come with a fallback sync mechanism if a hybrid join request fails at the federated IdP. Consider disabling fallback sync on the device for which you want to verify the hybrid join process is configured properly. Disabling fallback sync allows PingOne as the federated IdP to handle hybrid join and any other scenarios that use the STS flow. You can disable or re-enable the **Fallback to Sync-Join** setting by editing the DWORD in the Windows Registry. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | Modifying the registry should be done with caution. Incorrect changes can cause serious operating system problems or corruption and can prevent your system from booting. | #### Steps 1. On a Windows-based computer to be joined to the cloud, open **Registry Editor**. 2. Go to `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ` and locate the **FallbackToSyncJoin** DWORD, as shown in the following image. ![A screen capture of the Windows Registry Editor showing Fallback to Sync Join selected.](_images/p1_microsoft_hybrid_join_fallback_sync.png) * If the `CDJ` key doesn't exist in `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion`, create this new key by right-clicking in the `CurrentVersion` folder and clicking **New > Key**. * If the **FallbackToSyncJoin** DWORD doesn't exist in the `CDJ` key folder, create this new DWORD by right-clicking in the `CDJ` key folder and clicking **New > DWORD (32-bit) Value**. 3. To disable fallback sync: 1. Double-click the **FallbackToSyncJoin DWORD**. 2. Set **Value data** to `0`. 3. Click **OK**. When disabled, the device won't try fallback sync when `dsregcmd /join` fails. 4. To re-enable fallback sync: 1. Double click the **FallbackToSyncJoin DWORD**. 2. Set **Value data** to `1`. 3. Click **OK**. The device will try fallback sync when `dsregcmd /join` fails. You can find additional guidance on disabling the **Fallback to Sync-Join** setting in [Troubleshoot devices using the `dsregcmd` command](https://learn.microsoft.com/en-us/entra/identity/devices/troubleshoot-device-dsregcmd#diagnostics-data) in the Entra documentation. ## Validation You're ready to run the `dsregcmd` command to start the hybrid join process for a device and verify it succeeded. You can find examples of successful and failed responses in [Reference and troubleshooting for Microsoft Entra hybrid join](p1_microsoft_hybrid_join_troubleshooting.html). 1. Sign on to a Windows-based computer. 2. Open PowerShell and select the **Run as Administrator** option. 3. In PowerShell, run `dsregcmd /status` to review the current state. ### Result: The following is returned: ``` PS C:\Windows\System32> dsregcmd /status +----------------------------------------------------------------------+ | Device State | +----------------------------------------------------------------------+ AzureAdJoined : NO EnterpriseJoined : NO DomainJoined : YES ``` `AzureAdJoined : NO` means the device isn't hybrid joined to Entra ID yet. If it's already joined, you can run `dsregcmd /leave` to remove the device from Entra ID, and you shouldn't see this device in **Devices > All devices** in the Entra admin center. 4. Run `dsregcmd /join /debug` to start the hybrid join process. ### Example: The following is an example response: ``` PS C:\Windows\System32> dsregcmd /join /debug DsrCLI: logging initialized. ... Join request ID: 7d05360e-378f-4e2e-81b1-0289d60b974b Join response time: Thu, 10 Jul 2025 17:22:14 GMT Join HTTP status: 200 DsrCmdJoinHelper::Join: AutoEnrollAsComputer completed successfully DSREGCMD_END_STATUS AzureAdJoined : YES EnterpriseJoined : NO DeviceId : 3f0817b9-ca17-4714-ab81-f7b5943dec7b ... TenantId : 07ec9af2-7ce5-4ab7-8638-115736bbf990 ``` `AzureAdJoined : YES` means the hybrid join attempt succeeded, and the device is now hybrid joined to Entra ID. You should now see the device in **Devices > All devices** in the Entra admin center. ### Troubleshooting: If `dsregcmd /join` fails to hybrid join the device and it isn't showing in the Entra admin center: * If you ran the `dsregcmd /leave` cmdlet to unjoin a device from Entra ID, it can take some time before you can join the device again. Try again in 5 - 15 minutes. * Run `dsregcmd /join /debug` again to get additional information for troubleshooting. You can find troubleshooting information in [Reference and troubleshooting for Microsoft Entra hybrid join](p1_microsoft_hybrid_join_troubleshooting.html). 5. Run `dsregcmd /status` again. ### Result: The following is returned: ``` PS C:\Windows\System32> dsregcmd /status ... +----------------------------------------------------------------------+ | SSO State | +----------------------------------------------------------------------+ AzureAdPrt : YES AzureAdPrtUpdateTime : 2025-07-10 15:46:21.000 UTC AzureAdPrtExpiryTime : 2025-07-24 15:46:20.000 UTC AzureAdPrtAuthority : https://login.microsoftonline.com/07ec9af2-7ce5-4ab7-8638-115736bbf990 EnterprisePrt : NO EnterprisePrtAuthority : ``` `AzureAdPrt : YES` means the device received a PRT from Entra ID for the signed-on user. 6. Verify an event displays in the PingOne audit log and the device you just joined displays in the population you created for hybrid joined devices: 1. In the PingOne admin console, go to **Monitoring > Audit** and review the newest events. You should see a **Kerberos Check Succeeded** event. ![A screen capture of a Kerberos Check Succeeded event type in PingOne.](_images/p1_entra_hybrid_join_audit.png) 2. Go to **Directory > Users**. 3. Click the **Filter** icon ([icon: filter, set=fa]) and select the checkbox for the population you created for hybrid joined devices. ### Result: The **Users** list displays user records in the hybrid joined population. You should see a record for the device you joined. The **Username** will match the **User Identity** in the audit log. ## Troubleshooting Refer to [Reference and troubleshooting for Microsoft Entra hybrid join](p1_microsoft_hybrid_join_troubleshooting.html) for help troubleshooting issues. ## What's next 1. Repeat the steps in [Validation](#p1-hybrid-join-validation) for each device you want to be hybrid joined to both AD and Entra ID. 2. Implement the hybrid join configuration in your PingOne production environment and roll it out in stages to your users: 1. Move early adopters to a separate OU and configure Entra Connect Sync to sync devices from the early adopters OU only by running `dsregcmd /join /debug` on those devices. This should prevent configuration issues from impacting all of your users. 2. If you don't experience issues with the early adopters OU, repeat step 2a with another set of users. 3. Gradually increase the set of users to cover all applicable users and devices.