How to Transition Laptops from AzureAD to Hybrid Domain Join?

Asked By TechWizard42 On

Hey everyone! I'm looking for some guidance on how to transition our Azure AD joined laptops to a hybrid domain setup without wiping any of them clean. We need these machines to access certain features that are only available on-prem, and with about 100 laptops to manage, I could use some advice on the best approach. Has anyone done this before or have suggestions on how to make this switch smoothly? Thanks a lot!

5 Answers

Answered By CertMaster99 On

It's definitely possible to authenticate Azure-joined devices back to domain resources with certificates if you set up a Public Key Infrastructure (PKI). Just know that it's a bit of work to get that all set up.

Answered By NetTechie09 On

What exactly isn’t working for you? Are you trying to access specific resources that need HAADJ? For us, using Cloud Kerberos was sufficient for all access to our on-prem resources without needing to fully domain join the devices.

Answered By SystemGuru88 On

It’s tricky because there’s no real way to convert Azure AD joined devices to hybrid without joining them to the domain, which breaks the Azure-only trust. Typically, what most organizations do is unjoin from Entra, join the on-prem domain, and then let the hybrid registration kick back in through GPO/AD Connect. While this can maintain user data, anticipate some profile issues and cleanup after the process. Before diving in, double-check what on-prem features are blocking you, as many requirements for hybrid setups could actually be resolved with Kerberos cloud trust or application changes. If you absolutely need to go through with the domain join, I recommend piloting a couple of devices first to see how it goes before rolling out the rest.

Answered By TechieMaven On

I feel like there might be a more straightforward solution to whatever you're facing that doesn't necessarily require domain-joined computers. Have you thought about alternatives?

Answered By CloudAdmin123 On

Have you considered using Kerberos tokens with those Azure AD joined devices? Passing those tokens might give you single sign-on (SSO) access to quite a few on-prem resources without having to do a full hybrid join. Check out this documentation for more details! [Access Resources Documentation](https://docs.microsoft.com/en-us/microsoft-365/business/access-resources?view=o365-worldwide)
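Several replies above (SystemGuru88 on piloting a few devices through the unjoin / domain-join / hybrid-registration steps, NetTechie09 and CloudAdmin123 on cloud Kerberos SSO) come down to checking what state a laptop is actually in. The following PowerShell is an added example, not code from the thread or from Microsoft: it parses the output of `dsregcmd /status` and reports the join type and whether the device is obtaining an on-prem Kerberos ticket. It assumes the field names printed by dsregcmd on current Windows builds (AzureAdJoined, DomainJoined, AzureAdPrt, OnPremTgt) and uses a constructed sample in place of a live device.

```powershell
# Added example (not from the thread): classify a Windows device's join state
# from `dsregcmd /status` output, to verify pilot devices before and after the
# unjoin / domain-join / hybrid-registration steps described above.
# Field names (AzureAdJoined, DomainJoined, EnterpriseJoined, AzureAdPrt,
# OnPremTgt) are as printed by dsregcmd on current Windows builds (assumption).

function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints "   Key : Value"; box-drawing and header lines are skipped
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Get-JoinClassification {
    param([Parameter(Mandatory)][hashtable]$State)
    $aad = $State['AzureAdJoined'] -eq 'YES'
    $dom = $State['DomainJoined']  -eq 'YES'
    $kind = if ($aad -and $dom) { 'Hybrid Azure AD joined' }
            elseif ($aad)       { 'Azure AD joined' }
            elseif ($dom)       { 'Domain joined (hybrid registration not completed yet)' }
            else                { 'Workgroup / not joined' }
    [pscustomobject]@{
        JoinType      = $kind
        HasAzurePrt   = ($State['AzureAdPrt'] -eq 'YES')
        # OnPremTgt is YES when the device obtained an on-prem Kerberos TGT
        # through cloud Kerberos trust, i.e. the SSO path the replies mention.
        CloudKerberos = ($State['OnPremTgt'] -eq 'YES')
    }
}

# Constructed sample standing in for `dsregcmd /status` on a pilot laptop
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : YES
                 OnPremTgt : YES
'@ -split "`r?`n"

# On a real device, replace $sample with: (dsregcmd /status)
Get-JoinClassification (ConvertFrom-DsregStatus $sample)
```

Run it on one pilot machine before the unjoin and again after the domain join and a reboot or two; a device that reports "Domain joined (hybrid registration not completed yet)" has not yet been picked up by AD Connect / GPO, which is the cleanup point SystemGuru88 warns about.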
