If you have ever configured Hybrid Entra Join in a production environment, you know the process has never been particularly elegant. It works, but it comes with a set of dependencies that have caused problems in more than one deployment. Microsoft has now introduced a preview that removes one of the most significant of those dependencies: Active Directory Federation Services (ADFS).
The Traditional Hybrid Join Process
During a standard Hybrid Join, when a device joins the local Active Directory domain, it does not immediately appear in Entra ID. The device generates a self-signed certificate and writes it to its own userCertificate attribute in local AD.
This acts as a signal to Entra Connect that the object is ready to synchronise. From that point, you have to wait for the next sync cycle before the device is registered in the Cloud and can receive Entra-based policies.
In environments using ADFS, the federation layer was used to accelerate and authenticate the device registration process. The WS-Trust endpoints adfs/services/trust/2005/windowstransport and adfs/services/trust/13/windowstransport needed to be enabled and carefully scoped to intranet-only.
Any misconfiguration there, and device registration could silently fail or behave inconsistently.
For organisations without ADFS (using Password Hash Sync instead), the process relied entirely on the sync-and-match architecture, with all the timing issues that come with it.
One area where this was particularly noticeable was Autopilot Hybrid Join. During deployment, the device had to wait for Entra Connect to complete a sync cycle before the user could sign in and receive cloud-based policies. In practice, that often meant a provisioning process that was slow and dependent on domain controllers.
What Microsoft Has Now Introduced
Microsoft has added a new preview option: Hybrid Join using Entra Kerberos. https://learn.microsoft.com/en-us/entra/identity/devices/how-to-hybrid-join-using-microsoft-entra-kerberos
This approach removes the dependency on both ADFS and Entra Connect sync for device registration. Instead of waiting for a background sync to complete, device registration happens through Entra Kerberos directly. The result is that the device reaches the Entra Hybrid Join state immediately, without the sync cycle delay. For the first time, Hybrid Join becomes a synchronous event.
According to the Microsoft documentation published in February 2026, the preview covers the following use cases:
- Non-persistent Virtual Desktop Infrastructure (VDI) in a managed environment
- Hybrid Join for customers using or migrating to Entra Cloud Sync
- Improved provisioning for Azure Virtual Desktop and Windows 365 hybrid deployments
That third point is significant. Windows 365 and Azure Virtual Desktop environments are exactly the scenarios where the traditional sync-based approach was most problematic. Provisioning a new VDI session and then waiting 30 minutes for Entra Connect before the device is usable is not a good operational model.
Important Notes
There are a few things worth being clear about before testing this in a customer environment.
- It requires Windows Server 2025 on at least one Domain Controller. This is the most important prerequisite. Specifically, the DC must be running build 26100.6905 or later. During the join process, the client device needs direct line-of-sight to this DC to obtain the necessary Kerberos tickets. If no DC in your environment meets that requirement, this preview is not available to you yet.
- It requires Windows 11 on the client. The feature is not backported to Windows 10. Client devices must be running Windows 11 build 26100.6584 or later.
- It is still a preview. The documentation was last updated on 24 February 2026. Microsoft previews in the identity space can sit in preview for extended periods, and behaviour can change between now and GA.
- It does not replace Entra Connect. User object synchronisation still requires Entra Connect or Cloud Sync. What is removed here is the dependency on those tools specifically for the device registration step. That is a meaningful distinction.
- Entra Kerberos needs to be configured in the tenant. This is not a zero-configuration change. There are prerequisites, and if you are already using Entra Kerberos for passwordless sign-in, you may already be partway there.
- The Trusted Domain Object must be initialised in your AD forest before any of this works.
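As an added example, not code from Microsoft's documentation or from the original post, the following PowerShell script checks the prerequisites listed above against a domain: the DC build (26100.6905+), the local client build (26100.6584+), and whether Entra Kerberos objects already exist in the forest. It assumes the ActiveDirectory RSAT module, WinRM access to the DCs, and that the Entra Kerberos server appears in AD as a computer object named AzureADKerberos (an assumption to verify in your own forest).

```powershell
# Added example (not Microsoft's or the original post's code): prerequisite check for
# the Hybrid Join via Entra Kerberos preview. Assumes the ActiveDirectory RSAT module,
# WinRM access to the DCs, and that the Entra Kerberos server shows up in AD as the
# "AzureADKerberos" computer object (an assumption; verify against your forest).
Import-Module ActiveDirectory

$MinDcBuild     = [version]'26100.6905'   # Windows Server 2025 DC, per the preview docs
$MinClientBuild = [version]'26100.6584'   # Windows 11 client, per the preview docs

function Get-OsBuildVersion {
    # Returns CurrentBuildNumber.UBR (e.g. 26100.6905). OperatingSystemVersion in AD
    # only carries the major build, so the UBR has to be read from the registry.
    param([string]$ComputerName = $env:COMPUTERNAME)
    $block = {
        $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
        "$($cv.CurrentBuildNumber).$($cv.UBR)"
    }
    if ($ComputerName -eq $env:COMPUTERNAME) { $raw = & $block }
    else { $raw = Invoke-Command -ComputerName $ComputerName -ScriptBlock $block -ErrorAction Stop }
    [version]$raw
}

# 1. At least one reachable DC must be on Windows Server 2025 at the required build.
$dcResults = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $build = Get-OsBuildVersion -ComputerName $dc.HostName
        [pscustomobject]@{ DC = $dc.HostName; Build = $build; Eligible = ($build -ge $MinDcBuild) }
    } catch { Write-Warning "Could not read build on $($dc.HostName): $_" }
}
$dcResults | Format-Table -AutoSize

# 2. The client running this script must be Windows 11 at the required build.
$clientBuild = Get-OsBuildVersion
$clientOk    = $clientBuild -ge $MinClientBuild

# 3. Entra Kerberos must already be set up in the forest: list the trusted domain
#    objects under CN=System and look for the Kerberos server computer account.
$systemDn = "CN=System,$((Get-ADDomain).DistinguishedName)"
$tdos = Get-ADObject -Filter 'objectClass -eq "trustedDomain"' -SearchBase $systemDn -Properties flatName
$tdos | Select-Object Name, flatName | Format-Table -AutoSize
$kerbServer = Get-ADComputer -Filter 'Name -eq "AzureADKerberos"' -ErrorAction SilentlyContinue

"DC on required build : {0}" -f [bool]($dcResults | Where-Object Eligible)
"Client build {0} OK  : {1}" -f $clientBuild, $clientOk
"Entra Kerberos object: {0}" -f [bool]$kerbServer
if (-not ($dcResults | Where-Object Eligible)) {
    Write-Warning 'No DC meets the build requirement; the preview is not available here yet.'
}
```

Run it from an elevated session on the Windows 11 client you intend to join; the DC section needs WinRM reachable on every DC it enumerates, so expect warnings for DCs that are firewalled off.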
Traditional vs. Entra Kerberos Hybrid Join
| Aspect | Traditional Hybrid Join | Entra Kerberos Hybrid Join |
|---|---|---|
| Auth Dependency | ADFS or Password Hash Sync | Entra Kerberos Trust |
| Registration Time | Up to 30+ minutes | Immediate |
| DC Requirement | Any supported Windows Server | Windows Server 2025 (build 26100.6905+) |
| Client OS | Windows 10 / 11 | Windows 11 (build 26100.6584+) |
| Primary Use Case | Legacy fleet | VDI, AVD, Windows 365 |
Why This Matters in Practice
Most organisations are still running Hybrid Join because they have legacy applications that depend on Active Directory machine authentication, or because a full migration to Entra Join would require more time and budget than is currently available. Hybrid is often a transitional state.
The problem is that the infrastructure required to make Hybrid Join work has historically been heavier than it should be. ADFS, in particular, is a component that many organisations would prefer to decommission. It introduces its own maintenance overhead, its own certificate lifecycle, and its own failure modes. Every time a customer raises ADFS in a conversation, the first question is usually how to get rid of it.
Removing ADFS from the device registration path is a step in the right direction. Combined with the elimination of the 30-minute sync window, the architecture becomes considerably cleaner than anything Hybrid Join has offered before.
That said, the Windows Server 2025 DC requirement could be a constraint. Plenty of environments running Hybrid Join today have not yet reached that point in their infrastructure refresh cycle.
Conclusion
The Hybrid Join without ADFS preview is worth testing, particularly if you are running Autopilot Hybrid Join, provisioning non-persistent VDI, or working with Azure Virtual Desktop or Windows 365 hybrid configurations.
The prerequisites (Windows Server 2025 DCs and Windows 11 clients) are not trivial, but the direction is clear. For organisations looking to simplify their hybrid identity infrastructure without committing to a full Entra Join migration, this is something to keep a close eye on.
