Hybrid Azure AD joined device not passing conditional access

We recently took over a new client who was using an expensive 3rd party file sync for shared files and personal user files.  We want to migrate them to SharePoint / OneDrive (They already use O365 for Exchange/Office apps).   We would like to control access to SharePoint via Azure Conditional Access to grant access to only domain joined devices.  The on premises AD is domain1.local.  The Office 365 domain is domain2.com.   I do not care about having to manage 2 sets of user accounts and passwords.   Local AD is running on a Server 2012 R2 domain controller.

I configured Azure AD Connect on the local domain controller and synchronized with Azure.  I successfully joined a computer to the domain.  It then synced to Azure and is listed in devices as a Hybrid AD joined device.    However, when I try to access SharePoint online, I'm still getting denied access with the error that the device must be domain joined.  dsregcmd /status shows that the device is AzureADJoined.

Is it possible to have a hybrid domain with the local AD as domain1.local and domain2.com as the Azure domain?  We use sharepoint for a document library and have no issue requiring a separate sign in to access it either via a browser or the OneDrive for business app.  

If it is not possible to do this, what is the easiest way to change the local domain from domain1.local to domain2.com?  It would not be prohibitively awful to simply create a new local domain, but we'd like to avoid it if at all possible.

As I'm new to Azure, if you have any thoughts that I'm likely missing, please don't hesitate to chime in.

Patrick Meeks Asked:

Vasil Michev (MVP) Commented:
SPO has a functionality that restricts sync to specific domains only, no need for conditional access. Read here: https://technet.microsoft.com/en-us/library/dn917455.aspx
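The sync-restriction alternative Vasil points to, as an added example that is not part of the thread: the tenant setting is keyed on the on-premises AD domain's objectGUID, so the script reads that GUID from AD and then applies it with the SharePoint Online module. It assumes the RSAT ActiveDirectory module on a domain member, the Microsoft.Online.SharePoint.PowerShell module, and a placeholder tenant admin URL. Note the scope of this control: it only affects the OneDrive sync client, so browser access to the library is not covered by it.

```powershell
# Added example, not code from the thread.
# Restrict OneDrive/SharePoint sync to devices joined to the on-prem AD domain.
# Assumes: RSAT ActiveDirectory module, Microsoft.Online.SharePoint.PowerShell module,
# and a placeholder tenant admin URL that must be replaced.
Import-Module ActiveDirectory
Import-Module Microsoft.Online.SharePoint.PowerShell

$TenantAdminUrl = 'https://TENANT-admin.sharepoint.com'   # placeholder tenant admin URL

function Get-OnPremDomainGuid {
    # The restriction list holds the objectGUID of each permitted AD domain.
    (Get-ADDomain).ObjectGUID.Guid
}

function Set-SyncDomainRestriction {
    param([Parameter(Mandatory)] [string[]]$DomainGuids)
    # Multiple domain GUIDs are passed as one semicolon-separated string.
    Set-SPOTenantSyncClientRestriction -Enable -DomainGuids ($DomainGuids -join ';')
}

function Test-SyncDomainRestriction {
    param([Parameter(Mandatory)] [string]$DomainGuid)
    # Verification step: the restriction must be enabled and the GUID must be in the allow list.
    $r = Get-SPOTenantSyncClientRestriction
    return ($r.TenantRestrictionEnabled -and ($r.AllowedDomainList -contains $DomainGuid))
}

$domainGuid = Get-OnPremDomainGuid
Connect-SPOService -Url $TenantAdminUrl
Set-SyncDomainRestriction -DomainGuids $domainGuid

if (Test-SyncDomainRestriction -DomainGuid $domainGuid) {
    Write-Output "Sync restricted to AD domain GUID $domainGuid"
} else {
    Write-Warning "Restriction not confirmed; re-check Get-SPOTenantSyncClientRestriction output"
}
```

Run it from a domain-joined admin workstation with SharePoint admin rights; the `Test-SyncDomainRestriction` call is the part worth keeping in a change record, since it confirms the tenant actually reflects the intended allow list.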
Patrick Meeks (Author) Commented:
We want to restrict web access as well as sync.  Is there a way to restrict web access without conditional access in Azure?  The data in question contains sensitive information and we would like to ensure that it's only accessed on known end points.

Vasil Michev (MVP) Commented:
You either need Conditional access or AD FS for that.

Patrick Meeks (Author) Commented:
Any idea why I will get access denied on a device that I can confirm is Hybrid AD Joined in Azure and reports as AzureADJoined with the correct tenant ID in dsregcmd /status?
Vasil Michev (MVP) Commented:
Not sure. I've only done hybrid in the federated scenario, not sure how it behaves without federation. Open a support case?
Anthony Murfet Commented:
Have you followed all the steps recorded here?
How to configure hybrid Azure Active Directory joined devices
That document is hard to follow, poorly written, and it seems focused on AD FS federated scenarios. It doesn't highlight the need to verify that the device is replicated correctly using Azure AD Connect. I'm trying to follow all the steps myself. The question I'm wrestling with is whether I can use the Azure AD Connect server with AD DS tools to do the configuration. I don't want to do anything on a DC -- the article is not clear on that point. And what is the craziness about having to use a specific MSOnline PowerShell module version ??? --- can I just use a later version? I wish there was clearer guidance focused on AD + AAD + Intune.
Anthony Murfet.
Anthony Murfet Commented:
Found the following, which at first glance is more useful than the Microsoft guidance:
Azure AD Premium Conditional Access for Domain Joined Machines
Anthony Murfet.
Patrick Meeks (Author) Commented:
As always, the solution is I'm an idiot.  I didn't update the UPN suffix for the test user in question to be the alternate UPN suffix I created to match the Office 365 domain.
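The accepted fix is a user-side mismatch rather than a device-side one, which is why dsregcmd looked healthy. The following is an added example, not code from the thread: it checks both halves, the device join state reported by dsregcmd /status and the on-premises users whose UPN suffix is still the non-routable domain1.local, and can rewrite a single test user's UPN to the alternate suffix domain2.com. It assumes the RSAT ActiveDirectory module, the two placeholder domain names from the question, and that the dsregcmd output keys (AzureAdJoined, DomainJoined, TenantId) appear in the usual "Name : Value" layout.

```powershell
# Added example, not code from the thread.
# Audits the two things that must line up for a hybrid-joined device to pass a
# "require domain joined" conditional access policy: the device join state and the
# signing-in user's UPN suffix. Assumes RSAT ActiveDirectory and the question's domain names.
Import-Module ActiveDirectory

$LocalSuffix = 'domain1.local'   # on-prem AD DNS name from the question (placeholder)
$CloudSuffix = 'domain2.com'     # verified Office 365 / Azure AD domain from the question (placeholder)

function Get-DeviceJoinState {
    # Parses dsregcmd /status into a hashtable; keys follow the tool's own labels.
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|TenantId|DeviceId)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-UpnSuffixRegistered {
    # The alternate suffix has to exist on the forest before any user can carry it.
    $forest = Get-ADForest
    return [bool]($forest.UPNSuffixes -contains $CloudSuffix)
}

function Get-MismatchedUpnUsers {
    # Users that would sync to Azure AD with an unroutable @domain1.local UPN.
    Get-ADUser -Filter "UserPrincipalName -like '*@$LocalSuffix'" -Properties UserPrincipalName |
        Select-Object SamAccountName, UserPrincipalName
}

function Repair-UpnSuffix {
    param(
        [Parameter(Mandatory)] [string]$SamAccountName,
        [switch]$WhatIf
    )
    $user   = Get-ADUser -Identity $SamAccountName -Properties UserPrincipalName
    $pattern = '@' + [regex]::Escape($LocalSuffix) + '$'
    $newUpn = $user.UserPrincipalName -replace $pattern, "@$CloudSuffix"
    Set-ADUser -Identity $user -UserPrincipalName $newUpn -WhatIf:$WhatIf
    return $newUpn
}

# 1. Device side: both flags should read YES and TenantId should be the expected tenant.
$device = Get-DeviceJoinState
"AzureAdJoined={0} DomainJoined={1} TenantId={2}" -f $device['AzureAdJoined'], $device['DomainJoined'], $device['TenantId']

# 2. Forest side: the alternate suffix must be registered.
if (-not (Test-UpnSuffixRegistered)) {
    Write-Warning "Alternate UPN suffix $CloudSuffix is not on the forest. Register it with:"
    Write-Warning "  Set-ADForest -Identity (Get-ADForest).Name -UPNSuffixes @{Add='$CloudSuffix'}"
}

# 3. User side: list accounts still carrying the .local suffix.
Get-MismatchedUpnUsers | Format-Table -AutoSize

# 4. Fix one test user first (drop -WhatIf to apply), then run a delta sync on the
#    Azure AD Connect server: Start-ADSyncSyncCycle -PolicyType Delta
# Repair-UpnSuffix -SamAccountName 'testuser' -WhatIf
```

Steps 1 to 3 are read-only and safe to run on any domain member; step 4 is the change itself and is left commented with -WhatIf so a single account can be trialled before touching the rest of the directory.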

Pber (Solutions Architect) Commented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Accept: Patrick Meeks (https:#a42398601)

If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

Experts-Exchange Cleanup Volunteer