Update how-to-hybrid-join.md #1789
Conversation
Identified an eror that is thrown to the user when teh enterprise Administrator is not a direct member of Enterprise Administrators groups in the on-premises AD. When trying the operation the customer gets the error "The user provided is not a member of the Enterprise Administrators group". Checking the Trace logs: ActiveDirectoryProvider.IsUserGroupMember: membership not found - user is NOT a member of the group [ERROR] DeviceHybridScpPage: User is not a member of the EnterpriseAdmins group: *******************
| @rodrigooliani : Thanks for your contribution! The author(s) and reviewer(s) have been notified to review your proposed change. |
| Learn Build status updates of commit 3600c00: ✅ Validation status: passed
For more details, please refer to the build report. |
There was a problem hiding this comment.
Pull Request Overview
This PR adds a warning to the documentation about Enterprise Administrator membership requirements for hybrid join configuration. The update clarifies that the Enterprise Admin Account must be a direct member (not indirect) of the Enterprise Administrators group in on-premises Active Directory to avoid authentication errors.
- Added a warning block explaining Enterprise Administrator direct membership requirement
- Clarified the specific error message users encounter with indirect membership
- Provides context for troubleshooting authentication failures during hybrid join setup
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
| 1. On the **Configuration complete** page, select **Exit**. | ||
| | ||
| > [!WARNING] | ||
| > The Enterprise Admin Account must be a direct member of the Enterprise Administrators in the on-premises Active Directory. Once the credential is provided, a process will begin to verify if the SID of the given user is a direct member of the Enterprise Administrators group. Indirect membership will trigger the error message: "The user provided is not a member of the Enterprise Administrators group." |
There was a problem hiding this comment.
Missing word 'group' after 'Enterprise Administrators' in the first sentence.
| > The Enterprise Admin Account must be a direct member of the Enterprise Administrators in the on-premises Active Directory. Once the credential is provided, a process will begin to verify if the SID of the given user is a direct member of the Enterprise Administrators group. Indirect membership will trigger the error message: "The user provided is not a member of the Enterprise Administrators group." | |
| > The Enterprise Admin Account must be a direct member of the Enterprise Administrators group in the on-premises Active Directory. Once the credential is provided, a process will begin to verify if the SID of the given user is a direct member of the Enterprise Administrators group. Indirect membership will trigger the error message: "The user provided is not a member of the Enterprise Administrators group." |
| Can you review the proposed changes? Important: When the changes are ready for publication, adding a #label:"aq-pr-triaged" |
3 participants
Identified an eror that is thrown to the user when teh enterprise Administrator is not a direct member of Enterprise Administrators groups in the on-premises AD.
When trying the operation the customer gets the error "The user provided is not a member of the Enterprise Administrators group".
Checking the Trace logs:
ActiveDirectoryProvider.IsUserGroupMember: membership not found - user is NOT a member of the group
[ERROR] DeviceHybridScpPage: User is not a member of the EnterpriseAdmins group: *******************