Procedure to re-join devices
When you use a Conditional Access policy with "Require Microsoft Entra hybrid joined device", and the device is not configured properly or its Primary Refresh Token (PRT) was not refreshed successfully, users see the error "You can't get there from here".
I've asked MS support and tried to fix the root cause, but I gave up and realized re-joining the device is a quick fix... So this article shows how to re-join the device as hybrid domain-joined.
Ref: Troubleshoot Microsoft Entra hybrid joined devices
1. Check device status
Run the command as the signed-in user. You may see the device state reported as FAILED, or AzureAdPrt : NO in the SSO State section.
dsregcmd /status
2. Delete device from Entra ID
Run the command as administrator, then confirm that the device object has been removed from Entra ID.
dsregcmd /leave /debug
3. Run join command
Run the command as administrator. Make sure the device can reach the domain controller.
dsregcmd /join
4. Run task to join device
Run the command as administrator. Make sure the device can reach the domain controller. This scheduled task is the one that normally performs the automatic join at user sign-in; running it manually triggers the registration immediately.
schtasks /run /tn "Microsoft\Windows\Workplace Join\Automatic-Device-Join"
5. Check device registered on Entra ID
Registration logs are in Event Viewer under Applications and Services Logs > Microsoft > Windows > User Device Registration > Admin.
Run the status command again as the user; AzureAdPrt in the SSO State section should now show YES.
dsregcmd /status
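The following PowerShell script is an added example, not part of the original article, that wraps the five steps above: it parses the output of dsregcmd /status into a checkable object, pulls recent entries from the User Device Registration admin log, and (only when explicitly invoked from an elevated prompt) runs the leave, join and scheduled-task commands. The function names Get-DsregState, Test-HybridJoin, Get-DeviceRegistrationEvents and Invoke-HybridRejoin are this example's own; it assumes a Windows 10/11 device with dsregcmd.exe.

```powershell
# Added example (not from the original article). Assumes dsregcmd.exe is present
# and that Invoke-HybridRejoin is run from an elevated prompt with a reachable DC.

function Get-DsregState {
    # Parse the "Key : Value" lines of dsregcmd /status into a hashtable.
    # Lazy key match keeps values that themselves contain ':' (e.g. URLs) intact.
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*)$') {
            $state[$matches[1]] = $matches[2].Trim()
        }
    }
    return $state
}

function Test-HybridJoin {
    # Step 1: the three fields that matter for a hybrid joined device.
    # AzureAdPrt only appears when the command runs in the user's own context,
    # so run this as the signed-in user, not as SYSTEM.
    $s = Get-DsregState
    [pscustomobject]@{
        DomainJoined  = $s['DomainJoined']
        AzureAdJoined = $s['AzureAdJoined']
        AzureAdPrt    = $s['AzureAdPrt']
        Healthy       = ($s['DomainJoined']  -eq 'YES' -and
                         $s['AzureAdJoined'] -eq 'YES' -and
                         $s['AzureAdPrt']    -eq 'YES')
    }
}

function Get-DeviceRegistrationEvents {
    # Step 5: Event Viewer path Applications and Services Logs > Microsoft >
    # Windows > User Device Registration > Admin, as a channel name.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-User Device Registration/Admin'
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

function Invoke-HybridRejoin {
    # Steps 2-4 from the article. Refuses to run unless elevated.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Invoke-HybridRejoin must be run from an elevated prompt.'
    }
    dsregcmd /leave /debug
    dsregcmd /join
    schtasks /run /tn "Microsoft\Windows\Workplace Join\Automatic-Device-Join"
}

# Usage: run as the user first; decide on a re-join only if Healthy is False.
$before = Test-HybridJoin
$before | Format-List
if (-not $before.Healthy) {
    Write-Warning 'Hybrid join or PRT is not healthy. Review the registration log:'
    Get-DeviceRegistrationEvents -Hours 24 | Format-Table -AutoSize
    Write-Warning 'Then run Invoke-HybridRejoin from an elevated prompt and re-check as the user.'
}
```

Because the SSO State section is per user, the health check and the final re-check should run in the user's session, while Invoke-HybridRejoin needs an elevated prompt; after the scheduled task completes, a fresh user sign-in is what acquires the new PRT, so expect AzureAdPrt to flip to YES only after that sign-in.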