Machines usually need a GPO to join them to Intune and line-of-sight access to the domain controller to join to Azure AD. You can build and deploy a provisioning package to help with this for computers that can't reach the domain but still need to be Hybrid Joined.
Create a provisioning package using Windows Configuration Designer (which you can download from the Microsoft Store app):
Once that’s downloaded, we’ll create a new project:
The most important step will be going to Account Management, selecting Enroll in Azure AD, and getting a Bulk Token:
Once you have a bulk token, select Finish and then click Switch to advanced editor in the bottom left. We need to switch to the advanced editor to remove any extra settings other than the bulk token.
Here I’ll delete the DNSComputerName:
And then the HideOobe setting:
Once we only see Authority and BPRT under Azure, we’re ready to export the package:
Then we just need to copy the RunTime Provisioning Package (.ppkg) file in the exported directory to our device:
Once the PPKG is on the device, double-click it to kick off the process:
Unfortunately, PPKGs don't really report any progress, but you can check under Settings > Accounts > Access work or school > Add or remove a provisioning package to see if it applied:
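The apply-and-verify steps above can also be run from an elevated PowerShell prompt. This is an added example, not part of the original walkthrough. The package path and timeout are assumed values, and the final cleanup step is a choice made here because the package carries the bulk token (BPRT).

```powershell
#Requires -RunAsAdministrator
# Added example. Both values below are assumptions; adjust them for your device.
$PpkgPath       = 'C:\Temp\BulkEnroll.ppkg'   # hypothetical path to the exported .ppkg
$TimeoutSeconds = 300                         # how long to wait for the join to show up

# Apply the package without the consent prompt that a double-click shows.
Install-ProvisioningPackage -PackagePath $PpkgPath -QuietInstall -ForceInstall | Out-Null

# Same information as Settings > Accounts > Access work or school >
# Add or remove a provisioning package.
Get-ProvisioningPackage -AllInstalledPackages | Format-List

# Read the device join state from dsregcmd and return it as a hashtable.
function Get-JoinState {
    $state = @{}
    foreach ($line in (dsregcmd.exe /status)) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|TenantName)\s*:\s*(.*)$') {
            $state[$Matches[1]] = $Matches[2].Trim()
        }
    }
    $state
}

# The join may not be visible the moment the package is applied, so poll.
$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
do {
    $join = Get-JoinState
    if ($join['AzureAdJoined'] -eq 'YES') { break }
    Start-Sleep -Seconds 15
} while ((Get-Date) -lt $deadline)

# Final state: AzureAdJoined, DomainJoined and TenantName as reported by dsregcmd.
[pscustomobject]$join

# The .ppkg contains the bulk token (BPRT), so remove the copy left on the device.
Remove-Item -LiteralPath $PpkgPath -Force
```

If `AzureAdJoined` is still `NO` when the timeout expires, the package may have applied without the enrollment completing, which the Settings page alone does not show.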