Update cached domain creds on device with AAD/InTune/AADConnect

Aaron 21 Reputation points
2020-09-18T13:32:06.923+00:00

So we are currently set up in a hybrid AAD join environment. And we have recently got InTune as well. We are talking about going full Azure AD join in the coming few months, but for the mean time, I do know that you can enable pass-through authentication to send the users' password out from the on-prem DC to their device and enable them to be prompted to change their password with o365/Azure, but the domain creds on the device that are cached aren't able to be changed, so they will still have to use their new password with any o365 apps, Azure apps, etc., but still have to use their old password that is cached on their machine to log in to their laptop daily. I want to fix that, preferably without using a DirectConnect or VPN, until we go full Azure AD Join, because I know it's possible that way since there won't be an on-prem DC anymore.

Can anyone suggest any kind of insights or ideas on how to get that to work successfully without a DirectConnect or VPN? The Azure environment is fairly new to me and I am still learning it. Any help is appreciated.


Accepted answer
Jason Sandys 31,171 Reputation points Microsoft Employee
2020-09-18T16:39:35.54+00:00

This is a fundamental design limitation of Windows and on-prem domain join. Line of sight to a domain controller is 100% required for initial logins and password changes. Anything else is not possible.

1 person found this answer helpful.
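The answer hinges on whether the device can currently reach a domain controller. The following diagnostic is an added example, not code from Aaron or from Jason Sandys, that reports the facts an administrator would check before telling a user to change their password: whether the device is hybrid-joined (`dsregcmd /status`), whether the DC locator can find a domain controller on the current network (`nltest /dsgetdc`), whether the machine's secure channel to the domain is healthy (`Test-ComputerSecureChannel`), and how many domain logons Windows caches for offline sign-in (the `CachedLogonsCount` Winlogon value). It assumes a domain-joined Windows 10/11 device and an elevated PowerShell session; the function name `Test-DcLineOfSight` is my own.

```powershell
# Added diagnostic (not from the thread): checks whether this hybrid-joined
# device has line of sight to a domain controller right now, which is what
# a domain password change needs in order to refresh the cached credential.
# Assumes a domain-joined Windows 10/11 device, run from an elevated session.

function Test-DcLineOfSight {
    [CmdletBinding()]
    param(
        # Domain to query; defaults to the domain of the signed-in user.
        [string]$Domain = $env:USERDNSDOMAIN
    )

    $result = [ordered]@{
        Domain            = $Domain
        HybridJoined      = $false
        DcLocated         = $false
        DcName            = $null
        SecureChannelOk   = $false
        CachedLogonsCount = $null
    }

    # 1. Hybrid join state: both AzureAdJoined and DomainJoined must be YES.
    $dsreg = & dsregcmd.exe /status 2>&1
    $aad = [bool]($dsreg -match '^\s*AzureAdJoined\s*:\s*YES')
    $dom = [bool]($dsreg -match '^\s*DomainJoined\s*:\s*YES')
    $result.HybridJoined = $aad -and $dom

    # 2. Can the DC locator find a domain controller from this network?
    #    /force bypasses the locator cache so a stale entry does not mislead us.
    $nltest = & nltest.exe /dsgetdc:$Domain /force 2>&1
    if ($LASTEXITCODE -eq 0) {
        $result.DcLocated = $true
        $line = $nltest | Where-Object { $_ -match '^\s*DC:\s*\\\\\S+' } | Select-Object -First 1
        if ($line -and $line -match '\\\\(\S+)') { $result.DcName = $Matches[1] }
    }

    # 3. Is the computer account's secure channel to the domain healthy?
    try {
        $result.SecureChannelOk = Test-ComputerSecureChannel -ErrorAction Stop
    } catch {
        $result.SecureChannelOk = $false
    }

    # 4. Number of domain logons Windows caches for offline sign-in (default 10).
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $result.CachedLogonsCount = (Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue).CachedLogonsCount

    [pscustomobject]$result
}

# Interpretation: when DcLocated and SecureChannelOk are both True, a password
# change made now reaches the DC and the cached verifier is refreshed at the
# next interactive sign-in. When either is False the device keeps accepting the
# previously cached password until it next talks to a domain controller.
Test-DcLineOfSight | Format-List
```

Run it on a laptop that is off the corporate network and on one that is connected, and compare the `DcLocated` and `SecureChannelOk` fields; the difference is the "line of sight" the accepted answer refers to.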
