This is a fundamental design limitation of Windows and on-prem domain join. Line of sight to a domain controller is 100% required for initial logins and password changes. Anything else is not possible.
Update cached domain creds on device with AAD/InTune/AADConnect
So we are currently set up in a hybrid AAD join environment. And we have recently got InTune as well. We are talking about going full Azure AD join in the coming few months, but for the meantime, I do know that you can enable pass-through authentication to send the user's password out from the on-prem DC to their device and enable them to be prompted to change their password with o365/Azure, but the domain creds on the device that are cached aren't able to be changed, so they will still have to use their new password with any o365 apps, Azure apps, etc., but still have to use their old password that is cached on their machine to log in to their laptop daily. I want to fix that, preferably without using a DirectConnect or VPN, until we go full Azure AD Join, because I know it's possible that way since there won't be an on-prem DC anymore.
Can anyone suggest any kind of insights or ideas on how to get that to work successfully without a DirectConnect or VPN? The Azure environment is fairly new to me and I am still learning it. Any help is appreciated.
Jason Sandys 31,171 Reputation points Microsoft Employee
2020-09-18T16:39:35.54+00:00
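A diagnostic to go with the answer above (added here, not from the thread or from Microsoft): it reports whether a hybrid-joined device currently has the DC line of sight the answer names as the precondition for the cached domain credential to refresh, plus the cached-logon policy and the join state. It assumes a domain-joined Windows 10/11 device and an elevated PowerShell session; the `nltest`, `dsregcmd` and `Test-ComputerSecureChannel` calls are standard Windows tooling.

```powershell
# Added diagnostic: can this device reach a DC right now, and what is its
# cached-credential and hybrid-join state? Assumes a domain-joined Windows
# 10/11 device and an elevated PowerShell session.

$domain = $env:USERDNSDOMAIN
if (-not $domain) { Write-Warning "Not domain-joined; nothing to check."; return }

# 1. Can the DC locator find a domain controller? Exit code 0 means yes.
$locator = & nltest.exe "/dsgetdc:$domain" 2>&1
$hasLineOfSight = ($LASTEXITCODE -eq 0)
Write-Host "DC line of sight : $hasLineOfSight"
if ($hasLineOfSight) {
    $dcLine = $locator | Select-String 'DC:' | Select-Object -First 1
    if ($dcLine) { Write-Host ("  " + $dcLine.Line.Trim()) }
}

# 2. Is the machine account's secure channel to the domain healthy?
try   { $secureChannel = Test-ComputerSecureChannel -ErrorAction Stop }
catch { $secureChannel = $false }
Write-Host "Secure channel OK: $secureChannel"

# 3. How many domain users may sign in from cached credentials (default 10)?
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
           -ErrorAction SilentlyContinue).CachedLogonsCount
Write-Host "CachedLogonsCount: $cached"

# 4. Join state as reported by dsregcmd (hybrid = both values YES).
$ds = & dsregcmd.exe /status
foreach ($key in 'AzureAdJoined', 'DomainJoined') {
    $line = $ds | Select-String "^\s*$key\s*:" | Select-Object -First 1
    if ($line) { Write-Host ("  " + $line.Line.Trim()) }
}

if (-not $hasLineOfSight) {
    Write-Host "No DC reachable: the cached domain password stays as it was until the"
    Write-Host "device next authenticates to a DC (on-site, VPN, or after full Azure AD join)."
}
```

Run it on an affected laptop while off the corporate network to confirm the answer's point: the device shows hybrid join state but no DC line of sight, so the cached password cannot update from Azure AD alone.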