parisv-6163 asked, Jason-MSFT commented

Hybrid join, but can users sign in to the laptop with Azure AD credentials?

We want to roll out new laptops to users using pre-provisioning (formerly white glove), and have them joined to our internal domain as well as Azure.

The problem is that when the user first gets their laptop I can't see how they can sign in, as it doesn't have their profile cached.

I've created a Windows enrollment profile which is set to join Azure AD as hybrid joined.

I've created a domain join profile as documented here: https://docs.microsoft.com/en-us/mem/intune/configuration/domain-join-configure

I've tested a new install of Windows and signed in with my Azure details, which sets the laptop up fine and adds it to our internal Active Directory, then reboots and asks for my domain\login.

Since it's not on the VPN and is only connected to the internet, I can't log in with that.

What are my options? How can I sign in with my Azure AD credentials? Would I have to use Azure AD join instead of Hybrid?

If that happens, what would happen for the users when they return to the office, for example if they wanted to print, access a file share, or run an internal app that authenticates to AD?


Tags: mem-intune-enrollment, mem-autopilot

Jason-MSFT answered, Jason-MSFT commented

How can I sign in with my azure ad credentials.

The systems must be fully Azure AD domain joined for a user to use their AAD account directly.

If that happens, what would happen for the users when they return to the office, for example if they wanted to print, access a file share, or run an internal app that authenticates to AD?

In nearly all cases, it just works. See https://docs.microsoft.com/en-us/azure/active-directory/devices/azuread-join-sso.

As a note, none of this has anything to do with Autopilot.

JacquesBensimon-8069 commented:

By "fully Azure AD domain joined", do you mean "only Azure AD joined and not Hybrid-joined"? Once a machine is hybrid-joined, it seems AD and AAD user credentials become synonymous with each other, and logon using either one requires network or VPN access to a domain controller (at least on the first occasion, in order to cache the AD credentials, policies, etc.)

Jason-MSFT replied to JacquesBensimon-8069:

Once a machine is hybrid-joined, it seems AD and AAD user credentials become synonymous

This is not correct. HAADJ endpoints are only "joined" to the on-prem AD domain and thus on-prem AD user credentials must be used. AAD Connect will sync your on-prem AD accounts to Azure AD, so it may seem like you are using an AAD account to log in, but you aren't and cannot. Thus, nothing changes about the login requirements for an HAADJ endpoint from a classic on-prem ADJ endpoint.
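The distinction Jason-MSFT draws above (Azure AD joined vs. Hybrid Azure AD joined, and whether an Azure AD PRT is present for SSO) can be checked on the device itself from the output of `dsregcmd /status`. The script below is an added example and is not code from this thread or from Microsoft; it reads the `AzureAdJoined`, `DomainJoined` and `AzureAdPrt` fields that `dsregcmd` prints, and the function names and the embedded sample output are my own constructions.

```powershell
# Added example (not from the original thread): classify a Windows device's join
# state from `dsregcmd /status` output and report whether an Azure AD PRT exists.
# Field names (AzureAdJoined, DomainJoined, AzureAdPrt) are the ones dsregcmd
# prints; Get-DsregState / Get-JoinType are assumed helper names for this example.

function Get-DsregState {
    param(
        # Pass captured text for offline use; otherwise run dsregcmd on the box.
        [string[]]$Lines = (& dsregcmd.exe /status)
    )
    $state = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints "   FieldName : VALUE"; banner lines have no colon.
        if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Get-JoinType {
    param([hashtable]$State)
    $aad = $State['AzureAdJoined'] -eq 'YES'
    $dom = $State['DomainJoined']  -eq 'YES'
    if ($aad -and $dom) { return 'Hybrid Azure AD joined (sign in with on-prem AD credentials)' }
    if ($aad)           { return 'Azure AD joined (sign in with Azure AD credentials)' }
    if ($dom)           { return 'On-prem domain joined only' }
    return 'Not joined (workgroup)'
}

# Constructed sample output, trimmed to the sections this script reads.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : YES
'@ -split "`r?`n"

$state = Get-DsregState -Lines $sample
Write-Host ("Join type : " + (Get-JoinType -State $state))
Write-Host ("Azure AD PRT present : " + $state['AzureAdPrt'])
# Drop -Lines to inspect the machine you are running on.
```

On a hybrid-joined device the script reports both flags as YES, which matches the thread: the user still signs in with on-prem AD credentials, while the PRT only covers SSO to Azure AD-protected resources once the user is already logged on.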

Another way might be to use the fairly new feature in Autopilot "User driven hybrid azure ad join over VPN"

https://docs.microsoft.com/en-us/mem/autopilot/user-driven#user-driven-mode-for-hybrid-azure-active-directory-join-with-vpn-support

https://oofhours.com/2020/06/23/windows-autopilot-user-driven-hybrid-azure-ad-join-over-the-internet-using-a-vpn/

I'm not sure if that works together with white glove though, I haven't tested it.

parisv-6163 answered

I think ultimately we want to move away from a local domain, so would prefer users to authenticate with their Azure AD credentials, but am left wondering how things would work once in the office.

parisv-6163 answered

Thanks for the link, I have modified the title.