If a domain-joined device is out of contact with the domain for long enough that its machine account password expires, will it also lose domain-joined status in Azure AD?
We've recently had a significant number of people take their work-issued laptops home to start working remotely (for obvious reasons). All these devices are Hybrid Domain Joined to Azure AD, synced via AAD Connect. We have conditional access policies configured in AAD to limit access to certain apps to domain-joined devices.
Most users are regularly connecting back into the domain via VPN, so they shouldn't have any problems. The thing we're not sure about though is: if a user doesn't connect their device to the VPN (or office LAN) for so long that their machine account password expires and the device loses its trust relationship with the domain, will AD recognise that and sync the change in device status up to AAD, resulting in the device no longer showing as domain-joined in AAD, causing the user to lose access to the apps that require a domain-joined device? Or will AD not notice any change in the state of the device until it re-establishes contact, so it will continue to be recognised as domain-joined in AAD until that happens?
I've done a bunch of reading and found lots of info about machine account passwords and AAD domain-joined devices, but little if anything on how the two influence each other...