![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(268.8, 28.999999999999996%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDH%3C/text%3E%3C/svg%3E)
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,380 questions
Ended up submitting a support request via the Azure portal for this one - response included below. In our case we're using PHS, so according to this we shouldn't have any problems.
Do you use PHS, PTA or ADFS?
The device status shown on Azure portal will not change if the password expires and it does not connect to DC. It will also show as hybrid joined. However, when device based CA policy is assessed, we check the device status with the information contained in the AAD PRT.
Think of this scenario – The password of an user account has expired and the device cannot connect to DC. No password expiry warning will be prompt out when user log onto the device with the old password. The user is not able to change the password because the connection is DC is unavailable. Thus, the user needs to use the old password to log onto the device (It is feasible because of the local cache). This user now wants to access certain apps with device based CA policy enabled.
- If you are using PHS for authentication, you will still be able to access those apps. As if we PHS, password hash is synced to AAD from AD. No password change happens in AD as well as in AAD. Authentication to AAD with old password will still success. The device can also get the AAD PRT. When assessing CA policy, it will still recognize the device as a hybrid join device.
- If you are using PTA for authentication and you have enabled Password write back, you are able to change the password on the cloud. You are able to access those apps. In this scenario, you need to logon the device with the old password and access the app using the new password which is annoying.
If you haven’t enabled password write back, you are not able to access the app. It will prompt out the following message “Your organization doesn't allow you to update your password on this site. Update it according to the method recommended by your organization, or ask your admin if you need help." After you update your password on the cloud, the new password will be written back to your AD”. - Also for ADFS, you are not able to access the app.
Actually we do not suggest to take hybrid joined devices out of the office but for obvious reasons we have to do this at this period of time.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 21%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDB%3C/text%3E%3C/svg%3E)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(124.80000000000001, 55.00000000000001%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)