DannyArroyo-3073 asked:

AAD Join vs Hybrid AAD Join with on Prem AD Joined Devices.

Hello.

As with many other institutions, we are planning to join our Windows 10 desktops to Azure AD and autoenroll into MS Intune. We have an on Prem AD and would like to Hybrid Join our Workstations. We have a VPN setup for remote access to the office.

The only machines currently joined to AAD are the test devices I have been using so we would like to make the correct decision before joining any more devices. I have tested joining via "Accounts/Access Work or School" but I prefer the on Prem GPO method (with a group of machines in "Security Filtering") because there is less user interaction. We have Azure AD Sync running on our DC that is syncing all our users and groups (and only a test OU of devices). We also setup a user group that is associated to the "Device Restrictions Policy" and our "Compliance Policy" in MS Intune.

We have three types of machines as shown below:
1. Office Desktops that have been moved to employees' homes. These machines are joined to on Prem AD
2. Office Laptops that are being used in employees' homes. These machines are joined to on Prem AD and may also be AAD Registered because the user logged into Office 365.
3. Brand new laptops that are sent directly to employees' homes. These laptops are being manually joined to on Prem AD. They may also be AAD Registered because the user has logged into Office 365 or entered their work email during the initial setup of Windows.


Questions/Concerns:

  1. I am trying to set up an environment where users will never have a problem logging into their Hybrid AD Joined Device. As I understand it, when a device is Hybrid AAD Joined, the user must log in with their on Prem AD account credentials (as opposed to their AAD User account). This is fine for a user who logs onto a device for the first time with Always On VPN enabled and for a user that has their on Prem AD Account password cached. But as an example, let's say a user's on prem AD account password has expired (and their on prem AD account password is cached locally). A user may feel like "Well, I can still log in, so I'm not going to change my password".

Over a month passes by where the user was out of the virtual office without using their work device. They come back to the virtual office and as luck would have it, we are having a serious problem with our VPN. At this point the cached password has expired (in addition to the on Prem AD account password) and the user does not have a VPN connection to reach the DC, so login is denied. The only option would be having the user login with a local account. However, we want to try to avoid this type of call (if possible).

Rare case, but sometimes things happen (Murphy's Law). If we go with Hybrid AD Join, what are the chances of a user being in a situation where they can't log in to their device?


Other Questions/Concerns:

  1. We have been manually installing our VPN client on our laptops and some desktops (the desktops that were sent to users' homes). I plan to enable the policy for Always On VPN in MS Intune. Will there be any issues if the VPN client is already installed on a specific device when MS Intune goes to push the VPN Client?

  2. Let's say that we join our on prem Domain Joined Windows 10 devices as AAD Joined instead of Hybrid AAD Joined. In that case a user can log in with their AAD user account, correct? (as long as the AAD user object exists and the user account is in the provisioned AD Group, of course)

  3. Is it safe to assume that the user can also log in to the same (on Prem Domain Joined) device with their on prem AD account credentials?

  4. If #3 and #4 are true, then will the user have 2 User profiles on the machine, accordingly?

  5. I believe that performing an AAD join requires the user to go to "Accounts/Work or School" and click the "+" sign to perform the AAD Join. It also means that we can't use on Prem GPOs to manage our device settings. Are there any other issues that we will experience when we perform an AAD Join on an on Prem Domain Joined AD? Do we have to remove the device from the on Prem Domain before we AAD Join? Or remove all the on Prem GPO settings before we AAD Join?


Any advice is appreciated.


1 Answer

sikumars answered:

Hello @DannyArroyo-3073,

Thanks for reaching out, and apologies for the delayed response.

Please find my inline answers below:

Questions/Concerns:
1. I am trying to set up an environment where users will never have a problem logging into their Hybrid AD Joined Device. As I understand it, when a device is Hybrid AAD Joined, the user must log in with their on Prem AD account credentials (as opposed to their AAD User account). This is fine for a user who logs onto a device for the first time with Always On VPN enabled and for a user that has their on Prem AD Account password cached. But as an example, let's say a user's on prem AD account password has expired (and their on prem AD account password is cached locally). A user may feel like "Well, I can still log in, so I'm not going to change my password".
Over a month passes by where the user was out of the virtual office without using their work device. They come back to the virtual office and as luck would have it, we are having a serious problem with our VPN. At this point the cached password has expired (in addition to the on Prem AD account password) and the user does not have a VPN connection to reach the DC, so login is denied. The only option would be having the user login with a local account. However, we want to try to avoid this type of call (if possible).
Rare case, but sometimes things happen (Murphy's Law). If we go with Hybrid AD Join, what are the chances of a user being in a situation where they can't log in to their device?

[Ans]: In any case, the cached password on the computer is updated only when the computer connects to a DC.

Do you use PHS, PTA or ADFS?

Think of this scenario: the password of a user account has expired and the device cannot connect to a DC. No password expiry warning will be prompted when the user logs onto the device with the old password. The user is not able to change the password because the connection to the DC is unavailable. Thus, the user needs to use the old password to log onto the device (this is feasible because of the local cache). This user now wants to access certain apps with a device-based CA policy enabled.

  1. If you are using PHS for authentication, you will still be able to access those apps. With PHS, the password hash is synced to AAD from AD. No password change happens in AD or in AAD. Authentication to AAD with the old password will still succeed. The device can also get the AAD PRT. When assessing the CA policy, it will still recognize the device as a hybrid joined device.


  2. If you are using PTA for authentication and you have enabled Password write back, you are able to change the password in the cloud. You are able to access those apps. In this scenario, you need to log on to the device with the old password and access the app using the new password, which is annoying.
    If you haven't enabled password write back, you are not able to access the app. It will prompt the following message: "Your organization doesn't allow you to update your password on this site. Update it according to the method recommended by your organization, or ask your admin if you need help." After you update your password in the cloud, the new password will be written back to your AD.

  3. Also for ADFS, you are not able to access the app.


Other Questions/Concerns:

We have been manually installing our VPN client on our laptops and some desktops (the desktops that were sent to users' homes). I plan to enable the policy for Always On VPN in MS Intune. Will there be any issues if the VPN client is already installed on a specific device when MS Intune goes to push the VPN Client?

[Ans]: There shouldn’t be any issue.

Let's say that we join our on prem Domain Joined Windows 10 devices as AAD Joined instead of Hybrid AAD Joined. In that case a user can log in with their AAD user account, correct? (as long as the AAD user object exists and the user account is in the provisioned AD Group, of course)

[Ans]: Yes, you are right, the user can log in with their AAD user account. To learn more, read "Plan your Azure AD join implementation".

Is it safe to assume that the user can also log in to the same (on Prem Domain Joined) device with their on prem AD account credentials?

If #3 and #4 are true, then will the user have 2 User profiles on the machine, accordingly?

[Ans]: Yes, users would have 2 different profiles on the machine.

I believe that performing an AAD join requires the user to go to "Accounts/Work or School" and click the "+" sign to perform the AAD Join. It also means that we can't use on Prem GPOs to manage our device settings. Are there any other issues that we will experience when we perform an AAD Join on an on Prem Domain Joined AD? Do we have to remove the device from the on Prem Domain before we AAD Join? Or remove all the on Prem GPO settings before we AAD Join?

[Ans]: Yes, "DomainJoined" and "AzureAdJoined" coexisting on the same Win10 device is not supported. You need to disjoin from the current domain in order to join the computer to AAD.

Azure AD Join can be deployed by using any of the following methods:
Windows Autopilot
Bulk deployment
Self-service experience


Hope this helps. Thanks.



Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

DannyArroyo-3073 commented:

@sikumars-msft Thank you for all the information.

We use PHS, so your scenario #1 is where we are. One difference is that we do not allow our users to change their passwords via ADFS. Our IDM handles all password changes via a User Self Service Web Portal. So the notifications concerning password expiration are sent to the users via our IDM rather than from ADFS. It seems that our users will have to use their old password to authenticate to their device, but the new password to authenticate to any cloud based services. Unless you see a way around this, we may have to live with this for those rare occurrences, for example where users either don't log in to VPN for long periods of time or we have technical issues with our VPN and/or on Prem ISP.

  1. Do cached passwords expire based on time (i.e. 30 days, 60 days, etc.)?

  2. Or is it true that cached passwords never expire? However, you have a limit on the number of unique user passwords that can be cached on a device.


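Two checks an administrator can run on a device to ground the points discussed in this thread: the answer's distinction between Hybrid Azure AD joined, Azure AD joined and domain-joined-only devices (and whether the device holds a PRT, which device-based CA depends on), and the final comment's question about whether cached credentials expire by time or by count. This is an added PowerShell example, not code from the thread or from Microsoft. The `dsregcmd /status` field names (`AzureAdJoined`, `DomainJoined`, `AzureAdPrt`) and the `CachedLogonsCount` value under the Winlogon registry key are real; the sample status text embedded below is constructed so the script runs offline.

```powershell
# Added example (not from the thread). Two defender-side checks:
#   1. Which join state a Windows 10 device is actually in, parsed from
#      the text "dsregcmd /status" prints.
#   2. How many domain logons Windows will cache for offline sign-in.
#      The limit is a count of distinct users (default 10), not a time-to-live,
#      so an idle month does not by itself evict a cached credential.

function Get-JoinState {
    param([Parameter(Mandatory)][string[]]$StatusLines)
    # Pull the YES/NO fields we care about out of the dsregcmd output.
    $flags = @{ AzureAdJoined = $false; DomainJoined = $false; AzureAdPrt = $false }
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|AzureAdPrt)\s*:\s*(YES|NO)\s*$') {
            $flags[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }
    $kind = if ($flags.AzureAdJoined -and $flags.DomainJoined) { 'Hybrid Azure AD joined' }
            elseif ($flags.AzureAdJoined) { 'Azure AD joined' }
            elseif ($flags.DomainJoined) { 'On-prem domain joined only' }
            else { 'Not joined (workgroup, or Azure AD registered only)' }
    [pscustomobject]@{
        JoinKind      = $kind
        AzureAdJoined = $flags.AzureAdJoined
        DomainJoined  = $flags.DomainJoined
        # Without a PRT, device-based Conditional Access cannot identify the device.
        HasPrt        = $flags.AzureAdPrt
    }
}

function Get-CachedLogonLimit {
    # Winlogon keeps the last N domain logons (as verifiers, not plaintext)
    # for offline sign-in. REG_SZ value, default "10", range 0-50.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    try {
        $value = (Get-ItemProperty -Path $key -Name CachedLogonsCount -ErrorAction Stop).CachedLogonsCount
        return [int]$value
    } catch {
        # Value absent (or not running on Windows): Windows applies the default of 10.
        return 10
    }
}

# Constructed sample of "dsregcmd /status" output for a hybrid-joined device.
# On a real device replace this with:  $sampleStatus = dsregcmd /status
$sampleStatus = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : YES
'@ -split "`r?`n"

$state = Get-JoinState -StatusLines $sampleStatus
$state | Format-List
"Offline logons cached on this host: $(Get-CachedLogonLimit) distinct users (count-based, not time-based)"
```

With the constructed sample the first function reports `Hybrid Azure AD joined` with `HasPrt` true; run against live `dsregcmd /status` output it tells you whether a machine the thread calls "AAD Registered because the user logged into Office 365" is actually joined at all (it will show `AzureAdJoined : NO`). The second function makes the cached-credential question concrete: lowering `CachedLogonsCount` reduces how many users can sign in offline, and setting it to 0 means a device that cannot reach a DC (no VPN) refuses domain logons entirely, which is exactly the help-desk call the original question wants to avoid.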