Question asked by JoeRobinson-0435 (last comment by StevenDaSilva-8705)

Win 10, Domain Joined, Hybrid AD Join, Login without DC

Greetings: I have a scenario that I believe should be possible, but I was hoping someone could confirm. Environment is an on-prem forest, thousands of machines. We have a footprint in Azure with AD Connect synchronizing. Machines are Hybrid AD Joined.

 +----------------------------------------------------------------------+ 
 | Device State | 
 +----------------------------------------------------------------------+ 
 AzureAdJoined : YES 
 EnterpriseJoined : NO 
 DomainJoined : YES 
 DomainName : <netbios domain name> 
 Device Name : <machine.fqdn> 

I'm looking to find a way to get a user into a new device once they receive it. They will not have visibility to a domain controller, but they should have internet access with an Azure AD account synced from AD Connect.

To be clear, I'm not looking to gain access to any specific resources on prem - I just need to get the user logged into the machine.

Tags: windows-active-directory, windows-10-security, azure-ad-connect

Joe

Did you ever reach a solution to this?


I found that our VPN provider can establish a machine tunnel when no users are logged in. Upon enabling this, the machine connects back to our corporate network and gives the machine line of sight to a DC and the user can log in.


Hi Joe

Thanks for the feedback

So you still had to manually deploy the VPN client (e.g. GlobalProtect) before you could do that, or was it scripted as part of Intune?

Just trying to see if it was a 'zero touch' type of process.

Thanks again for your feedback.


Answer by vipulsparsh-MSFT:

@JoeRobinson-0435 Thanks for reaching out. If your machines are Hybrid AAD joined, the device must have line of sight to a domain controller in order to log in using an on-prem account.

If you need to log in with an AAD account, the device needs to be AAD joined. For any on-prem synced account, the device still needs to be able to reach a DC.

You can use a VPN profile from a MDM like Intune to be able to allow the login.


You can use a VPN profile from a MDM like Intune to be able to allow the login.

That's really the problem I'm trying to solve. The user needs to log in to click that connect button on the VPN to establish connectivity, but they can't because they don't have line of sight to the DC (I mean, if they did, then I wouldn't need to worry about getting them logged in).

It's just hard for me to believe that with all the pressure to move to the cloud, this scenario isn't something that is easy to overcome.

It sounds like the only real option here is to remove the machine from the domain, which is not a very good solution...

Thanks!

@JoeRobinson-0435 I understand the exact scenario you are in. For this specific thing we now have the capability to use Hybrid AAD Autopilot, where the VPN is pushed and connects to the corp network before the user needs to log in to the machine, putting it in line of sight of a DC for a successful login.

This scenario will definitely help you if you can make sure that you meet the requirements. Have a look here :
https://docs.microsoft.com/en-us/mem/autopilot/user-driven#user-driven-mode-for-hybrid-azure-active-directory-join-with-vpn-support

Let me know if you have any questions.


@JoeRobinson-0435 I wanted to follow up and know if the above response helped in answering your query. If it did, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.


Answer by TiagoQuadra-8005:

Hijacking someone else's topic here.

I am facing the same challenge/requirement. I want my users to be able to log in to a remote device before the credentials are cached from the on-prem DC (which requires VPN).

I did not try the autopilot yet, all devices were already provisioned and on-prem joined only, we are moving to the Hybrid Join setup.

So, the devices were joined to the on-prem domain using VPN. The device object is synced to Azure AD using AD Connect sync. The hybrid join is working and confirmed (as far as I can tell, from SSO, status in Azure AD, dsregcmd /status). Intune is also working (enrollment using GPO).

I was able to log in as a new user (non-cached credentials) on some devices, but some didn't work. So far I am unable to understand what the difference between them is, but it looks to me like the non-cached/unreachable on-prem login is possible for Hybrid Joined devices.

Just posting as an FYI, and maybe someone has suggestions for troubleshooting what can be different on each device that causes the different behaviour.

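When two hybrid-joined devices behave differently at the logon screen, as in the post above, the first step is to capture the same facts on each of them: the join state the original question shows from dsregcmd /status, whether a domain controller is reachable right now, and how many logons Windows will cache for offline use. The PowerShell below is an added example for this thread, not code posted by any participant or shipped by Microsoft. It assumes Windows 10 with the built-in dsregcmd tool and should be run in the signed-in user's session so the SSO State section (AzureAdPrt) is populated; the function names (Get-DsregStatus, Test-DcLineOfSight, Get-CachedLogonsCount, Test-DeviceLogonReadiness) are my own.

```powershell
# Added example (not from any poster in this thread): snapshot join state,
# DC line of sight and the cached-logon policy on a Windows 10 device so that
# two Hybrid Azure AD joined machines can be compared side by side.
# Function names below are hypothetical helpers chosen for this example.

function Get-DsregStatus {
    # Parse every "Key : Value" line of dsregcmd /status into a hashtable.
    # Section headers such as "| Device State |" contain no colon and are skipped.
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(\S[^:]*?)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-DcLineOfSight {
    # Ask the DC locator for a domain controller of the computer's domain.
    # Off the corporate network (before a VPN is up) this throws, which is
    # exactly the condition that blocks a first-time domain logon.
    try {
        $dc = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().FindDomainController()
        return [pscustomobject]@{ Reachable = $true;  DomainController = $dc.Name; Error = $null }
    } catch {
        return [pscustomobject]@{ Reachable = $false; DomainController = $null;   Error = $_.Exception.Message }
    }
}

function Get-CachedLogonsCount {
    # Number of interactive domain logons Windows caches for offline logon.
    # Stored as a string; Windows defaults to 10 when the value is absent, "0" disables caching.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $value = (Get-ItemProperty -Path $key -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $value) { return 10 }
    return [int]$value
}

function Test-DeviceLogonReadiness {
    $ds = Get-DsregStatus
    $dc = Test-DcLineOfSight
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        AzureAdJoined     = $ds['AzureAdJoined']
        DomainJoined      = $ds['DomainJoined']
        EnterpriseJoined  = $ds['EnterpriseJoined']
        DomainName        = $ds['DomainName']
        TenantName        = $ds['TenantName']
        AzureAdPrt        = $ds['AzureAdPrt']   # only populated when run in a signed-in user's context
        DcReachable       = $dc.Reachable
        DomainController  = $dc.DomainController
        DcLookupError     = $dc.Error
        CachedLogonsCount = Get-CachedLogonsCount
    }
}

# Run on each device under comparison; export to CLIXML/CSV if you want to diff the results.
Test-DeviceLogonReadiness | Format-List
```

A device showing AzureAdJoined : YES and DomainJoined : YES with DcReachable = False is in the situation the thread describes: the hybrid join itself is healthy, but a user whose credentials have never been cached on that machine has nothing to authenticate against until the DC becomes reachable (for example through a device tunnel that comes up before logon). Comparing the CachedLogonsCount and AzureAdPrt fields across the devices that did and did not allow the new-user logon is a reasonable place to start when the join state otherwise looks identical.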

Hello,

When you were able to log into some computers without the cached credentials, what exact username did you use? The full email address on the switch users screen (users@contoso.com) or the FQDN username (users@corp.contoso.com)?

I have seen some articles that state this is "possible" to do with hybrid/sso/Password hash but it is not working for me.
