How do I join my Windows 10 devices as "Azure AD Joined" and the proper way for Users to login to these devices.

Danny Arroyo 41 Reputation points
2021-03-24T00:48:56.057+00:00

Hello, As with many other institutions, we are planning to join our Windows 10 desktops to Azure AD and autoenroll into MS Intune. We have an on Prem AD and would like to Hybrid Join our Workstations. We have a VPN setup for remote access to the office. The only machines currently joined to AAD are the test devices I have been using. I have tested joining via "Accounts/Access Work or School" but I prefer the on Prem GPO method (with a group of machines in "Security Filtering") because it's less user interaction. We have Azure AD Sync running on our DC. We also set up a user group that is associated to the "Device Restrictions Policy" and our "Compliance Policy" in MS Intune.

We have three types of machines as shown below:

  1. Office Desktops that have been moved to employees' homes. These machines are joined to on Prem AD.
  2. Office Laptops that are being used in employees' homes. These machines are joined to on Prem AD and may also be AAD Registered because the user logged into Office 365.
  3. Brand new laptops that are sent directly to employees' homes. These laptops are being joined to on Prem AD. They may also be AAD Registered because the user logged into Office 365 or entered their work email during the initial setup of Windows.

My questions are:

  1. Will Hybrid AAD Join work well for all three categories of machines listed above?
  2. Once a machine is Hybrid Joined, will the user be able to log in with their on Prem AD credentials (username@onprem.contoso.com)? For ex. if we enable Always On VPN and the user logs in using on Prem AD credentials. Also, will the user have the option to log in with their AAD credentials (username@Company portal .com)? For ex. if a user tries to log in while wifi is connected but the VPN is not connected.
  3. Let's say an on Prem domain joined laptop/desktop is sent to a user's home. This user has never logged into this device but the device is Hybrid joined (via the on Prem GPO settings). Will the user be able to log in with AAD credentials, being that there are no on prem cached credentials and VPN is not enabled?
  4. Also will the local user profile be different for the AAD login vs on Prem AD login?
  5. We use Google Apps and allow our users to enable email aliases. The email alias is stored in the on Prem "mail" attribute. A custom on Prem AD attribute is populated with the SAMAccountName@Company portal .com by our Identity System (in order to have a record of the default email address). Of course, the userPrincipalName contains the SAMAccountName@onprem.contoso.com. It seems that this may cause some issues because some users are entering their default email address and others enter their alias. Can AAD accept both mail attributes and associate them to the same AAD user? Any advice is appreciated.
  6. We want to use MS Intune to enable Always on VPN. Any advice is appreciated.
  7. I have been reading that AD credentials are cached for 30 days but can be adjusted. Should we be adjusting this value in the scenario I am describing?

Any advice is appreciated.

Microsoft Entra ID

Accepted answer
  1. VipulSparsh-MSFT 16,231 Reputation points Microsoft Employee
    2021-03-24T13:25:14.123+00:00

    @Danny Arroyo Thanks for reaching out, I will try to answer them according to your points.

    1) Your first and second machine scenarios will work provided they are under the cached login timeline (you can consider increasing it if you do not have any VPN being deployed). The third device scenario, where the device has not been logged on with the user and with no VPN, would be a problem, as for auth the device needs to be a LOC with the DC. Obviously this would be fixed when you start using this.

    2) If the device is Hybrid AD Joined, the cred used will be Always On prem.

    3) No, Hybrid Device needs to Auth the user against DC first.

    4) There will be an on prem user profile.

    5) You need to choose one which is constant and use that instead. You can look into alternate login ID feature for reference.

    6) Enable auto enrollment to Intune, so that the device which gets to AAD via AAD join or Hybrid AAD join gets auto enrolled to Intune. You can then use a dynamic device group to push out that Always On policy. Check this reference article for creating a VPN profile for hybrid.

    7) Only if you think the user is going to be that delayed in logging in the second time. No issues if you plan for VPN for hybrid as then this would work even in password change scenarios.

    Let me know if you have some other questions.


    If the suggested response helped you resolve your issue, please do not forget to accept the response as Answer and "Up-Vote" for the answer that helped you for benefit of the community.
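
The answer above turns on two facts about a hybrid-joined device: it still authenticates the user against the on-prem DC, and an offline sign-in (no VPN, no line of sight to a DC) only succeeds for a user who already has a cached logon on that machine. Windows governs the latter with the `CachedLogonsCount` value under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`, which is a count of distinct users whose logons are cached (default 10, `0` disables caching), not a number of days. The following PowerShell script is an added example, not code from the thread or from Microsoft; it reports a device's join state from `dsregcmd /status`, the cached-logon setting, and whether the Hybrid Join and MDM auto-enrollment GPO registry values are present, so a helpdesk can predict before shipping a machine whether the scenarios in questions 1 and 3 will sign in offline. The function names `Get-DsregStatus` and `Get-JoinReadinessReport` are my own; the registry paths and `dsregcmd` output keys are the documented ones. Run it in an elevated PowerShell session on the Windows 10 device.

```powershell
# Added example (not from the Q&A thread): report a Windows 10 device's join state
# and cached-logon setting to predict whether an offline sign-in can succeed.

function Get-DsregStatus {
    # dsregcmd /status prints "Key : Value" lines (AzureAdJoined, DomainJoined,
    # TenantName, DeviceId, ...); parse them into a hashtable.
    $status = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.*?)\s*$') {
            $status[$matches[1].Trim()] = $matches[2]
        }
    }
    return $status
}

function Get-JoinReadinessReport {
    $s = Get-DsregStatus

    # Cached domain logons: count of distinct users, default 10 when the value is absent,
    # "0" disables caching entirely.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
               -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $cached) { $cached = '10' }

    # Registry values written by the two GPOs the thread relies on:
    #  - "Register domain joined computers as devices" -> autoWorkplaceJoin = 1
    #  - "Enable automatic MDM enrollment using default Azure AD credentials" -> AutoEnrollMDM = 1
    $wpj = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin' `
           -ErrorAction SilentlyContinue
    $mdm = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM' `
           -ErrorAction SilentlyContinue

    $domainJoined = ($s['DomainJoined']  -eq 'YES')
    $aadJoined    = ($s['AzureAdJoined'] -eq 'YES')
    $joinType = if ($domainJoined -and $aadJoined) { 'Hybrid Azure AD joined' }
                elseif ($aadJoined)                { 'Azure AD joined' }
                elseif ($domainJoined)             { 'Domain joined only (not yet registered)' }
                else                               { 'Workgroup / not joined' }

    # A domain-joined (including hybrid-joined) device authenticates users against the
    # on-prem DC, so a first sign-in with no DC reachable only works from a cached logon.
    [pscustomobject]@{
        JoinType                      = $joinType
        TenantName                    = $s['TenantName']
        DeviceId                      = $s['DeviceId']
        CachedLogonsCount             = [int]$cached
        CacheDisabled                 = ([int]$cached -eq 0)
        HybridJoinGpoApplied          = ($wpj.autoWorkplaceJoin -eq 1)
        MdmAutoEnrollGpoApplied       = ($mdm.AutoEnrollMDM -eq 1)
        OfflineSignInNeedsCachedLogon = $domainJoined
    }
}

Get-JoinReadinessReport | Format-List
```

If `OfflineSignInNeedsCachedLogon` is true and the intended user has never signed in on that machine, the device matches the third scenario in the question: ship it only after a first logon with DC reachability, or with Always On VPN in place, rather than relying on the cache value.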


1 additional answer

  1. Danny Arroyo 41 Reputation points
    2021-03-25T14:03:19.377+00:00

    @VipulSparsh-MSFT

    I also don't want a user calling to report that they can't log in to their device. For example, let's say a user's on prem account password has expired (and their on prem AD password is cached locally). A user may feel like "Well I can still log in, so I'm not going to change my password".

    Over a month passes by where the user was out of the virtual office without using their work device. They come back to the virtual office and, as luck would have it, we are having a serious problem with our VPN. At this point the cached password has expired (in addition to the on Prem account password) and the user does not have a VPN connection to reach the DC, so login is denied. The only option would be having the user log in with a local account, but we want to try to avoid the call (if possible).

    Rare case, but sometimes things happen (Murphy's Law). If we go with Hybrid AD Join, what are the chances of a user being in a situation where they can't log in to their device?
