SSO from Azure AD to Azure Active Directory Domain Services (AADDS)

Martijn Verheijen 6 Reputation points
2022-05-30T08:13:08.507+00:00

Dear All,

I have the following scenario:

  • On-premises domain with ADConnect syncing users to Azure AD (SSO, Password Writeback and Password Hash Sync enabled)
  • Azure Active Directory Domain Services enabled in Azure, using a completely different domain name from the On-Premises domain (thereby following the best practices)
  • A Server 2022 VM in Azure that is joined to the AADDS domain serving several resources, for example file shares.
  • Some Cloud only users (created in Azure AD, non-existent in the On-Premises Domain).
  • Some Hybrid users (created in On-Premises Domain and synced to Azure AD).
  • Reset the Password of both user types to make sure that the password hash is correctly synced to AADDS.

Now my goal is that when users log on to an Azure AD joined device (Win10 based, Intune Managed), they are able to access resources on the Server 2022 machine without an extra credential prompt.
The thing is that my tests on this part show different results when it comes to the different user types.
For users that originate from the On-Premises AD, SSO seems to work just fine, and users are able to access shares on the Server 2022 server without extra prompts.
For users that are created in Azure AD (cloud only) this does not work: they are prompted for credentials when trying to access shares on the Server 2022 server.

When searching the internet I found several articles stating that SSO from AADDS joined devices to Azure AD based resources (like O365) is currently not supported and/or not working.
I understand why this is the case, but my scenario is the other way around. I want Users on Modern, Intune Managed, Azure AD Joined endpoints to be able to SSO into some legacy resources that are still needed within the organization for the time being.
I cannot seem to find any documentation on this matter and whether this should or shouldn't work.
One would think that this is one of the main focus scenarios where AADDS shows its value.

Can someone shine some light on this one?

  • Should SSO work in this scenario?
  • If so what can I do to make it work or find more info regarding this?
  • If not, why is it working for Users that originate from the On-Premises AD?

I do have contact with MS support regarding this, but at the moment they state that SSO in my scenario is not working because it is also not working the other way around, without being able to support this with references to Docs, which feels like the matter is a bit oversimplified on their part.

thanks in advance for thinking with me on this one,

kind regards,

Martijn
The Netherlands.
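As an added troubleshooting example (not part of the original post), the following can be run on the Azure AD joined Windows 10 client, once as a hybrid user and once as a cloud-only user, to compare whether the device can locate the AADDS domain and silently obtain a Kerberos service ticket for the Server 2022 file share. The domain and server names are placeholders to replace with your own.

```powershell
# Added diagnostic for the scenario above; not code from the thread.
# Run in the signed-in user's own session on the Azure AD joined client.
param(
    [string]$AaddsDomain = 'aadds.example.com',      # placeholder: your AADDS domain name
    [string]$FileServer  = 'fs01.aadds.example.com'  # placeholder: the AADDS-joined Server 2022 host
)

# 1. Confirm the device state: AzureAdJoined should be YES, DomainJoined NO.
$dsreg = dsregcmd /status
foreach ($key in 'AzureAdJoined', 'DomainJoined') {
    $m = ($dsreg | Select-String "$key\s*:\s*(\w+)")
    $value = if ($m) { $m.Matches[0].Groups[1].Value } else { 'unknown' }
    Write-Host ("{0,-14}: {1}" -f $key, $value)
}

# 2. Can the client even locate a domain controller for the AADDS domain?
#    A failure here means DNS/VPN, not the user type, is the problem.
Write-Host "`n== DC locator for $AaddsDomain =="
nltest /dsgetdc:$AaddsDomain

# 3. Which Kerberos tickets does the signed-in user already hold?
#    Compare the output for a hybrid user and a cloud-only user.
Write-Host "`n== Existing tickets =="
klist

# 4. Request a service ticket for the file server's CIFS SPN without
#    prompting. Success (a new cifs/ ticket listed) means Kerberos SSO is
#    possible for this user; an error means the client has no usable
#    credential for the AADDS realm, which matches the credential prompt
#    the cloud-only users see.
Write-Host "`n== Ticket request for cifs/$FileServer =="
klist get "cifs/$FileServer"
```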

2 answers

  1. JimmySalian-2011 41,916 Reputation points
    2022-08-17T09:05:57.09+00:00

    Hi Martin,

    In Azure AD DS there is a feature known as Kerberos Constrained Delegation, and it is resource-based; however, for on-premises AD DS, KCD is resource-based and account-based. I suspect this is causing the issue with your scenario and would suggest you review this technical article and the steps mentioned in it to carry out the checks for the KCD.

    Other articles and support links are already provided by Sashi for SSO so that should help.

    deploy-kcd

    Detailed information on the way KCD functions. jj553400(v=ws.11)


  2. Jonathan Ryan 1 Reputation point
    2022-08-29T21:56:58.81+00:00

    Were you able to solve it yet?
