Can a cloud-only account log in to a Hybrid Azure AD Joined machine?

DINESH PANDEY 1 Reputation point
2022-06-07T03:42:55.05+00:00

We are planning to move to the cloud completely, or at least reduce our dependency on on-prem Active Directory authentication, so we are seeking any possibilities for the points below.

Can a cloud-only account log in to a Hybrid Azure AD Joined machine?

Can we restrict a cloud-only account to logging in to only one particular PC, or a couple of PCs?

In addition, can we automatically or manually delete (permanently) an O365 group from the Azure portal? Is there any way (conditional policy/rules/option in Azure) to remove a group permanently once it has been soft deleted, with a few exceptions, such as the group must be an O365 group and the group name must start with a specific word or suffix?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
    2022-06-14T19:55:26.367+00:00

    Hi @DINESH PANDEY ,

    Thanks for your post and apologies for the delayed response!

    Can a cloud-only account log in to a Hybrid Azure AD Joined Machine?

    Short answer: No.

    Longer answer: If the machine is Hybrid Azure AD joined, a cloud-only user will not be able to join. When logging into a Hybrid Azure AD joined machine, the user should exist both on-premises and in the cloud. The user first has to get authenticated by the on-prem Domain Controller before Azure AD checks the credentials.

    Users can, however, log in to Windows with their Office 365 credentials if their accounts are hybrid Azure AD joined. The user needs to have a local account to log in to the machine. One option would be to create an Active Directory account for them and soft-match it against the Azure AD user object.

    Can we automatically or manually delete (permanently) the O365 group from the Azure portal?

    To permanently delete the soft-deleted groups, you can query them with Get-AzureADMSDeletedGroup.

    Then you can copy the ID of the group and run the following command to delete it:

    Remove-AzureADMSDeletedDirectoryObject -Id xxxx-xxx-xx

    There isn't a pre-existing script that does this, but you could probably select groups by -DisplayNameStartsWith and create a custom query. https://learn.microsoft.com/en-us/powershell/module/az.resources/get-azadgroup?view=azps-8.0.0

    Additional resources:

    Cloud-only account on hybrid joined device?

    https://learn.microsoft.com/en-us/azure/active-directory/devices/azureadjoin-plan

    https://learn.microsoft.com/en-us/windows-365/enterprise/identity-authentication

    -

    If the answer provided was helpful to you, please remember to "mark as answer" so that others in the community with similar questions can more easily find a solution.

    3 people found this answer helpful.
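The two cmdlets named in the answer above, wired together into the "custom query" it suggests, as an added example that is not part of the original answer. It assumes the AzureAD PowerShell module is installed and that Connect-AzureAD has already been run with an account permitted to hard-delete directory objects; the function name and its parameters are my own, the cmdlets and the GroupTypes/DisplayName properties are the module's. Filtering is done client-side on the recycle-bin listing, because a deleted-group query cannot be narrowed by name prefix the way a live Get-AzADGroup call can, and the function only purges Microsoft 365 ("Unified") groups whose display name starts with the given prefix.

```powershell
# Added example, not code from the original answer.
# Assumes: Import-Module AzureAD; Connect-AzureAD already done with an account
# that may hard-delete directory objects (e.g. Groups Administrator).
# Hypothetical function name and parameters; the cmdlets it calls are real.
function Remove-SoftDeletedUnifiedGroup {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Only soft-deleted groups whose display name starts with this prefix are touched.
        [Parameter(Mandatory = $true)]
        [string]$NamePrefix
    )

    # Get-AzureADMSDeletedGroup lists everything in the group recycle bin, so
    # narrow it client-side to Microsoft 365 groups with the wanted name prefix.
    $candidates = Get-AzureADMSDeletedGroup -All $true | Where-Object {
        ($_.GroupTypes -contains 'Unified') -and
        $_.DisplayName.StartsWith($NamePrefix, [System.StringComparison]::OrdinalIgnoreCase)
    }

    if (-not $candidates) {
        Write-Verbose "No soft-deleted Microsoft 365 groups match prefix '$NamePrefix'."
        return
    }

    foreach ($group in $candidates) {
        # ShouldProcess honours -WhatIf (preview) and -Confirm (per-object prompt).
        # Hard deletion is irreversible: the 30-day restore window is forfeited.
        if ($PSCmdlet.ShouldProcess("$($group.DisplayName) ($($group.Id))",
                                    'Permanently delete soft-deleted group')) {
            Remove-AzureADMSDeletedDirectoryObject -Id $group.Id
            # Emit the purged group so the caller can log what was removed.
            [pscustomobject]@{
                Id          = $group.Id
                DisplayName = $group.DisplayName
                GroupTypes  = ($group.GroupTypes -join ',')
            }
        }
    }
}

# Preview first; nothing is deleted with -WhatIf.
Remove-SoftDeletedUnifiedGroup -NamePrefix 'PRJ-' -WhatIf -Verbose

# Then purge for real, recording the result (drop -Confirm:$false to be prompted per group).
# Remove-SoftDeletedUnifiedGroup -NamePrefix 'PRJ-' -Confirm:$false |
#     Export-Csv -Path .\purged-groups.csv -NoTypeInformation
```

Run it with -WhatIf until the list of matches is exactly what you expect, because a hard-deleted group cannot be restored with Restore-AzureADMSDeletedDirectoryObject. If this is scheduled rather than run by hand, use a dedicated service identity with only the group-deletion rights it needs and keep the exported CSV as the audit trail.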
