This came up today as we had some users off site and one was trying to use another's laptop. She would get an error about not being able to reach a domain controller for authentication, and she had no cached credentials, which is what I would expect for an on-prem-joined-only machine. These laptops are Hybrid Azure AD joined, though, and I thought it would authenticate to AAD if the on-site AD couldn't be reached. I also had her try to log in using azuread\upn@keyman .com and it did not work either. Is there something I'm missing here in my setup, or does it just not work the way I think?
- All machines Hybrid Azure AD joined.
- Azure AD Connect installed on primary DC
- Sync status enabled
- Last sync less than an hour ago
- Password hash sync enabled
- Federation - Disabled
- Seamless single sign-on - enabled
- Pass-through auth - disabled
- Cert-based auth - disabled
- Email as alternate login ID - enabled
- Password writeback from AAD - enabled
I can confirm that accounts and passwords do stay in sync from our on-prem AD to AAD. Users can log in to O365 and other Microsoft services fine with their standard username/password. It just doesn't seem to let them log into the laptops themselves. I'm sure there is something I've messed up or am missing here; can anyone point me in the right direction?