This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(236.8, 76%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDC%3C/text%3E%3C/svg%3E)
This came up today as we had some users off site and one was trying to use another's laptop. She would get an error about not being able to reach a domain controller for authentication, and she had no cached credentials which is what I would expect for an on prem joined only machine. These laptops are Hybrid Azure AD joined though and I thought it would authenticate to AAD if the on site AD couldn't be reached. I also had her try to login using azuread\upn@keyman .com and it did not work either. Is there something I'm missing here in my setup, or does it just not work the way I think?
I can confirm that accounts and passwords do stay in sync from our on prem AD to AAD. Users can login into O365 and other Microsoft services fine with their standard username/password. It just doesn't seem to let them log into the laptops themselves. I'm sure there is something I've messed up or am missing here, can anyone point me in the right direction?
Hi @Daniel Casbergue ,
For Hybrid deployment and Azure AD Joined devices there should a line of sight for a DC and this is documented
Hope this helps.
==
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
@JimmySalian-2011 , I knew I was missing something, looks like I'd have to go full azure joined which is an issue for me with GPOs. I've still got maybe 30-40% of policy on prem as opposed to Intune, and a couple of things I just can't move over. Knowing the root of the issue I found some more detailed explanations & discussions relating to pretty much exactly the thing we're talking about here. Thanks for pointing me in the right direction.
No problem @Daniel Casbergue and you are welcome, yes agree basically the scenario you are looking for is full Azure AD Joined and you can still maintain GPOs via Intune. Sure I can understand complex situations and some legacy apps are always there, anyways plan your migration and roadmap when you are ready.