Users can't authenticate on laptops via azure AD

Daniel Casbergue 21 Reputation points
2022-10-05T20:03:02.3+00:00

This came up today as we had some users off site and one was trying to use another's laptop. She would get an error about not being able to reach a domain controller for authentication, and she had no cached credentials which is what I would expect for an on prem joined only machine. These laptops are Hybrid Azure AD joined though and I thought it would authenticate to AAD if the on site AD couldn't be reached. I also had her try to login using azuread\upn@keyman .com and it did not work either. Is there something I'm missing here in my setup, or does it just not work the way I think?

  • All machines Hybrid Azure AD joined.
  • Azure AD Connect installed on primary DC
  • Sync status enabled
  • Last sync less than an hour ago
  • Password hash sync enabled
  • Federation - Disabled
  • Seamless single sign-on - enabled
  • Pass-though auth - disabled
  • Cert-based auth - disabled
  • Email as alternate login ID - enabled
  • Password writeback from AAD - enabled

I can confirm that accounts and passwords do stay in sync from our on prem AD to AAD. Users can login into O365 and other Microsoft services fine with their standard username/password. It just doesn't seem to let them log into the laptops themselves. I'm sure there is something I've messed up or am missing here, can anyone point me in the right direction?

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,808 questions
0 comments No comments
{count} votes

1 additional answer

Sort by: Most helpful
  1. Daniel Casbergue 21 Reputation points
    2022-10-05T20:20:02.403+00:00

    @JimmySalian-2011 , I knew I was missing something, looks like I'd have to go full azure joined which is an issue for me with GPOs. I've still got maybe 30-40% of policy on prem as opposed to Intune, and a couple of things I just can't move over. Knowing the root of the issue I found some more detailed explanations & discussions relating to pretty much exactly the thing we're talking about here. Thanks for pointing me in the right direction.