@Fred Eric S Thanks for reaching out. That is indeed a very common scenario in the current situation.
Since the devices are hybrid Azure AD joined, the machine would need to have direct line of sight to, or be able to communicate with, a DC to authenticate the user when the user tries to log in. This would fail if there is no network connectivity to the corp network to locate a domain controller.
You need something which can enable the end user to set up a VPN to your corp network even before they log in.
You can consider the following 2 scenarios/solutions for this:
1) Hybrid Azure AD join user-driven Autopilot with support of VPN.
2) White Glove Hybrid Azure AD Autopilot (which has 2 parts: a. Technician b. User)
You will need to use Intune to deploy a device-based VPN policy: https://learn.microsoft.com/en-us/mem/autopilot/windows-autopilot-hybrid