We have a Hybrid AD setup at the office (local AD + AAD with sync). All computers are "hybrid joined" and register themselves with AAD. User accounts are also synced with AAD.
We have a new employee who's going to work for us from abroad and we'd like to ship them a laptop. AFAIK a new Windows user needs to have SOME connection to the local AD in order to actually log in for the first time, so I'm wondering how to provision the laptop for this new employee.
I feel like I'm faced with a "catch-22" since I need the user to log in, so they can fire a VPN (which is also provisioned) so they can connect to the AD, so they can log in...
What's the "correct" way to handle this sort of scenario? I mean, I can sort of "hack it" - e.g. have the worker create a VPN from their private machine and remotely connect to the laptop via RDP while the laptop is physically connected to our internal network, thus provisioning the user for this employee. But this feels like a workaround, rather than a genuine solution.
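As an added example (not part of the original post, and not an answer to it), here is a PowerShell pre-ship check that verifies the conditions the question is built on: that the laptop is actually hybrid joined, that it can currently reach a domain controller, that credential caching has not been disabled by policy, and that the new user has already completed an interactive logon on this device (the event that populates the cached credential, which is what the "log in once while on the network" workaround relies on). It assumes it is run elevated on the laptop while it is on the corporate network; `CONTOSO\jdoe` is a placeholder account name.

```powershell
# Added example, not from the original post. Run elevated on the laptop while it is on-prem.
# $NewUserSam is an assumed placeholder; replace it with the new employee's DOMAIN\sAMAccountName.
param(
    [string]$NewUserSam = 'CONTOSO\jdoe'
)

$result = [ordered]@{}

# 1. Join state as reported by the built-in dsregcmd tool.
#    "Hybrid joined" means both DomainJoined and AzureAdJoined report YES.
$ds = dsregcmd /status
$result.DomainJoined  = ($ds | Select-String -Pattern '^\s*DomainJoined\s*:\s*YES').Count  -gt 0
$result.AzureAdJoined = ($ds | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*YES').Count -gt 0

# 2. Can the laptop reach a domain controller right now? A first-ever domain logon needs this.
$domain = (Get-CimInstance Win32_ComputerSystem).Domain
nltest /dsgetdc:$domain *> $null
$result.DcReachable = ($LASTEXITCODE -eq 0)

# 3. Cached logons policy. A value of 0 disables caching, so an off-network logon would fail
#    even after a prior on-network logon. The value is absent when the default (10) applies.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
$result.CachedLogonsCount = if ($null -eq $cached) { 10 } else { [int]$cached }

# 4. Has the new user already logged on interactively on this machine? A local profile for the
#    user's SID is the observable trace of that logon. Resolving the SID itself needs a DC.
try {
    $sid = (New-Object System.Security.Principal.NTAccount($NewUserSam)).
               Translate([System.Security.Principal.SecurityIdentifier]).Value
    $result.UserProfileExists = [bool](Get-CimInstance Win32_UserProfile -Filter "SID='$sid'" -ErrorAction SilentlyContinue)
} catch {
    $result.UserProfileExists = $false   # account could not be resolved (typo, or no DC reachable)
}

# Summary: all four conditions must hold before the laptop can be expected to log the user on offline.
$result.ReadyToShip = $result.DomainJoined -and $result.AzureAdJoined -and
                      $result.CachedLogonsCount -gt 0 -and $result.UserProfileExists

[pscustomobject]$result
```

If `UserProfileExists` is false while the other checks pass, the machine has never seen the user log on, so the only credential Windows could verify offline does not exist yet; that is exactly the gap the question describes. The script only reports state; it does not itself perform the logon or change any policy.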