Thank you for posting your query on Microsoft Q&A. From the above description, I understand that you are looking for advice on the authentication flow for hybrid AD joined devices when your DC is down.
Please do correct me for any discrepancies by responding in the comments.
Entra ID supports three types of join states:
- Microsoft Entra joined devices
- Microsoft Entra hybrid joined devices
- Microsoft Entra registered devices
Organizations with existing Active Directory implementations can benefit from some of the functionality provided by Microsoft Entra ID by implementing Microsoft Entra hybrid joined devices. These devices are joined to your on-premises Active Directory and registered with Microsoft Entra ID.
Microsoft Entra hybrid joined devices require network line of sight to your on-premises domain controllers periodically. Without this connection, devices become unusable. If this requirement is a concern, consider Microsoft Entra joining your devices.
Scenarios that break without line of sight to your domain controllers include:
- Device password change
- User password change (Cached credentials)
- TPM reset
A managed environment can be deployed either through Password Hash Sync (PHS) or Pass Through Authentication (PTA) with Seamless Single Sign On.
These scenarios don't require you to configure a federation server for authentication.
If you have configured Pass-Through Authentication (PTA), the password validation request is sent to on-prem AD for validation, so if your DC is not available, authentication to the device would fail.
If you have configured Password Hash Sync (PHS), the password validation request is sent to Entra ID for validation, as Microsoft Entra Connect synchronizes a hash of a user's password from an on-premises Active Directory instance to a cloud-based Microsoft Entra instance.
This would work even if your DC is not in line of sight of the device.
Federated environment
A federated environment should have an identity provider that supports the following requirements. If you have a federated environment using Active Directory Federation Services (AD FS), then the below requirements are already supported.
- WIAORMULTIAUTHN claim: This claim is required to do Microsoft Entra hybrid join for Windows down-level devices.
- WS-Trust protocol: This protocol is required to authenticate Windows current Microsoft Entra hybrid joined devices with Microsoft Entra ID. When you're using AD FS, you need to enable the following WS-Trust endpoints:
/adfs/services/trust/2005/windowstransport
/adfs/services/trust/13/windowstransport
/adfs/services/trust/2005/usernamemixed
/adfs/services/trust/13/usernamemixed
/adfs/services/trust/2005/certificatemixed
/adfs/services/trust/13/certificatemixed
Again, if your DC is down, then AD FS won't be able to get the grant from the DC and your authentication would fail.
- If the user has signed on to the device before, then the device would have a PRT, as during Windows sign-in the Microsoft Entra CloudAP plugin requests a PRT from Microsoft Entra ID using the credentials provided by the user. It also caches the PRT to enable cached sign-in when the user doesn't have access to an internet connection.
# Updated answer from OP
It doesn't work as fault tolerance due to the technical limitations it has, as listed below:
- It creates a new forest with one-way sync with Microsoft Entra ID
- It can only be used for authentication for Azure-based resources like VMs
- It cannot sync with on-prem AD
Please "Accept the answer", "Upvote" and rate your experience. This will help us and others in the community as well.
Thanks,
Akshay Kaushik
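As an added example (not part of the answer above), the following PowerShell performs the two checks implied by it: that the six WS-Trust endpoints are enabled on AD FS, and that a client already holds a cached PRT so it can still sign in while the DC is unreachable. It assumes an elevated session, the `ADFS` module on the federation server for the first function, and `dsregcmd` on a Windows client for the second; the function names are my own.

```powershell
# Added example, not from the original answer. Run Test-AdfsWsTrustEndpoints on an
# AD FS server (ADFS module loaded); run Test-HybridJoinPrtState on the client.

# The six WS-Trust endpoints the answer lists as required for hybrid join.
$RequiredWsTrustEndpoints = @(
    '/adfs/services/trust/2005/windowstransport',
    '/adfs/services/trust/13/windowstransport',
    '/adfs/services/trust/2005/usernamemixed',
    '/adfs/services/trust/13/usernamemixed',
    '/adfs/services/trust/2005/certificatemixed',
    '/adfs/services/trust/13/certificatemixed'
)

function Test-AdfsWsTrustEndpoints {
    # Reports each required endpoint; -Remediate enables any that are disabled.
    param([switch]$Remediate)
    $all = Get-AdfsEndpoint
    $report = foreach ($path in $RequiredWsTrustEndpoints) {
        $ep = $all | Where-Object { $_.AddressPath -eq $path }
        [pscustomobject]@{ AddressPath = $path; Enabled = [bool]($ep -and $ep.Enabled) }
    }
    $disabled = $report | Where-Object { -not $_.Enabled }
    if ($Remediate -and $disabled) {
        foreach ($d in $disabled) { Enable-AdfsEndpoint -TargetAddressPath $d.AddressPath }
        Restart-Service adfssrv   # endpoint changes take effect after a service restart
    }
    return $report
}

function Test-HybridJoinPrtState {
    # Parses 'dsregcmd /status' into an object so the state can be collected centrally.
    $status = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*(\S+)\s*:\s*(.+?)\s*$') { $status[$Matches[1]] = $Matches[2] }
    }
    $domain = $status['DomainJoined'] -eq 'YES'
    $cloud  = $status['AzureAdJoined'] -eq 'YES'
    [pscustomobject]@{
        DomainJoined  = $domain
        AzureAdJoined = $cloud
        HybridJoined  = $domain -and $cloud
        HasCachedPrt  = $status['AzureAdPrt'] -eq 'YES'   # cached sign-in possible offline
        PrtUpdated    = $status['AzureAdPrtUpdateTime']
    }
}

Test-AdfsWsTrustEndpoints | Format-Table
Test-HybridJoinPrtState
```

A device reporting `HybridJoined` true but `HasCachedPrt` false has no cached PRT to fall back on, so its users should sign in once while the DC and internet are reachable before an outage.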