AAD joined machine, access on-premises resources

Shakkeer Chalakkandi 1 Reputation point
2024-04-02T01:51:54.34+00:00

I have a hybrid setup where the Domain Controller (DC) and Exchange are on-premises, but I also utilize some services in Azure and Office 365, such as MFA, Teams, and SharePoint Online. Recently, I had a user join from another country, and I asked him to join Azure Active Directory (AAD) so that he could log in with his email address and password. However, when he came to the office, he couldn't access our file server and other internal applications using those credentials. Instead, I had to rejoin his device to the internal domain. Is there a solution to overcome this issue?

Exchange | Hybrid management
Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

Marcin Policht 50,735 Reputation points MVP Volunteer Moderator
    2024-04-02T02:00:22+00:00

    In general, this actually should work - as per https://learn.microsoft.com/en-us/entra/identity/devices/device-sso-to-on-premises-resources

    However, review the following section of the aforementioned document:

    What you should know

    • You may have to adjust your domain-based filtering in Microsoft Entra Connect to ensure that the data about the required domains is synchronized if you have multiple domains.
    • Apps and resources that depend on Active Directory machine authentication don't work because Microsoft Entra joined devices don't have a computer object in AD DS.
    • You can't share files with other users on a Microsoft Entra joined device.
    • Applications running on your Microsoft Entra joined device may authenticate users. They must use the implicit UPN or the NT4 type syntax with the domain FQDN name as the domain part, for example: ******@contoso.corp.com or contoso.corp.com\user. If applications use the NETBIOS or legacy name like contoso\user, the error the application gets is either NT error STATUS_BAD_VALIDATION_CLASS - 0xc00000a7 or Windows error ERROR_BAD_VALIDATION_CLASS - 1348 "The validation information class requested was invalid." This error happens even if you can resolve the legacy domain name.

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

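A diagnostic script for the situation in the question, added here as an example; it is not from this thread or from the Microsoft document the answer cites. It assumes the on-premises AD DNS name is contoso.corp.com (the placeholder used in the answer), that it runs as the signed-in user on the Entra joined device while on the corporate network, and it reads the device state from the dsregcmd, klist, DNS and TCP checks that the cited prerequisites (line of sight to a DC, a PRT, a Kerberos TGT, FQDN or UPN logon syntax) depend on.

```powershell
# Added diagnostic, not part of the original thread or of the Microsoft document it cites.
# Assumptions: the on-premises AD DNS name is contoso.corp.com (placeholder taken from the
# answer); run as the signed-in user on the Entra joined device while on the corporate network.
param([string]$AdDomainFqdn = 'contoso.corp.com')

# Pull one "Name : Value" field out of the dsregcmd /status output.
function Get-DsregValue([string[]]$Lines, [string]$Name) {
    foreach ($line in $Lines) {
        if ($line -match "^\s*$([regex]::Escape($Name))\s*:\s*(.+?)\s*$") { return $Matches[1] }
    }
    return $null
}

# Classify the logon name format a user or application supplies. The NETBIOS style
# (contoso\user) is the case the cited document says fails on Entra joined devices.
function Test-LogonNameFormat([string]$LogonName, [string]$DomainFqdn) {
    if ($LogonName -match '^[^\\@]+@[^\\@]+$') { return 'UPN' }            # user@contoso.corp.com
    if ($LogonName -match '^([^\\]+)\\[^\\]+$') {
        if ($Matches[1] -ieq $DomainFqdn) { return 'NT4-FQDN' }            # contoso.corp.com\user
        return 'NT4-NETBIOS'                                               # contoso\user (expected to fail)
    }
    return 'Unknown'
}

$status = dsregcmd /status
$report = [ordered]@{
    AzureAdJoined = Get-DsregValue $status 'AzureAdJoined'   # YES on an Entra joined device
    DomainJoined  = Get-DsregValue $status 'DomainJoined'    # NO: no computer object in AD DS
    AzureAdPrt    = Get-DsregValue $status 'AzureAdPrt'      # YES: user holds a Primary Refresh Token
    OnPremTgt     = Get-DsregValue $status 'OnPremTgt'       # YES: Kerberos TGT for AD was obtained
}

# Line of sight to a domain controller: the DC locator SRV record must resolve on this network.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$AdDomainFqdn" -Type SRV -ErrorAction SilentlyContinue
$report.DcLocatorSrv = if ($srv) { $srv[0].NameTarget } else { 'NOT RESOLVED' }
if ($srv) {
    $report.KerberosPort88 = (Test-NetConnection -ComputerName $srv[0].NameTarget -Port 88 `
        -WarningAction SilentlyContinue).TcpTestSucceeded
}

# Kerberos ticket cache: a TGT for the AD realm is what the file server needs from this session.
$report.AdTgtInCache = [bool](klist | Select-String -Pattern "krbtgt/$AdDomainFqdn" -SimpleMatch)

# The three logon name shapes from the cited document (constructed sample values).
foreach ($name in @("user@$AdDomainFqdn", "$AdDomainFqdn\user", 'contoso\user')) {
    $report["LogonFormat[$name]"] = Test-LogonNameFormat $name $AdDomainFqdn
}

[pscustomobject]$report | Format-List
```

A NO for AzureAdPrt or OnPremTgt, or an unresolved DC locator record, points at the prerequisite that is missing before the device is rejoined to the on-premises domain.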
