hybrid join but can users sign in to laptop with AzureAD credentials?

Question

hybrid join but can users sign in to laptop with AzureAD credentials?

parisv 21

We want to role out new laptops to users using pre provisioning (formerly white glove). And have them joined to our internal domain as well as azure.

The problem is when the user would first get their laptop I can't see how they can sign in as it doesn't have their profile cached.

I've created a windows enrolment profile which is set to join azure ad as hybrid joined

I've created a a domain join profile as documented here: https://learn.microsoft.com/en-us/mem/intune/configuration/domain-join-configure

I've tested a new install of windows and signed in with my azure details which sets the laptop up fine and adds it to our internal active directory then reboots and asks for my domain\ login.

Since it's not on the vpn and only connected to the internet I can't login with that.

What are my options? How can I sign in with my azure ad credentials. Would I have to use AzureAd instead of Hybrid?

If that happens what would happen for the users when they return to the office for example if they wanted to print or access a file share or run an internal app that authenticates to ad.

Accepted answer

3 additional answers

Your answer

Answer 1

Jason Sandys 31,411 Microsoft Employee Moderator

How can I sign in with my azure ad credentials.

The systems must be fully Azure AD domain joined for a user to user their AAD account directly.

If that happens what would happen for the users when they return to the office for example if they wanted to print or access a file share or run an internal app that authenticates to ad.

In nearly all cases, it just works. See https://learn.microsoft.com/en-us/azure/active-directory/devices/azuread-join-sso.

As a note, none of this has anything to do with Autopilot.

Jacques Bensimon 1 Reputation point

2021-12-20T19:33:32.01+00:00

By "fully Azure AD domain joined", do you mean "only Azure AD joined and not Hybrid-joined"? Once a machine is hybrid-joined, it seems AD and AAD user credentials become synonymous with each other and logon using either one requires network or VPN access to a domain controller (at least on the first occasion in order to cache the AD credentials, policies, etc.)
Jason Sandys 31,411 Reputation points Microsoft Employee Moderator

2022-01-03T20:16:09.767+00:00

Once a machine is hybrid-joined, it seems AD and AAD user credentials become synonymous

This is not correct. HAADJ endpoints are only "joined" top the on-prem AD domain and thus on-prem AD user credentials must be used. AAD Connect will sync your on-prem AD accounts to Azure AD so it may seem like you are using an AAD account to login but you aren't and cannot. Thus, nothing changes about the login requirements for an HAADJ endpoint from a classic on-prem ADJ endpoint.

Answer 2

Timmy Andersson 411 MVP

Another way might be to use the fairly new feature in Autopilot "User driven hybrid azure ad join over VPN"

https://learn.microsoft.com/en-us/mem/autopilot/user-driven#user-driven-mode-for-hybrid-azure-active-directory-join-with-vpn-support

https://oofhours.com/2020/06/23/windows-autopilot-user-driven-hybrid-azure-ad-join-over-the-internet-using-a-vpn/

I'm not sure if that works together with white glove tho, I haven't tested it.

Answer 3

parisv 21

I think ultimately we want to move away from a local domain so would prefer users to authenticate with their azure ad credentials but am left wondering how things would work once in the office.

Answer 4

parisv 21

Thanks for the link I have modified the title.

Share via

hybrid join but can users sign in to laptop with AzureAD credentials?

3 additional answers

Your answer