Getting rid of classic on-Domain Cached Credentials for Azure device login

MFBeatnik 1 Reputation point

Hi folks, hope you can help - I've been turning up a blank for my question everywhere I look.

I would like to turn off traditional cached credentials and use AAD login/password to access the laptop when on-domain and off-domain, but I simply cannot find information on whether this is possible or not.

  • I have a normal AD domain joined laptop.
  • Traditionally, I would use cached credentials to be able to log in when "off-domain".
  • We also have ADConnect with Password Hash set up.


  • When attached to the corp network, I would like to log in with normal login (domain\user) or the Azure style UPN (user@keyman.com) and access all on-domain resources. I don't mind if we have to move to UPN only.
  • When roaming (off corp network) I would still be able to login with the same UPN, so I can get access to my local profile on the laptop, and access any resources that are still presented through AAD.

I have a hybrid joined laptop, but it will not let me log in as the user off domain (states that domain could not be contacted, as it's looking for my on-domain AD server it seems).

Is it possible? How can I achieve this?


Microsoft Entra ID

1 answer

  1. Jason Wroot 1 Reputation point

    Unfortunately there is no way around this. A Hybrid joined laptop still has to communicate directly (line of sight) with an AD DC to update cached creds.

    The only feasible way I've seen (at the time of writing) is for a laptop to be AAD joined only.
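
A read-only check of which join state a device is in and how many domain logons it is set to cache, relevant to the hybrid versus AAD-joined distinction discussed in this thread. This is an added example, not part of the original question or answer; the sample `dsregcmd /status` output is constructed, and `Get-JoinState` and `Get-CachedLogonsCount` are hypothetical helper names.

```powershell
# Constructed sample of `dsregcmd /status` output, trimmed to the fields used below.
$sample = @'
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
                AzureAdPrt : YES
'@ -split "`r?`n"

function Get-JoinState {
    param([string[]]$StatusLines)
    # dsregcmd prints "Name : Value" pairs; collect them into a hashtable.
    $fields = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*(\w+)\s*:\s*(.*?)\s*$') { $fields[$Matches[1]] = $Matches[2] }
    }
    $aad = $fields['AzureAdJoined'] -eq 'YES'
    $ad  = $fields['DomainJoined']  -eq 'YES'
    # Both flags set means hybrid joined; only AzureAdJoined means AAD joined only.
    $kind = 'Not joined'
    if ($aad -and $ad) { $kind = 'Hybrid joined' }
    elseif ($aad)      { $kind = 'AAD joined only' }
    elseif ($ad)       { $kind = 'AD domain joined only' }
    [pscustomobject]@{
        JoinType   = $kind
        DomainName = $fields['DomainName']
        AzureAdPrt = $fields['AzureAdPrt']   # YES when a Primary Refresh Token is present
    }
}

function Get-CachedLogonsCount {
    # Winlogon value behind the policy "Interactive logon: Number of previous
    # logons to cache"; returns $null when the value is not present.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    (Get-ItemProperty -Path $key -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
}

# On a real device, pass the live output instead: Get-JoinState -StatusLines (dsregcmd /status)
Get-JoinState -StatusLines $sample
"CachedLogonsCount = $(Get-CachedLogonsCount)"
```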