Getting rid of classic on-Domain Cached Credentials for Azure device login

MFBeatnik 1 Reputation point

Hi folks, hope you can help - I've been turning up a blank for my question everywhere I look.

I would like to turn off traditional cached credentials and use AAD login/password to access the laptop when on-domain and off-domain, but I simply cannot find information on whether this is possible or not.

  • I have a normal AD domain joined laptop.
  • Traditionally, I would use cached credentials to be able to log in when "off-domain".
  • We also have ADConnect with Password Hash set up.
  • When attached to the corp network, I would like to log in with normal login (domain\user) or the Azure style UPN (user@keyman .com) and access all on-domain resources. I don't mind if we have to move to UPN only.
  • When roaming (off corp network) I would still be able to login with the same UPN, so I can get access to my local profile on the laptop, and access any resources that are still presented through AAD.

I have a hybrid joined laptop, but it will not let me log in as the user off domain (states that domain could not be contacted, as it's looking for my on-domain AD server it seems).

Is it possible? How can I achieve this?


1 answer

  1. Jason Wroot 1 Reputation point

    Unfortunately there is no way around this. A Hybrid joined laptop still has to communicate directly (line of sight) with an AD DC to update cached creds.

    The only feasible way I've seen (at the time of writing) is for a laptop to be AAD joined only.
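
An added check, not part of the thread above: before deciding whether to zero out classic cached credentials, it helps to see exactly what join state a laptop is in and how many logons it currently caches. The script below (my example, not Microsoft's or the poster's) parses the output of `dsregcmd /status`, reads the `CachedLogonsCount` value that backs the "Interactive logon: Number of previous logons to cache" policy, and flags the combination the answer warns about: a domain/hybrid joined device with no cached logons would have no way to sign in off-network. The sample `dsregcmd` lines are constructed so the parser can be exercised offline; function names are my own.

```powershell
# Added example: summarise join state and cached-logon policy on a Windows 10/11 device.
# Assumes dsregcmd.exe is present (it ships with Windows); the registry read needs no elevation.

function ConvertFrom-DsregcmdStatus {
    param([string[]]$Lines)
    # dsregcmd /status prints "Key : Value" pairs in several sections; keep the first
    # occurrence of each key so later sections cannot overwrite the Device State block.
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$' -and -not $state.ContainsKey($Matches[1])) {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Get-DeviceJoinSummary {
    param(
        # Default runs the real tool; pass captured lines to analyse another machine's output.
        [string[]]$StatusLines = (& dsregcmd.exe /status)
    )
    $s = ConvertFrom-DsregcmdStatus -Lines $StatusLines

    # CachedLogonsCount is the registry value behind the GPO
    # "Interactive logon: Number of previous logons to cache". 0 disables classic
    # cached credentials; when the value is absent Windows behaves as if it were 10.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $cached) { $cached = 10 }

    $domainJoined = $s['DomainJoined']  -eq 'YES'
    $aadJoined    = $s['AzureAdJoined'] -eq 'YES'
    $mode = if ($domainJoined -and $aadJoined) { 'Hybrid Azure AD joined' }
            elseif ($aadJoined)                { 'Azure AD joined' }
            elseif ($domainJoined)             { 'Domain joined only' }
            else                               { 'Not joined' }

    # The situation described in the answer: a domain-joined or hybrid device refreshes
    # cached creds only with DC line of sight, so zero cached logons means no offline sign-in.
    $warning = if ($domainJoined -and [int]$cached -eq 0) {
        'Off-network logon will fail: device depends on on-prem AD and caches no logons.'
    } else { $null }

    [pscustomobject]@{
        JoinMode          = $mode
        DomainName        = $s['DomainName']
        CachedLogonsCount = [int]$cached
        Warning           = $warning
    }
}

# Constructed sample of a hybrid joined device's Device State section (not real output
# from any particular machine); on a live box call Get-DeviceJoinSummary with no arguments.
$sampleStatus = @(
    '+----------------------------------------------------------------------+',
    '| Device State                                                         |',
    '+----------------------------------------------------------------------+',
    '             AzureAdJoined : YES',
    '          EnterpriseJoined : NO',
    '              DomainJoined : YES',
    '                DomainName : CORP'
)
Get-DeviceJoinSummary -StatusLines $sampleStatus | Format-List
```

On a hybrid joined laptop the summary will report `JoinMode = Hybrid Azure AD joined`, and if the policy has been set to 0 the `Warning` field states the problem the answer describes; the registry value is read from the local machine regardless of which status lines are analysed, so run it on the laptop in question.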