Effect of expired machine account passwords on Azure AD domain-joined status?

Denis Hackney 111 Reputation points

If a domain-joined device is out of contact with the domain for long enough that its machine account password expires, will it also lose domain-joined status in Azure AD?

We've recently had a significant number of people take their work-issued laptops home to start working remotely (for obvious reasons) - all these devices are Hybrid Domain Joined to Azure AD, synced via AAD Connect. We have conditional access policies configured in AAD to limit access to certain apps to domain-joined devices.

Most users are regularly connecting back into the domain via VPN, so they shouldn't have any problems. The thing we're not sure about though is: if a user doesn't connect their device to the VPN (or office LAN) for so long that their machine account password expires and the device loses its trust relationship with the domain, will AD recognise that and sync the change in device status up to AAD, resulting in the device no longer showing as domain-joined in AAD, causing the user to lose access to the apps that require a domain-joined device? Or will AD not notice any change in the state of the device until it re-establishes contact, so it will continue to be recognised as domain-joined in AAD until that happens?

I've done a bunch of reading and found lots of info about machine account passwords and AAD domain-joined devices, but little if anything on how the two influence each other...

Azure Active Directory
Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
14,700 questions
0 comments No comments
{count} votes

Accepted answer
  1. Denis Hackney 111 Reputation points

    Ended up submitting a support request via the Azure portal for this one - response included below. In our case we're using PHS, so according to this we shouldn't have any problems.

    Do you use PHS, PTA or ADFS?

    The device status shown on Azure portal will not change if the password expires and it does not connect to DC. It will also show as hybrid joined. However, when device based CA policy is assessed, we check the device status with the information contained in the AAD PRT.

    Think of this scenario – The password of an user account has expired and the device cannot connect to DC. No password expiry warning will be prompt out when user log onto the device with the old password. The user is not able to change the password because the connection is DC is unavailable. Thus, the user needs to use the old password to log onto the device (It is feasible because of the local cache). This user now wants to access certain apps with device based CA policy enabled.

    1. If you are using PHS for authentication, you will still be able to access those apps. As if we PHS, password hash is synced to AAD from AD. No password change happens in AD as well as in AAD. Authentication to AAD with old password will still success. The device can also get the AAD PRT. When assessing CA policy, it will still recognize the device as a hybrid join device.
    2. If you are using PTA for authentication and you have enabled Password write back, you are able to change the password on the cloud. You are able to access those apps. In this scenario, you need to logon the device with the old password and access the app using the new password which is annoying.
      If you haven’t enabled password write back, you are not able to access the app. It will prompt out the following message “Your organization doesn't allow you to update your password on this site. Update it according to the method recommended by your organization, or ask your admin if you need help." After you update your password on the cloud, the new password will be written back to your AD”.
    3. Also for ADFS, you are not able to access the app.

    Actually we do not suggest to take hybrid joined devices out of the office but for obvious reasons we have to do this at this period of time.

    1 person found this answer helpful.
    0 comments No comments

2 additional answers

Sort by: Most helpful
  1. Daniele Bona 6 Reputation points

    In any case cached password in the computer is updated only when computer connects to old DC.

    0 comments No comments

  2. divadiow2 1 Reputation point

    We've a similar situation. Out of 150 newly-enrolled hybrid devices in use at home, 4 have come back with domain trust failure issues. Connect the devices to internal LAN and theyre fine again straight away, without having to rejoin domain.

    Devices can see a DC from a pre-logon tunnel and from full VPN, which all connect to daily, so not sure what the issue is yet.

    0 comments No comments