DannyArroyo-3073 asked:

How do I join my Windows 10 devices as "Azure AD Joined", and what is the proper way for users to log in to these devices?

Hello. As with many other institutions, we are planning to join our Windows 10 desktops to Azure AD and auto-enroll them into MS Intune. We have an on-prem AD and would like to Hybrid Join our workstations. We have a VPN set up for remote access to the office. The only machines currently joined to AAD are the test devices I have been using. I have tested joining via "Accounts/Access Work or School", but I prefer the on-prem GPO method (with a group of machines in "Security Filtering") because it's less user interaction. We have Azure AD Sync running on our DC. We also set up a user group that is associated with the "Device Restrictions Policy" and our "Compliance Policy" in MS Intune.

We have three types of machines as shown below:
1. Office desktops that have been moved to employees' homes. These machines are joined to on-prem AD.
2. Office laptops that are being used in employees' homes. These machines are joined to on-prem AD and may also be AAD Registered because the user logged into Office 365.
3. Brand new laptops that are sent directly to employees' homes. These laptops are being joined to on-prem AD. They may also be AAD Registered because the user logged into Office 365 or entered their work email during the initial setup of Windows.

My questions are:

  1. Will Hybrid AAD Join work well for all three categories of machines listed above?

  2. Once a machine is Hybrid Joined, will the user be able to log in with their on-prem AD credentials? (For ex., if we enable Always On VPN and the user logs in using on-prem AD credentials.) Also, will the user have the option to log in with their AAD credentials? (For ex., if a user tries to log in while Wi-Fi is connected but the VPN is not connected.)

  3. Let's say an on-prem domain-joined laptop/desktop is sent to a user's home. This user has never logged into this device, but the device is Hybrid Joined (via the on-prem GPO settings). Will the user be able to log in with AAD credentials, given that there are no on-prem cached credentials and VPN is not enabled?

  4. Also, will the local user profile be different for the AAD login vs. the on-prem AD login?

  5. We use Google Apps and allow our users to enable email aliases. The email alias is stored in the on-prem "mail" attribute. A custom on-prem AD attribute is populated with the by our Identity System (in order to have a record of the default email address). Of course, the userPrincipalName contains the It seems that this may cause some issues because some users are entering their default email address and others enter their alias. Can AAD accept both mail attributes and associate them with the same AAD user? Any advice is appreciated.

  6. We want to use MS Intune to enable Always on VPN. Any advice is appreciated.

  7. I have been reading that AD credentials are cached for 30 days but can be adjusted. Should we be adjusting this value in the scenario I am describing?

Any advice is appreciated.


LuDaiMSFT-0289 commented:

@DannyArroyo-3073 This is Intune support; for this case, it is more related to Azure AD. I can only give some advice on question 6. To deploy Always On VPN, we can read the following article as a reference.

So, it is suggested to post again and only add the Azure AD tag. It will get more effective help. Thanks.


DannyArroyo-3073 commented:

@LuDaiMSFT-0289 Thanks for your response and the link.

I will re-post as you suggested.

vipulsparsh-MSFT answered:

@DannyArroyo-3073 Thanks for reaching out, I will try to answer them according to your points.

1) Your first and second machine scenarios will work provided they are within the cached logon timeline (you can consider increasing it if you do not have any VPN being deployed). The third device scenario, where the device has not been logged on with the user and there is no VPN, would be a problem, as for auth the device needs to have LOC with the DC. Obviously this would be fixed when you start using this.

2) If the device is Hybrid AD Joined, the credential used will always be on-prem.

3) No, a Hybrid device needs to auth the user against the DC first.

4) There will be an on-prem user profile.

5) You need to choose one which is constant and use that instead. You can look into alternate login ID feature for reference.

6) Enable auto-enrollment to Intune, so that a device which gets to AAD via AAD Join or Hybrid AAD Join gets auto-enrolled to Intune. You can then use a dynamic device group to push out that Always On policy. Check this reference article for creating a VPN profile for hybrid.

7) Only if you think the user is going to be that delayed in logging in the second time. No issues if you plan for VPN for hybrid, as then this would work even in password change scenarios.

Let me know if you have some other questions.

If the suggested response helped you resolve your issue, please do not forget to accept the response as Answer and "Up-Vote" the answer that helped you, for the benefit of the community.
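Point 6 above hinges on a dynamic device group that contains only Hybrid Azure AD joined devices, so that the Always On VPN profile never lands on a machine that is merely Azure AD registered (the state the poster's laptops end up in after an Office 365 sign-in). The script below is an added example, not code from this thread or from Microsoft's referenced article: it builds that group with the Microsoft Graph PowerShell SDK using the `device.deviceTrustType` membership rule, lists what the rule matched, and assigns an existing Intune device configuration profile to it. The group name and the profile id are assumptions (the id is a placeholder to be looked up with `Get-MgDeviceManagementDeviceConfiguration`).

```powershell
# Added example (not code from this thread): build the dynamic Azure AD device
# group that answer 6 refers to and assign an existing Intune VPN profile to it.
# Requires the Microsoft.Graph PowerShell SDK (Microsoft.Graph.Groups and
# Microsoft.Graph.DeviceManagement modules) and an admin with the scopes below.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "DeviceManagementConfiguration.ReadWrite.All"

# Azure AD exposes the join type as device.deviceTrustType:
#   "ServerAd"  = Hybrid Azure AD joined (on-prem domain joined and registered in AAD)
#   "AzureAd"   = Azure AD joined (cloud-only join)
#   "Workplace" = Azure AD registered (what a laptop becomes after a user merely
#                 signs in to Office 365 apps with a work account)
# Only hybrid-joined Windows devices should receive the Always On VPN profile,
# so the rule filters on ServerAd and on the OS type.
$membershipRule = '(device.deviceTrustType -eq "ServerAd") -and (device.deviceOSType -eq "Windows")'

$groupName = "Devices-HybridJoined-Windows"      # assumed name; pick your own

$group = New-MgGroup `
    -DisplayName $groupName `
    -Description "Dynamic: Hybrid Azure AD joined Windows devices (Intune targeting)" `
    -MailEnabled:$false `
    -MailNickname ($groupName -replace '[^A-Za-z0-9]', '') `
    -SecurityEnabled:$true `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $membershipRule `
    -MembershipRuleProcessingState "On"

Write-Host "Created dynamic group $($group.DisplayName) ($($group.Id))"

# Membership is evaluated asynchronously by the directory, so a freshly created
# group stays empty for a few minutes. Re-run this part later and confirm that
# every member reports trustType ServerAd before relying on it for assignment.
$members = Get-MgGroupMember -GroupId $group.Id -All
foreach ($m in $members) {
    "{0,-30} {1}" -f $m.AdditionalProperties['displayName'], $m.AdditionalProperties['trustType']
}

# Assign an existing Intune device configuration profile (the Always On VPN
# profile built from the referenced article) to the group. The profile id is a
# placeholder: look it up with Get-MgDeviceManagementDeviceConfiguration.
$vpnProfileId = "<ID-OF-YOUR-ALWAYS-ON-VPN-PROFILE>"   # placeholder, not a real id

$assignment = @{
    target = @{
        "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
        groupId       = $group.Id
    }
}
New-MgDeviceManagementDeviceConfigurationAssignment `
    -DeviceConfigurationId $vpnProfileId `
    -BodyParameter $assignment
```

Keeping the rule on `ServerAd` rather than on a device-name pattern means a machine that is later re-imaged or joined the wrong way drops out of scope automatically, and the membership listing is the check to run before the VPN profile goes live.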


DannyArroyo-3073 commented:

@vipulsparsh-MSFT Thanks for your quick reply. Great information, especially the "Alternate Login ID" feature. I am currently reviewing these links with the team.

Some other concerns I have:

  1. We have been installing our VPN client on our laptops and some desktops (the desktops that were sent to users' homes). When I go through the process and enable Always On VPN, will there be any issues if the VPN client is already installed?

  2. Let's say that we join our on-prem domain-joined Windows 10 devices as AAD Joined. In that case a user can log in with their AAD user account, correct? (As long as the AAD user object exists and the user account is in the provisioned AD group, of course.)

  3. Also, the user can log in to the same device with their on-prem AD credentials, correct?

  4. If #2 and #3 are true, then will the user have two user profiles on the machine, accordingly?

DannyArroyo-3073 answered:

I also don't want a user calling to report that they can't log in to their device. For example, let's say a user's on-prem account password has expired (and their on-prem AD password is cached locally). A user may feel like, "Well, I can still log in, so I'm not going to change my password."

Over a month passes by where the user was out of the virtual office without using their work device. They come back to the virtual office and, as luck would have it, we are having a serious problem with our VPN. At this point the cached password has expired (in addition to the on-prem account password) and the user does not have a VPN connection to reach the DC, so login is denied. The only option would be having the user log in with a local account, but we want to try to avoid the call (if possible).

Rare case, but sometimes things happen (Murphy's Law). If we go with Hybrid AD Join, what are the chances of a user being in a situation where they can't log in to their device?
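The scenario in this post, and points 1, 3 and 7 of the answer above, all come down to two things an admin can measure rather than guess at: how a given device is joined and how many logons it will cache, and which on-prem accounts are drifting toward an expired password without having talked to a DC. The script below is an added example, not code from this thread. `Get-CachedLogonState` runs on the Windows 10 device and parses `dsregcmd /status` plus the `CachedLogonsCount` value behind "Interactive logon: Number of previous logons to cache" (a count of distinct users, default 10, not a number of days). `Get-CachedLogonRiskUsers` runs from an admin workstation with the RSAT ActiveDirectory module and lists accounts whose password expires within a window and whose last DC logon is older than a threshold. Both function names and the 14/30-day thresholds are assumptions.

```powershell
# Added example (not code from this thread): two checks for the "cached logon
# aged out + password expired + VPN down" situation described in the post.
#
# 1. Get-CachedLogonState: run on the Windows 10 device (e.g. before shipping it)
#    to report its join state and how many interactive logons Windows will cache.
#    The policy is "Interactive logon: Number of previous logons to cache",
#    stored as CachedLogonsCount under Winlogon (default 10). It counts distinct
#    users, not days.
# 2. Get-CachedLogonRiskUsers: run from an admin workstation with the RSAT
#    ActiveDirectory module to list on-prem accounts whose password expires soon
#    and who have not authenticated against a DC recently, i.e. the users most
#    likely to hit the lockout scenario. Thresholds are assumed values.

function Get-CachedLogonState {
    # dsregcmd /status is the built-in tool that reports AzureAdJoined,
    # DomainJoined and whether the user currently holds a Primary Refresh Token.
    $status = & dsregcmd.exe /status
    $fields = @{}
    foreach ($line in $status) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|AzureAdPrt|TenantName)\s*:\s*(.+?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $cached) { $cached = 10 }   # Windows default when the value is absent

    $joinType = if ($fields['AzureAdJoined'] -eq 'YES' -and $fields['DomainJoined'] -eq 'YES') { 'Hybrid Azure AD joined' }
                elseif ($fields['AzureAdJoined'] -eq 'YES') { 'Azure AD joined' }
                elseif ($fields['DomainJoined'] -eq 'YES') { 'Domain joined only (not yet hybrid)' }
                else { 'Not joined' }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        JoinType          = $joinType
        AzureAdPrt        = $fields['AzureAdPrt']
        CachedLogonsCount = [int]$cached
    }
}

function Get-CachedLogonRiskUsers {
    param(
        [int]$ExpiresWithinDays = 14,   # assumed: password expiry window to flag
        [int]$IdleDays          = 30    # assumed: no DC logon for this long => living on cached creds
    )
    Import-Module ActiveDirectory

    $now = Get-Date
    # lastLogonTimestamp is replicated with up to ~14 days of lag, so treat it as
    # a coarse "has this user reached a DC lately" signal, not an exact time.
    Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
               -Properties 'msDS-UserPasswordExpiryTimeComputed', 'lastLogonTimestamp', 'mail' |
      ForEach-Object {
        $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
        # Int64.MaxValue means "never expires" under a fine-grained policy; FromFileTime would throw on it.
        $expiry = if ($raw -and $raw -lt [Int64]::MaxValue) { [DateTime]::FromFileTime($raw) }
        $lastDc = if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) }
        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            Mail            = $_.mail
            PasswordExpires = $expiry
            LastDcLogon     = $lastDc
        }
      } |
      Where-Object {
        ($_.PasswordExpires -and $_.PasswordExpires -le $now.AddDays($ExpiresWithinDays)) -and
        (-not $_.LastDcLogon -or $_.LastDcLogon -le $now.AddDays(-$IdleDays))
      } | Sort-Object PasswordExpires
}

# Usage: the first call belongs on the endpoint, the second on an admin box.
Get-CachedLogonState | Format-List
Get-CachedLogonRiskUsers -ExpiresWithinDays 14 -IdleDays 30 | Format-Table -AutoSize
```

A device that reports "Domain joined only (not yet hybrid)" has not completed the hybrid registration the GPO was supposed to trigger, which is the state a brand-new laptop sits in until it has reached a DC; the risk-user report is what turns the "Murphy's Law" case into a short list of people to nudge toward a password change while the VPN is still healthy.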
