Hello @Danny Arroyo,
Thanks for reaching out, and apologies for the delayed response.
Please find my inline answers below:
Questions/Concerns:
- I am trying to set up an environment where users will never have a problem logging into their Hybrid AD Joined device. As I understand it, when a device is Hybrid AAD Joined, the user must log in with their on-prem AD account credentials (as opposed to their AAD user account). This is fine for a user who logs onto a device for the first time with Always On VPN enabled and for a user that has their on-prem AD account password cached. But as an example, let's say a user's on-prem AD account password has expired (and their on-prem AD account password is cached locally). A user may feel like "Well, I can still log in, so I'm not going to change my password."
Over a month passes by where the user was out of the virtual office without using their work device. They come back to the virtual office and, as luck would have it, we are having a serious problem with our VPN. At this point the cached password has expired (in addition to the on-prem AD account password) and the user does not have a VPN connection to reach the DC, so login is denied. The only option would be having the user log in with a local account. However, we want to try to avoid this type of call (if possible).
Rare case, but sometimes things happen (Murphy's Law). If we go with Hybrid AD Join, what are the chances of a user being in a situation where they can't log in to their device?
[Ans]: In any case, the cached password on the computer is updated only when the computer connects to a DC.
Do you use PHS, PTA or ADFS?
Think of this scenario: the password of a user account has expired and the device cannot connect to the DC. No password expiry warning will be prompted when the user logs onto the device with the old password. The user is not able to change the password because the connection to the DC is unavailable. Thus, the user needs to use the old password to log onto the device (this is feasible because of the local cache). This user now wants to access certain apps with a device-based CA policy enabled.
- If you are using PHS for authentication, you will still be able to access those apps. With PHS, the password hash is synced to AAD from AD. No password change happens in AD or in AAD. Authentication to AAD with the old password will still succeed. The device can also get the AAD PRT. When assessing the CA policy, it will still recognize the device as a hybrid joined device.
- If you are using PTA for authentication and you have enabled password writeback, you are able to change the password in the cloud. You are able to access those apps. In this scenario, you need to log on to the device with the old password and access the app using the new password, which is annoying.
If you haven't enabled password writeback, you are not able to access the app. It will prompt the following message: "Your organization doesn't allow you to update your password on this site. Update it according to the method recommended by your organization, or ask your admin if you need help." After you update your password in the cloud, the new password will be written back to your AD.
- Also for ADFS, you are not able to access the app.
Other Questions/Concerns:
- We have been manually installing our VPN client on our laptops and some desktops (the desktops that were sent to users' homes). I plan to enable the policy for Always On VPN in MS Intune. Will there be any issues if the VPN client is already installed on a specific device when MS Intune goes to push the VPN client?
[Ans]: There shouldn’t be any issue.
- Let's say that we join our on-prem domain joined Windows 10 devices as AAD Joined instead of Hybrid AAD Joined. In that case a user can log in with their AAD user account, correct? (As long as the AAD user object exists and the user account is in the provisioned AD group, of course.)
[Ans]: Yes, you are right: the user can log in with their AAD user account. To learn more, read "Plan your Azure AD join implementation."
Is it safe to assume that the user can also log in to the same (on-prem domain joined) device with their on-prem AD account credentials?
- If #3 and #4 are true, then will the user have 2 User profiles on the machine, accordingly?
[Ans]: Yes, users would have 2 different profiles on the machine.
I believe that performing an AAD join requires the user to go to "Accounts/Work or School" and click the "+" sign to perform the AAD join. It also means that we can't use on-prem GPOs to manage our device settings. Are there any other issues that we will experience when we perform an AAD join on an on-prem domain joined device? Do we have to remove the device from the on-prem domain before we AAD join? Or remove all the on-prem GPO settings before we AAD join?
[Ans]: Yes, having "DomainJoined" and "AzureAdJoined" coexist on the same Win10 device is not supported. You need to disjoin the current domain in order to join the computer to AAD.
Azure AD Join can be deployed by using any of the following methods:
• Windows Autopilot
• Bulk deployment
• Self-service experience
Hope this helps. Thanks.
----------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
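The lockout scenario discussed in this thread (expired on-prem password, cached sign-in, no path to a DC) is easier to catch before it bites if the device's join state, cached-logon setting, DC reachability and password expiry are checked together. The following PowerShell is an added example, not code from the original answer; it assumes it runs elevated on a Windows 10 domain-joined device with the RSAT ActiveDirectory module available, and $SamAccountName is a placeholder for the account to inspect.

```powershell
param([string]$SamAccountName = $env:USERNAME)  # placeholder: account to inspect

# 1. Join state from dsregcmd /status (field names as printed by the tool).
$status = dsregcmd /status
$joinState = @{}
foreach ($field in 'DomainJoined', 'AzureAdJoined', 'AzureAdPrt') {
    $value = 'UNKNOWN'
    foreach ($line in $status) {
        if ($line -match "^\s*$field\s*:\s*(\S+)") { $value = $Matches[1]; break }
    }
    $joinState[$field] = $value
}

# 2. How many domain logons Windows will cache for offline sign-in (default 10).
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
if (-not $cached) { $cached = '10' }

# 3. Can this device currently talk to a DC? (Requires elevation.)
$dcReachable = $false
try { $dcReachable = Test-ComputerSecureChannel -ErrorAction Stop } catch { }

# 4. When does the on-prem password expire? Only answerable with a DC in reach.
$expiry = 'unknown (no DC / no AD module)'
if ($dcReachable -and (Get-Module -ListAvailable -Name ActiveDirectory)) {
    $u = Get-ADUser -Identity $SamAccountName -Properties msDS-UserPasswordExpiryTimeComputed
    $raw = [long]$u.'msDS-UserPasswordExpiryTimeComputed'
    $expiry = if ($raw -eq [long]::MaxValue -or $raw -eq 0) { 'never' } else { [datetime]::FromFileTime($raw) }
}

[pscustomobject]@{
    DomainJoined      = $joinState['DomainJoined']
    AzureAdJoined     = $joinState['AzureAdJoined']
    AzureAdPrt        = $joinState['AzureAdPrt']
    CachedLogonsCount = $cached
    DcReachable       = $dcReachable
    PasswordExpires   = $expiry
} | Format-List

# Flag the exact condition the thread worries about: hybrid device, DC out of
# reach, and the user relying on a cached (possibly already expired) password.
if ($joinState['DomainJoined'] -eq 'YES' -and -not $dcReachable) {
    Write-Warning "No DC reachable: this sign-in is running on cached credentials; password changes cannot be applied until the VPN/DC path is restored."
}
```

Running this as part of a scheduled compliance or helpdesk script gives an early signal for users whose password is about to expire while they have no DC connectivity, so the VPN problem can be addressed before it becomes a lockout call.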