SSO on Azure without joining Azure on device with OnPremise domain

Temny Pan 6 Reputation points
2022-04-13T12:06:24.08+00:00

Hi,
I work as IT manager for a small country with own infrastructure and on prem domain. The company is now part of a big corporation where no one communicates with me directly, only sends mass emails like "every app is required to use Azure SSO now". That is an issue- I don't have Azure management credentials, and really worry about consequences and struggles joining Azure AD can bring. I tried adding Azure account to windows but got error 8018004- which I found means the device is treated like personal and joining personal devices is not allowed. But I noticed interesting thing- when I once installed MS Teams, used corporate account and checked "Allow My Organization To Manage My Device" my login method changed from domain credentials to PIN (Azure). However, I can't reproduce this method as it is now also failing with 8018004.
Why it is now failing? Can I somehow let users sign in with their Azure AD accounts? Can I still keep my domain separate from Azure AD?

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,060 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,094 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Eric Woodruff 266 Reputation points
    2022-04-21T14:03:05.477+00:00

    Hi there,

    It certainly seems like your management has put you in a tough position. It sounds like you may have gone through a process of Azure AD registering your work device, which is generally not a recommended path for domain-joined devices.

    The user accounts for things such as Teams, are they sourced from a different Active Directory environment, or are they sourced from the Active Directory you have control over?

    Using either Azure AD Hybrid Join, https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-hybrid-azure-ad-join, or Azure AD Seamless SSO, https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso, are the two mechanisms for organizations to provide corporate-wide SSO to Azure AD/O365 resources.

    To set either of those up, though, you need the users to be sourced from your Active Directory environment, and you need access to the Azure AD Connect server with Global Administrator credentials to configure Azure AD Connect. If the users are in a different Active Directory domain, it further complicates things. If the users are "cloud-native", in that they are not sourced from Active Directory, the recommendation would be to go through a process of connecting them to your Active Directory users, unless there is a bigger plan to perform a domain migration with your merger & acquisition scenario.

    It may feel complicated, especially if you do not have a lot of experience with Azure AD, but sorting these things out using a recommended method is going to provide the least headache long-term. If you want to elaborate further on what the environments look like from an Active Directory perspective, please feel free to do so and we can talk this out further here.