Win 10, Domain Joined, Hybrid AD Join, Login without DC

Joe Robinson 1 Reputation point

Greetings: I have a scenario that I believe should be possible, but I was hoping if someone could confirm. Environment is an on-prem forest, thousands of machines. We have a footprint in azure with AD Connect synchronizing. Machines are Hybrid AD Joined.

| Device State | 
AzureAdJoined : YES 
EnterpriseJoined : NO 
DomainJoined : YES 
DomainName : <netbios domain name> 
Device Name : <machine.fqdn> 

I'm looking to find a way to get a user into a new device once they receive it. They will not have visibility to a domain controller, but they should have internet access with an azure ad account sync'd from AD Connect.

To be clear, I'm not looking to gain access to any specific resources on prem - I just need to get the user logged into the machine.

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
3,650 questions
Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,144 questions
Azure Active Directory
Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
12,740 questions
{count} votes

2 answers

Sort by: Most helpful
  1. VipulSparsh-MSFT 15,961 Reputation points

    @Joe Robinson Thanks for reaching out. if your machines are hybrid AAD join, the device must be line of sight of domain control in order to be able to login using on-prem account.

    If you need to login with AAD account, the device needs to be AAD joined. For any on-prem synced account, the device still needs to be able to get to a DC.

    You can use a VPN profile from a MDM like Intune to be able to allow the login.


    If the suggested response helped you resolve your issue, do click on "Mark as Answer" and "Up-Vote" for the answer that helped you for benefit of the community.

  2. Tiago Quadra 1 Reputation point

    Hijacking someone else topic here.

    I am facing the same challenge/requirement. I want my users to be able to log in to a remote device before the credentials are cached from the on-prem DC (that required VPN).

    I did not try the autopilot yet, all devices were already provisioned and on-prem joined only, we are moving to the Hybrid Join setup.

    So, the devices were joined to the on-prem domain using VPN. The device object is synced to Azure AD using Ad Connect Sync. The hybrid join is working and confirmed (as far as I can tell, from SSO, status on Azure AD, dsregcmd /status). Intune also working (enrollment using GPO).

    I was able to log in as a new user (non-cached credentials) on some devices, but some didn't work. So far unable to understand what's the difference between both, but it looks to me the non-cached/unreachable on-prem login is possible for Hybrid Joined devices.

    Just posting to FYI and maybe someone has suggestions as to troubleshooting what can be different in each device that causes the different behaviour.