I would love to understand how you use NLA with AAD if the local machine is not domain joined. It seems like in the Microsoft account case it is easy out of the box, i.e., if the remote machine has NLA turned on, is not AAD joined, and has the Microsoft account added to it, and that account is in either the Administrators or Remote Desktop Users group, then it can accept a connection from that account from a local computer where the user enters those credentials to connect.
In AAD, this use case is soul crushing - at least for me. Here is my example:
I have added Guest user from don.quixote@windmill.com (which is an AAD tenant) to the AAD tenant holygrail.com
I have made don.quixote@windmill.com a global admin on holygrail.com
So, on the one hand, Windows 10 tells you how insecure turning off NLA is - but if I turn it on, then unless the local machine is also domain joined, I am unable to connect to a remote machine that is AAD joined from a local machine that is not, with NLA on. I would greatly appreciate any help with specific procedural documentation on how the local and remote machines need to be configured to enable this use case.
Thanks.
Can AAD tenant holygrail.com guest user don.quixote@windmill.com log into a Windows 10 machine which is joined to holygrail.com as guest user don.quixote@windmill.com?
Because this use case does not work for me, I would appreciate either "no, this doesn't work in Windows 10, and despite the terabytes of documentation on Azure B2B, it isn't referring to this core feature that is soul crushing me" or "yes, and here is the procedure other than what I have done above". Much appreciated.
I understand that it is possible that the functionality you see with Microsoft accounts and Windows 10 is more complicated when trying to accomplish that with AAD - not sure, because there is almost ZERO documentation out there that hints at this issue - but for example, when you add a Microsoft account to a machine it shows up everywhere a local account does in terms of being a "user" you can add to groups, etc., but an AAD account doesn't work that way: you need to add it to groups via the command line, and again, only when the machine is domain joined, and you can only add "users" of the AAD tenant, not guest users of an AAD tenant, to an AAD domain joined machine - at least that is my experience.
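The post describes three checks an administrator ends up doing by hand on the AAD-joined target: confirming the device is actually AAD joined, seeing whether the RDP listener requires NLA, and adding an AAD identity to the Remote Desktop Users group from the command line because AAD accounts are not browsable in the local groups UI. The following PowerShell script is an added example written for this page, not code from the original poster or from Microsoft. It assumes it is run elevated on the Windows 10 machine that is the RDP target and that the account is a member user of the tenant the device is joined to; the user principal name is taken from the post as a constructed value. It does not claim to make the guest (B2B) case work, which is exactly the case the post reports as failing.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on the Windows 10 machine that is Azure AD joined (the RDP target).
# Assumptions: the device is AAD joined to the tenant that owns the account and
# the account is a member user of that tenant. Guest (B2B) users are the case
# the post reports as not working; nothing here changes that.

# 1. Confirm the device's join state. dsregcmd prints an 'AzureAdJoined : YES'
#    line when the machine is Azure AD joined.
$dsreg = dsregcmd /status
$aadJoined = ($dsreg | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*YES').Count -gt 0
if (-not $aadJoined) {
    throw 'This machine is not Azure AD joined; AzureAD\<UPN> principals will not resolve here.'
}

# 2. Check whether NLA is required on the RDP-Tcp listener.
#    UserAuthentication = 1 means the client must authenticate (CredSSP) before
#    a session is created; 0 is the setting Windows warns about, because any
#    client can reach the logon screen unauthenticated.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication
Write-Host "NLA required on RDP-Tcp: $([bool]$nla)"

# 3. Grant an AAD member user remote desktop rights. AAD identities do not show
#    up in the Local Users and Groups picker, so add them with net localgroup
#    using the AzureAD\<UPN> principal form.
$upn = 'don.quixote@windmill.com'   # constructed value taken from the post
$principal = "AzureAD\$upn"
net localgroup 'Remote Desktop Users' $principal /add
if ($LASTEXITCODE -ne 0) {
    throw "Could not add $principal to Remote Desktop Users (guest/B2B accounts are the case the post reports as failing)."
}

# 4. Verify the membership; net localgroup lists AAD members under the same
#    AzureAD\<UPN> name that was used to add them.
$members = net localgroup 'Remote Desktop Users'
if ($members -match [regex]::Escape($principal)) {
    Write-Host "$principal is now a member of Remote Desktop Users"
} else {
    Write-Warning "$principal was not found in Remote Desktop Users after the add"
}
```

The script deliberately leaves the NLA setting alone and only reports it: the post's concern is how to keep NLA enabled, and turning `UserAuthentication` off to make the connection work trades away the pre-session authentication that the warning in Windows is about.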