Forum Discussion
Azure AD Windows 10 and Azure AD Connect
We do use ADFS for the Azure portal. I'm able to log in through Azure with my email/password, but it is federated. I still can't log in with domain-joined devices.
I am not really sure if this is possible, because your users are on-prem. You configured ADFS. When you try to log in, you will be redirected to your on-prem AD. Your devices are only known to AAD. Your on-prem AD does not know these devices, so you cannot log in... so your users are in AD (when you use ADFS it doesn't matter if you sync your password hash) and your devices are not. I would join the devices to your on-prem AD and sync these to Azure AD. Then you have hybrid-joined devices... https://docs.microsoft.com/bs-cyrl-ba/azure/active-directory/devices/hybrid-azuread-join-federated-domains
On these devices you can log in with your synced users!
- AJ Kertis, Dec 03, 2019, Copper Contributor
Tommek, I was under the impression that the hash sync fixed this, so the password hash was in the cloud. Is this not the case? We have that enabled with Azure AD Connect. Also, I want to log in through Azure AD because I will have some Azure VMs joined to Azure AD. I can't seem to find a straight answer on whether the password hash sync will allow the password to be the same in the cloud as in on-prem AD.
- Kelvin Papp, Dec 08, 2019, Brass Contributor
To hopefully clarify your understanding here, synchronising your passwords is advantageous, but doesn't work in quite the way (I think) you are implying...
Having a copy of the password hash in the cloud when you have ADFS enables two things:
- Leaked Credential Protection
- The option to disable federation in case of ADFS failure so that users can continue to authenticate with the same username / password combination (albeit without SSO, and without delegation to your on-premises environment)
As long as federation is enabled for your domain, authentication will be directed to your ADFS servers, irrespective of the resource you are signing on to. PHS doesn't result in some auth requests being processed in the cloud and some on-prem. My reading of your reply suggests you think this is the case?
Kelvin
- Tommek, Dec 05, 2019, Brass Contributor
OK... maybe I misunderstood... When you use AD Connect to sync your users (with password hash) from on-prem AD to AAD, then you are able to log in to your on-prem domain and to Azure AD with the same UPN, for example user@yourdomain.com. When you use ADFS then you do not need to sync your passwords, only user objects. Then you are also able to log in on-prem and in AAD with the same UPN. But it is important that your UPN is correct. For example: user@domain.com will be synced to AAD. When in your tenant domain.com is not available, then your user UPN will be changed to user@"name.onmicrosoft.com".
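The checks behind Kelvin's and Tommek's points (is the domain federated or managed, is PHS actually on, did synced UPNs land on the onmicrosoft.com suffix, is the device hybrid joined) as an added PowerShell example that is not part of the thread. It assumes the MSOnline module is installed, a tenant admin account, and a placeholder domain name you replace with your own.

```powershell
# Added example, not from the thread. Assumes the MSOnline module and a
# tenant admin account; 'yourdomain.com' is a placeholder.
Import-Module MSOnline
Connect-MsolService   # prompts for tenant admin credentials

$domain = 'yourdomain.com'   # placeholder: replace with your verified domain

# 1. Federated or managed? While Authentication = Federated, every sign-in to
#    any cloud resource is sent to ADFS; PHS does not change that routing.
$d = Get-MsolDomain -DomainName $domain
'{0}: Authentication={1} Status={2}' -f $d.Name, $d.Authentication, $d.Status

# 2. Is password hash sync on at the tenant level, and when did it last run?
#    With a federated domain the hash is only used for leaked-credential
#    detection and as the fallback if you later switch the domain to Managed.
$ci = Get-MsolCompanyInformation
'DirSyncEnabled={0} PasswordSyncEnabled={1}' -f `
    $ci.DirectorySynchronizationEnabled, $ci.PasswordSynchronizationEnabled
'LastDirSyncTime={0} LastPasswordSyncTime={1}' -f `
    $ci.LastDirSyncTime, $ci.LastPasswordSyncTime

# 3. Synced users whose on-prem UPN suffix was not a verified domain get
#    rewritten to the *.onmicrosoft.com suffix; they will not match on-prem.
Get-MsolUser -All |
    Where-Object { $_.LastDirSyncTime -and
                   $_.UserPrincipalName -like '*.onmicrosoft.com' } |
    Select-Object UserPrincipalName, LastDirSyncTime

# 4. Run on the Windows 10 device itself: a hybrid-joined machine shows both
#    DomainJoined : YES and AzureAdJoined : YES. A device that only shows
#    AzureAdJoined : YES is unknown to on-prem AD, which is Tommek's point.
dsregcmd /status | Select-String 'DomainJoined|AzureAdJoined|DeviceAuthStatus'

# 5. ADFS-outage fallback Kelvin mentions (only works if step 2 shows PHS on
#    and a recent LastPasswordSyncTime). Deliberately commented out; it breaks
#    SSO to ADFS until you re-federate.
# Set-MsolDomainAuthentication -DomainName $domain -Authentication Managed
```

Step 4 is run locally on the client; the other steps are run from any admin workstation against the tenant.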