Forum Discussion
Logging into Azure AD only computer with on-prem AD based certificate on smart card
We're making the move to deploying Azure AD only devices, but we're running into real issues getting authentication to work using our smart cards (we're a federal gov agency) for our user accounts, which come from on-prem AD. While we do have MS resources we're working with, we seem to be having a hard time finding the right MS resources that can assist us in getting all the components configured correctly (in Azure AD etc.) for this to work (or in determining whether it is even possible). So I wanted to see here if there may be some recommendations on resources that we might be able to leverage to get this effort moving forward. Any help is appreciated. Also, all on-prem devices are Hybrid AD joined, everything is co-managed, and there are no issues there.
Thanks,
Jamie
7 Replies
- Roy Barton (Former Employee)
Hey Jamie! Thanks for reaching out. If I read this correctly, I think the answer to your question is in the Temporary Access Pass found in the Intune Service. Take a look at this https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-temporary-access-pass and let us know if this helps.
- JamieHosley (Brass Contributor)
Hey Roy,
Thanks for this, that might be what we need; this has ended up being a real difficult hurdle for us to get over. Authenticating/logging into the Azure AD only device works fine with an Azure AD only user account, but using our existing on-prem accounts has not been something we've been able to get to work at all, and we're also moving forward with some special projects that utilize HoloLens devices, so it's a growing need for us to figure this out. I really appreciate the info.
- Jason_Sandys (Microsoft)
> Authenticating/logging into the Azure AD only device works fine with an Azure AD only user account, but using our existing on-prem accounts has not been something we've been able to get to work at all
Just to make sure there's no ambiguity here, this is completely expected and by design. You must use an AAD user identity to log into an AAD joined Windows endpoint. You can sync your on-prem AD accounts to AAD thus making those accounts "hybrid" user accounts that exist in both AD and AAD and which makes it seem like you are using an on-prem AD account to login, but you cannot directly use an on-prem AD account/identity.
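To make the distinction in this reply concrete (Azure AD joined device, Azure AD identity that is either cloud-only or synced from on-prem AD), here is an added PowerShell example. It is not from the thread or from Microsoft. It assumes it is run on a Windows endpoint (for `dsregcmd /status`), that the Microsoft.Graph.Users module is installed and you can consent to `User.Read.All`, and that `$Upn` is a placeholder for the account you want to check, not a real user.

```powershell
# Added example, not part of the original thread.
# Answers two questions Jason's reply turns on:
#   1. How is this Windows device joined (Azure AD joined, hybrid, or on-prem only)?
#   2. Does the user exist in Azure AD at all, and if so is it cloud-only or
#      synced from on-prem AD (a "hybrid" identity)?
# Assumptions: Windows endpoint, Microsoft.Graph.Users module present,
# $Upn is a placeholder supplied by the caller.
param(
    [Parameter(Mandatory = $true)][string]$Upn
)

function Get-DeviceJoinState {
    # dsregcmd prints "Key : Value" lines; keep only the join flags.
    $lines = & dsregcmd.exe /status
    $state = @{}
    foreach ($line in $lines) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|EnterpriseJoined)\s*:\s*(YES|NO)\s*$') {
            $state[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }
    $aad = [bool]$state['AzureAdJoined']
    $dom = [bool]$state['DomainJoined']
    $joinType = if ($aad -and $dom) { 'Hybrid Azure AD joined' }
                elseif ($aad)       { 'Azure AD joined (cloud only)' }
                elseif ($dom)       { 'On-prem AD joined only' }
                else                { 'Not joined' }
    [pscustomobject]@{
        AzureAdJoined = $aad
        DomainJoined  = $dom
        JoinType      = $joinType
    }
}

function Get-UserIdentitySource {
    param([string]$UserPrincipalName)
    Import-Module Microsoft.Graph.Users
    Connect-MgGraph -Scopes 'User.Read.All' | Out-Null
    try {
        $u = Get-MgUser -UserId $UserPrincipalName -Property @(
            'userPrincipalName', 'onPremisesSyncEnabled',
            'onPremisesImmutableId', 'onPremisesSamAccountName')
    } catch {
        # No user object in Azure AD: this is an on-prem-only identity and cannot
        # sign in to an Azure AD joined device until it is synced (e.g. Azure AD Connect).
        return [pscustomobject]@{
            UserPrincipalName = $UserPrincipalName
            Source            = 'Not present in Azure AD (on-prem only)'
            ImmutableId       = $null
            SamAccountName    = $null
        }
    }
    $source = if ($u.OnPremisesSyncEnabled) { 'Hybrid (synced from on-prem AD)' }
              else                          { 'Cloud-only Azure AD account' }
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        Source            = $source
        ImmutableId       = $u.OnPremisesImmutableId   # anchor linking AAD object to the AD user
        SamAccountName    = $u.OnPremisesSamAccountName
    }
}

$device = Get-DeviceJoinState
$user   = Get-UserIdentitySource -UserPrincipalName $Upn

$device | Format-List
$user   | Format-List

# Verdict: on an Azure AD joined device only an Azure AD identity (cloud-only
# or hybrid) can sign in; an on-prem-only account has nothing to authenticate against.
if ($device.AzureAdJoined -and -not $device.DomainJoined -and
    $user.Source -like 'Not present*') {
    Write-Warning "$Upn has no Azure AD object; sync the account before expecting sign-in on this device."
}
```

Running this against a user that signs in fine on the Azure AD joined device should show `Source` as either cloud-only or hybrid; the case the thread describes (an unsynced on-prem account) lands in the `catch` branch, which is the "not something we've been able to get to work" outcome explained above.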