Forum Discussion
JamieHosley
Jan 20, 2022 | Brass Contributor
Logging into Azure AD only computer with on-prem AD based certificate on smart card
We're making the move to deploying Azure AD only devices but we're running into real issues getting authentication to work using our smart cards (we're a federal gov agency) for our user accounts whi...
Jason_Sandys
Microsoft
Jan 20, 2022
> Authenticating/logging into the Azure AD only device works fine with an Azure AD only user account, but using our existing on-prem accounts has not been something we've been able to get to work at all
Just to make sure there's no ambiguity here, this is completely expected and by design. You must use an AAD user identity to log into an AAD joined Windows endpoint. You can sync your on-prem AD accounts to AAD thus making those accounts "hybrid" user accounts that exist in both AD and AAD and which makes it seem like you are using an on-prem AD account to login, but you cannot directly use an on-prem AD account/identity.
JamieHosley
Jan 20, 2022 | Brass Contributor
Hey Jason,
So our user accounts are also synced to Azure AD but for authenticating to anything in our Azure tenant we pass through ADFS using our x509 certs from our cards and that seems to be where this runs into an issue and we're having a real problem even getting a declarative statement from anyone that this just isn't possible unless that usage changes.
- JamieHosley
  Jan 20, 2022 | Brass Contributor
  and we could push for whatever changes (or additions) might be needed to get this working on our config, but we don't know what to ask for to be able to get it working (or to get some acceptable alternative put in place).
- Roy Barton
  Jan 20, 2022 | Former Employee
  Jamie,
  Have you, or your Microsoft personnel, opened a support case?
- JamieHosley
  Jan 20, 2022 | Brass Contributor
  Hey Roy,
  Yes, we've been working a case with Azure Identity support since October and haven't got anywhere. That's what spurred me to reach out here on the office hours, because it seems we may not have the right people engaged, and if I needed to I could request our TAM to reach out to other resources that might be able to provide us with more specific help on the options here.