Curious how Azure AD Connect with PTA/SSO and MFA are handled for a remote employee who has not logged into the network.
If users are remote for more than 90 days, do a password reset, and have cached credentials, how do Office 365 PTA and Seamless Single Sign-On handle those users? Does logging into a Microsoft service like Office 365 sync those creds to be active?
I also have a second question along the same lines. If we hybrid Azure AD join our PCs and the PCs have not checked in with AD, how do they confirm the join?
Ensure that the corporate device is joined to the Active Directory domain.
Ensure that the user is logged on to the device through an Active Directory domain account.
Ensure that the user's account is from an Active Directory forest where Seamless SSO has been set up.
Ensure that the device is connected to the corporate network.
Ensure that the device's time is synchronized with the time in both Active Directory and the domain controllers, and that they are within five minutes of each other.
So in the case of "remote" users, SSO will always fail and PTA will trigger. As long as they are able to correctly authenticate and get a token, they should not see another prompt for the next 90 days or so, which is the default validity period for refresh tokens.
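The answer above lists five client-side prerequisites for Seamless SSO and explains that when they are not met (the usual case for a remote worker) the sign-in falls back to PTA. The script below is an added example, not code from the thread or from Microsoft: it runs on the Windows client as the signed-in user and reports which of those five conditions currently hold, so a help desk can tell in advance whether a user will get the silent Kerberos sign-in or the interactive prompt. Two assumptions are made that the thread does not state: that the AZUREADSSOACC computer account created in AD during Seamless SSO setup is an adequate proxy for "Seamless SSO has been set up in this forest", and that `w32tm /stripchart /dataonly` prints its sample as `<time>, +00.0123456s`.

```powershell
# Added example (not from the original thread): check the five Seamless SSO
# prerequisites on a Windows client. Run as the signed-in user.
# Assumptions (not stated in the thread): AZUREADSSOACC presence == SSO configured
# for this forest; w32tm /stripchart /dataonly emits "<time>, +00.0123456s".

$results = [ordered]@{}

# 1. Device is joined to an Active Directory domain
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$results['DomainJoined'] = [bool]$cs.PartOfDomain

# 2. User is logged on with a domain account
#    (a local account has USERDOMAIN equal to COMPUTERNAME)
$results['DomainUser'] = ($env:USERDOMAIN -ne $env:COMPUTERNAME) -and $cs.PartOfDomain

# 4. Device can reach a domain controller, i.e. has line of sight to the
#    corporate network (Kerberos, TCP 88)
$dc = $null
try {
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $dc = $domain.FindDomainController().Name
    $results['DcReachable'] = (Test-NetConnection -ComputerName $dc -Port 88 `
        -WarningAction SilentlyContinue).TcpTestSucceeded
} catch {
    $results['DcReachable'] = $false
}

# 3. Seamless SSO has been set up in the user's forest
#    (assumption: look for the AZUREADSSOACC computer object via ADSI, no RSAT needed)
if ($results['DcReachable']) {
    $searcher = [adsisearcher]'(&(objectClass=computer)(sAMAccountName=AZUREADSSOACC$))'
    $results['SsoAccountPresent'] = ($null -ne $searcher.FindOne())
} else {
    $results['SsoAccountPresent'] = $false
}

# 5. Clock skew against the DC is within five minutes (Kerberos default tolerance)
$results['ClockWithin5Min'] = $false
if ($dc) {
    $line = w32tm /stripchart /computer:$dc /samples:1 /dataonly 2>$null | Select-Object -Last 1
    if ($line -match ',\s*([+-]\d+(?:\.\d+)?)s') {
        $skew = [math]::Abs([double]$Matches[1])
        $results['ClockSkewSeconds'] = [math]::Round($skew, 3)
        $results['ClockWithin5Min'] = ($skew -le 300)
    }
}

$results.GetEnumerator() | Format-Table -AutoSize

$ssoPossible = $results['DomainJoined'] -and $results['DomainUser'] `
    -and $results['DcReachable'] -and $results['SsoAccountPresent'] `
    -and $results['ClockWithin5Min']

if ($ssoPossible) {
    'Seamless SSO prerequisites met: expect a silent Kerberos sign-in.'
} else {
    'Seamless SSO prerequisites NOT met: expect the interactive prompt and PTA. ' +
    'After a successful sign-in the refresh token is valid for roughly 90 days by default.'
}
```

For a remote user on a VPN-less laptop the expected result is DcReachable = False (and therefore SsoAccountPresent and ClockWithin5Min = False), which matches the answer's point that SSO fails and PTA handles the password check against the on-premises DC; a user who reset their password while remote will still validate correctly through PTA because the agent checks the current AD password, not the cached one.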