Azure AD Windows 10 and Azure AD Connect

Occasional Contributor

So we sync our AD w/ Azure AD Connect and I have Password Hash Sync enabled. I can't seem to login to any Windows 10 Azure AD joined computers with accounts that are synced. I was able to create a cloud only account *.onmicrosoft.com account and it works. Is it possible for the accounts that are synced from AD -> Azure AD to authenticate? Is there something special we need to make this happen? 

8 Replies

@AJ Kertis  what UPN are you creating on the Azure AD side for your users? And does it match the upn for the user in your on prem AD?

If you are trying to syn a upn like first.last@yourdomain.com and you have not added the domain yourdomain.com to your Azure tenant, then the sync will automatically default to first.last@*.onmicrosoft.com

@jasonsch69 we originally started with Office 365 but yeah the UPN used for everything Azure and Office 365 is the same as the one I'm trying to use and is set accordingly in our local AD. 

@AJ Kertis 

first you create your tenant "name".onmicrosoft.com

second you have to add your custom domain like "yourdomain.com" to your tenant

3rd your onprem UPN needs to be username@yourdomain.com - if its not than please add it to your onprem AD and change your upn (be careful that needs to tested)

4th you install AdConnect and sync your user

5th if this is successfull than you are able to see your users in aad ->users with same upn just like in your onprem-AD 

6th try to login to portal.azure.com or myapps.microsoft.com with username@yourdomain.com

7th you also be able to login to your domain-joined-devices with username@yourdomain.com 

 

 

@Tommek 

 

We do use ADFS for the azure portal. I'm able to login through azure with my email/password but it is federated. I still can't login with domain joined devices. 

@AJ Kertis 

 

I am not realy sure if this is possible. Because your users are onprem. You configered adfs. When you try to login then you will redirected to your onprem AD. Your devices are only known to aad. Your onprem Ad do not know these devices so you can not login... so your users are in ad (when you use adfs it doesn't madder if your are sync your password hash) and your devices not. I would join the devices to your on Prem ad and sync these to azure ad. then you have hybrid-joined devices... https://docs.microsoft.com/bs-cyrl-ba/azure/active-directory/devices/hybrid-azuread-join-federated-d...

 

on these devices you can login with your synced users!

 

 

 

 

@Tommek I was under the impression that the hash sync fixed this so the password hash was in the cloud. Is this not the case? We have that enabled with Azure AD Connect. Also, I want to login through Azure AD because I will have some Azure VMs joined to Azure AD. I can't seem to find a straight answer if the password hash sync will allow the password to be the same in the cloud as on prem AD. 

@AJ Kertis 

ok.. maybe i missunderstood... When you use ad connect to sync your user(with password hash) from onprem ad to aad then you are able to login to your onprem Domain and to azure ad with same upn. example user@yourdomain.com. When you use adfs then you do not need to sync your passwords, only user objects. then you are also be able to login on prem and in aad with same upn. But it is important that your upn is correct. for example: user@domain.com will be synced to aad. When in your tenant domain.com is not available, then your user upn will be changed to user@"name.onmicrosoft.com"

 

 

To hopefully clarify your understanding here, synchronising your passwords is advantageous, but doesn’t work in quite the way (I think) you are implying...

Having a copy of the password hash in the cloud when you have ADFS enables two things:

- Leaked Credential Protection
- The option to disable federation in case of ADFS failure so that users can continue to authenticate with the same username / password combination (albeit without SSO, and without delegation to your on-premises environment)

As long as federation is enabled for your domain, authentication will be directed to your ADFS servers - irrespective of the resource you are signing on to. PHS doesn’t result in some auth requests being processed in cloud, and some on-prem. My reading of your reply suggests you think this is the case?

Kelvin