Nov 19 2019 - last edited on Jan 14 2022
So we sync our AD with Azure AD Connect, and I have Password Hash Sync enabled. I can't seem to log in to any Windows 10 Azure AD-joined computers with accounts that are synced. I was able to create a cloud-only *.onmicrosoft.com account, and it works. Is it possible for the accounts that are synced from AD -> Azure AD to authenticate? Is there something special we need to do to make this happen?
Nov 20 2019 08:30 AM
@AJ Kertis, what UPN are you creating on the Azure AD side for your users? And does it match the UPN for the user in your on-prem AD?
If you are trying to sync a UPN like email@example.com and you have not added the domain yourdomain.com to your Azure tenant, then the sync will automatically default to first.last@*.onmicrosoft.com
Nov 22 2019 01:34 AM
First, you create your tenant "name".onmicrosoft.com
Second, you have to add your custom domain like "yourdomain.com" to your tenant
Third, your on-prem UPN needs to be firstname.lastname@example.org. If it's not, then please add it to your on-prem AD and change your UPN (be careful, that needs to be tested)
Fourth, you install AD Connect and sync your users
Fifth, if this is successful, then you are able to see your users in AAD -> Users with the same UPN as in your on-prem AD
Sixth, try to log in to portal.azure.com or myapps.microsoft.com with email@example.com
Seventh, you will also be able to log in to your domain-joined devices with firstname.lastname@example.org
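The steps above, as an added PowerShell example (not posted by anyone in this thread): add the verified custom domain as a UPN suffix in the forest, find users whose UPN still ends in the non-routable local suffix, preview the change, trigger a delta sync, and confirm on the Azure AD side that the UPN was not rewritten to the .onmicrosoft.com fallback. The domain name "yourdomain.com", the OU path and the user name are placeholders; it assumes the RSAT ActiveDirectory module, the ADSync module on the Azure AD Connect server, and the AzureAD module.

```powershell
# Added example, not from the thread: align on-prem UPN suffixes with a verified
# Azure AD custom domain before Azure AD Connect syncs the users.
# Assumptions: run as a Domain Admin with the RSAT ActiveDirectory module installed;
# steps 4-5 run on the Azure AD Connect server (ADSync module) and need the AzureAD module.
# "yourdomain.com", the OU path and "firstname.lastname" are placeholders.

$VerifiedDomain = 'yourdomain.com'            # must already be added and verified in the tenant
$SearchBase     = 'OU=Users,DC=corp,DC=local' # hypothetical OU holding the users to sync

Import-Module ActiveDirectory

# 1. Add the routable suffix to the forest if it is missing. The default suffix
#    (corp.local here) cannot be verified in Azure AD, so users keeping it would
#    be synced as user@name.onmicrosoft.com.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $VerifiedDomain) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{Add = $VerifiedDomain}
}

# 2. Find users whose UPN suffix is not the verified domain and preview the new value.
$mismatched = Get-ADUser -Filter * -SearchBase $SearchBase -Properties UserPrincipalName, mail |
    Where-Object { $_.UserPrincipalName -notlike "*@$VerifiedDomain" }

$mismatched |
    Select-Object SamAccountName, UserPrincipalName,
        @{ n = 'NewUPN'; e = { "$($_.SamAccountName)@$VerifiedDomain" } } |
    Format-Table -AutoSize

# 3. Apply with -WhatIf first; drop it once the preview looks right. A UPN change
#    affects anything that authenticates by UPN (Kerberos logon names, SSO apps),
#    so test on a pilot group before touching the whole OU.
foreach ($u in $mismatched) {
    Set-ADUser -Identity $u -UserPrincipalName "$($u.SamAccountName)@$VerifiedDomain" -WhatIf
}

# 4. On the Azure AD Connect server, push a delta sync instead of waiting for the
#    30-minute scheduler.
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta

# 5. Verify on the cloud side that the user kept the routable UPN and is flagged
#    as directory-synced (AzureAD module; Connect-AzureAD prompts for credentials).
Connect-AzureAD
Get-AzureADUser -Filter "userPrincipalName eq 'firstname.lastname@$VerifiedDomain'" |
    Select-Object UserPrincipalName, DirSyncEnabled, LastDirSyncTime
```

If step 5 returns nothing but a user with the same prefix exists at @name.onmicrosoft.com, the custom domain was not verified (or not added as a UPN suffix) before the object was first synced; fix the UPN on-prem and re-run the delta sync rather than editing the cloud object.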
Nov 22 2019 08:12 AM
I am not really sure if this is possible, because your users are on-prem. You configured ADFS. When you try to log in, you will be redirected to your on-prem AD. Your devices are only known to AAD. Your on-prem AD does not know these devices, so you cannot log in... so your users are in AD (when you use ADFS it doesn't matter whether you sync your password hash) and your devices are not. I would join the devices to your on-prem AD and sync these to Azure AD; then you have hybrid-joined devices... https://docs.microsoft.com/bs-cyrl-ba/azure/active-directory/devices/hybrid-azuread-join-federated-d...
On these devices you can log in with your synced users!
Dec 03 2019 08:10 AM
@Tommek I was under the impression that the hash sync fixed this, so the password hash was in the cloud. Is this not the case? We have that enabled with Azure AD Connect. Also, I want to log in through Azure AD because I will have some Azure VMs joined to Azure AD. I can't seem to find a straight answer on whether the password hash sync will allow the password to be the same in the cloud as in on-prem AD.
Dec 05 2019 04:34 AM
OK... maybe I misunderstood... When you use AD Connect to sync your users (with password hash) from on-prem AD to AAD, then you are able to log in to your on-prem domain and to Azure AD with the same UPN, for example email@example.com. When you use ADFS, then you do not need to sync your passwords, only user objects. Then you are also able to log in on-prem and in AAD with the same UPN. But it is important that your UPN is correct. For example: firstname.lastname@example.org will be synced to AAD. When domain.com is not available in your tenant, then your user's UPN will be changed to user@"name.onmicrosoft.com"
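The distinction in the reply above (password hash sync validates the password in the cloud; ADFS sends the logon back to on-prem) is something you can check rather than guess at. Here is an added PowerShell example, not from the thread, that reports whether PHS is enabled on the Azure AD Connect connector, whether the sync scheduler is running, whether the custom domain is Managed or Federated, and when the tenant last received a password hash. It assumes the ADSync module on the Azure AD Connect server and the MSOnline module; "corp.local" (the on-prem connector name) and "yourdomain.com" are placeholders.

```powershell
# Added example, not from the thread: is the tenant really using password hash sync
# (Managed) or ADFS (Federated), and are hashes actually flowing?
# Assumptions: run on the Azure AD Connect server in an elevated session; ADSync module
# (installed with AD Connect) and MSOnline module present. "corp.local" is a placeholder
# for the on-prem AD connector name, "yourdomain.com" for the custom domain.

$OnPremConnector = 'corp.local'
$CustomDomain    = 'yourdomain.com'

Import-Module ADSync

# 1. Is password hash sync enabled on the on-prem connector? Without it a synced user
#    exists in Azure AD but has no cloud-validatable password.
$phs = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $OnPremConnector
if (-not $phs.PasswordSyncEnabled) {
    Write-Warning "Password hash sync is disabled on connector '$OnPremConnector'."
}

# 2. Is the scheduler running? If not, on-prem password changes never reach the cloud.
$sched = Get-ADSyncScheduler
if (-not $sched.SyncCycleEnabled) {
    Write-Warning 'Sync cycle is disabled; re-enable with Set-ADSyncScheduler -SyncCycleEnabled $true'
}

# 3. How does the custom domain authenticate? Federated = logon is redirected to ADFS and
#    the synced hash is only a backup; Managed = the synced hash is what validates the password.
Connect-MsolService
$domain = Get-MsolDomain -DomainName $CustomDomain
"{0}: Authentication={1} Status={2}" -f $CustomDomain, $domain.Authentication, $domain.Status

# 4. Tenant-level timestamps. LastPasswordSyncTime should be recent (minutes to a few hours)
#    if hashes are flowing; a stale value points at a stuck connector or scheduler.
Get-MsolCompanyInformation |
    Select-Object DirectorySynchronizationEnabled, LastDirSyncTime,
                  PasswordSynchronizationEnabled, LastPasswordSyncTime

# 5. Built-in diagnostic: checks connector configuration, scheduler state and recent
#    password sync events, and reports why a given user's hash may not have synced.
Invoke-ADSyncDiagnostics -PasswordSync
```

A domain that shows Authentication=Federated explains the original symptom: the Azure AD-joined device sends the logon to ADFS, which must reach the on-prem AD, so the cloud copy of the hash is never consulted. Converting the domain to Managed (or keeping ADFS and hybrid-joining the devices, as suggested earlier in the thread) are the two ways out.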
Dec 08 2019 10:58 AM