Do I need to do a domain join to avoid multiple logins?


Hi,

We are just starting with Intune and using Autopilot, however I see that by default these new computers do not appear in the local, on-prem Active Directory, so this means when staff rock up at the office, they log in to their laptop but they are not on the domain, so if they try and access a network share or a network app they are prompted to sign in, constantly in some cases!

So, my question is this: we have a lot of legacy apps, we can't move fully to Azure just yet, we need staff working in the office on certain software, so do we make these new Autopilot computers hybrid domain joined devices to get around this network prompt? Also, when we do this will it rename the computer account? I see it assigns a random 15 character code as the machine name, but it isn't clear if it actually renames the computer itself or just makes this a reference in AD? Any help much appreciated.

TIA

Stuart

3 Replies
There are ways to get SSO to on prem resources on an AzureAD Joined device. See this link:

https://docs.microsoft.com/en-us/azure/active-directory/devices/azuread-join-sso

However, if you want to go Hybrid then yes, you'll need to set up Device Registration in Azure AD Connect in your on-premises Forest, and Hybrid Autopilot with the Intune Connector for Active Directory.

https://docs.microsoft.com/en-us/mem/autopilot/windows-autopilot-hybrid

Hi,

I would skip HAADJ :) ... If it's possible to skip it, I would. It depends on multiple factors... If the legacy apps are just files sitting on a share... no problem, that will work.

You will need to make sure you have Azure AD Connect installed, as this is necessary for the SSO from your AADJ devices to your on-premises servers.

I have done a huge blog on this topic... If you have any questions about it, please send me an email!

https://call4cloud.nl/2021/03/deliver-us-from-hybrid/
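Both replies above say that SSO from an Azure AD joined (not hybrid) device to on-prem resources is possible once Azure AD Connect is in place. The way to verify that on a given laptop is `dsregcmd /status`: the Device State section tells you which join type the device actually has, and the SSO State section shows whether the device holds an Azure AD PRT and an on-prem Kerberos TGT, which is what lets an AADJ device open a file share without a second prompt. The parser below is an added example, not code from the thread or from Microsoft; the abridged status output it parses is constructed, and the field names are the ones dsregcmd prints.

```python
"""Classify join state and on-prem SSO readiness from `dsregcmd /status` output."""
import re
import subprocess
from typing import Dict, List

# Constructed, abridged sample of `dsregcmd /status` for an Azure AD joined device
# that has obtained an on-prem Kerberos TGT (SSO to on-prem shares is working).
SAMPLE_STATUS = """
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : YES
             EnterprisePrt : NO
                 OnPremTgt : YES
"""

# dsregcmd prints "Key : Value" lines; box-drawing lines do not match this pattern.
FIELD_RE = re.compile(r"^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$")


def parse_status(text: str) -> Dict[str, str]:
    """Collect every 'Key : Value' line of the status output into a dict."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def join_state(fields: Dict[str, str]) -> str:
    """Hybrid = AzureAdJoined and DomainJoined both YES; AADJ = AzureAdJoined only."""
    aad = fields.get("AzureAdJoined") == "YES"
    dom = fields.get("DomainJoined") == "YES"
    if aad and dom:
        return "Hybrid Azure AD joined"
    if aad:
        return "Azure AD joined"
    return "Domain joined only" if dom else "Not joined"


def onprem_sso_ready(fields: Dict[str, str]) -> bool:
    """An AADJ device reaches on-prem AD via a Kerberos TGT obtained with its PRT;
    both AzureAdPrt and OnPremTgt must be YES for silent access to on-prem shares."""
    return fields.get("AzureAdPrt") == "YES" and fields.get("OnPremTgt") == "YES"


def check_local_device() -> List[str]:
    """Run dsregcmd on this Windows machine (assumes dsregcmd is on PATH)."""
    out = subprocess.run(["dsregcmd", "/status"], capture_output=True, text=True, check=True).stdout
    f = parse_status(out)
    return [join_state(f), "on-prem SSO ready" if onprem_sso_ready(f) else "no on-prem TGT"]
```

If OnPremTgt stays NO on a device that is otherwise AADJ with a PRT, the usual causes are the user not being synced by Azure AD Connect or the device having no line of sight to a domain controller.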

Hi @notesguru99, good afternoon,

1) I would like you to go through the link below for hybrid identity: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-hybrid-identity

Pass-through Authentication scenarios will help you sync user accounts to AAD, with AAD Connect responsible for authentication.

2) You can set a hostname policy in Autopilot, which will avoid the random names for the device. This will be helpful for you.

Ex:

• Device naming pattern
• %SERIAL%
• %RAND:x% (where x is the number of digits)
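Since the original question worries about the 15 character machine name, it helps to check a naming template before rolling it out: a long serial number appended to a prefix can push the result past the computer-name limit. The code below is an added example, not from the thread or from Microsoft; it expands `%SERIAL%` and `%RAND:x%` the way the template macros are described above and validates the result against the Autopilot profile rules (15 characters or fewer, letters, digits and hyphens only, not all digits), which are assumed from Microsoft's profile guidance.

```python
"""Expand and validate an Autopilot device-name template such as "LT-%SERIAL%" or "PC-%RAND:5%"."""
import random
import re
import string
from typing import List, Optional

MAX_LEN = 15  # computer-name limit enforced by the Autopilot profile (assumed)
ALLOWED_RE = re.compile(r"^[A-Za-z0-9-]+$")
RAND_RE = re.compile(r"%RAND:(\d+)%")


def expand_template(template: str, serial: str, rng: Optional[random.Random] = None) -> str:
    """Replace %SERIAL% with the device serial and each %RAND:x% with x random digits."""
    rng = rng or random.Random()
    name = template.replace("%SERIAL%", serial)
    return RAND_RE.sub(
        lambda m: "".join(rng.choice(string.digits) for _ in range(int(m.group(1)))), name
    )


def validate_name(name: str) -> List[str]:
    """Return the rule violations for a candidate name (empty list means acceptable)."""
    problems = []
    if len(name) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters ({len(name)})")
    if not ALLOWED_RE.match(name):
        problems.append("contains characters other than letters, digits and hyphens")
    if name.isdigit():
        problems.append("consists only of digits")
    return problems


def check_template(template: str, sample_serials: List[str]) -> List[str]:
    """Expand a template against constructed sample serials and report which ones would fail."""
    report = []
    for serial in sample_serials:
        name = expand_template(template, serial)
        for p in validate_name(name):
            report.append(f"{template!r} with serial {serial!r} -> {name!r}: {p}")
    return report


if __name__ == "__main__":
    # Constructed sample serials: a short one and a long vendor-style one.
    for line in check_template("LAB-%SERIAL%", ["ABC123", "5CD1234ABCDEFGH"]):
        print(line)
```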