Microsoft Tech Community
SOLVED

Is it possible to use Azure AD without internet

Copper Contributor

Hello Experts

Mine is more of a business-user kind of question and not a technical one. We want to use some access and identity management system for our company (about 50 users, mostly using Windows 10). Recently we were audited for some compliance and the auditor recommended an Active Directory service where we could control the users (active/inactive) and have info on what software has been installed on each machine. They also recommended we could use Azure AD. We tried the Free version and it works when the PC/laptop is connected to the internet. When it's not connected, the users are not able to log on. Before investing or investigating further I want to check if it is possible to have Azure AD work without internet, i.e. can the users log in to their machines even if they are not connected to the internet. Any help is appreciated.

7 Replies
best response confirmed by anand_s (Copper Contributor)
Solution
Hi Anand, by design this should work with cached credentials, so once a machine is Azure AD joined and the user has successfully logged on to the device, you could disable the network connection and log on again, even without a connection to Azure AD.

Thanks a lot Bert for your quick reply. One more question: when we delete the user in Azure AD, the user is still able to log in using the old credentials. The user is connected to the internet and we believe the event of deleting the user has not been synced/broadcast. Any thoughts on this?

 

Thanks

Anand

I am sure that you won't be able to log in after federation service (AD FS between Azure AD and the domain-joined computer over the internet) connectivity is restored between Azure AD and the domain-joined computer.

Thanks
Vinoth K

@Vinoth_Azure 

Hello,

I have a somewhat similar question. I have an AAD joined device, an on-prem (AD DS) user synced to AAD, and AD FS. Question (I cannot find an answer): how does it work in this situation: the user is signed in to the computer, he turns off the computer and travels on holiday. When he starts the computer (14 days later) at the hotel (without an internet connection), is he able to log in to Windows? Is there an exact time for credential caching, i.e. how long can the computer keep the user credentials (authenticated over AD FS) cached for user login?

Thank you for answers or ideas..

Yes, the user will be able to log in to Windows 14 days later at the hotel (without an internet connection) if the device is Azure AD joined and the user is synced to Azure AD and ADFS. The user's credentials will be cached on the device for up to 14 days, so they will be able to log in without an internet connection.

Here is how it works:

When the user signs in to the device, their credentials are cached on the device.

The device then connects to Azure AD and authenticates the user's credentials.

Azure AD then sends a token back to the device, which the device uses to authenticate the user for the next 14 days.

If the user's device is not connected to the internet for more than 14 days, the user will not be able to log in without re-entering their credentials.

Here are some additional things to keep in mind:

The 14-day credential caching period is the default value. You can change this value in Azure AD by going to Settings > Devices > Conditional Access > Session control > Maximum session age.

If the user's device is lost or stolen, you can revoke the user's access to Azure AD by going to Users > Active users > select the user > Manage > Revoke access.

You can also configure Azure AD to require users to re-enter their credentials every time they sign in. This can be done by going to Settings > Devices > Conditional Access > Session control > Sign-in frequency.
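The replies above all turn on the same two device-side facts: whether the machine is Azure AD joined (and holds a current Primary Refresh Token) and whether Windows is allowed to cache logons at all. The script below is an added example, not code from the thread; it reads the fields that `dsregcmd /status` prints and the Winlogon `CachedLogonsCount` policy value, which is the classic "Interactive logon: Number of previous logons to cache" control. It assumes it is run in an elevated PowerShell session on the Windows 10 device being checked, and that the thread's question about which cache limit applies to Azure AD accounts is left to the reader to confirm against current documentation.

```powershell
# Added example: audit Azure AD join state, PRT state and the cached-logon policy on this device.
# Assumes an elevated PowerShell session on a Windows 10 machine; dsregcmd.exe ships with Windows.

function Get-DsregStatus {
    # dsregcmd prints "Key : Value" lines; collect them into a hashtable keyed by field name
    $table = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*)$') {
            $table[$matches[1]] = $matches[2].Trim()
        }
    }
    return $table
}

function Get-CachedLogonsCount {
    # REG_SZ under Winlogon; absent means the Windows default of 10, 0 disables cached logons
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $item = Get-ItemProperty -Path $key -Name CachedLogonsCount -ErrorAction SilentlyContinue
    if ($null -eq $item -or $null -eq $item.CachedLogonsCount) { return 10 }
    return [int]$item.CachedLogonsCount
}

$status = Get-DsregStatus
$azureAdJoined = $status['AzureAdJoined'] -eq 'YES'
$hasPrt        = $status['AzureAdPrt'] -eq 'YES'

Write-Host "AzureAdJoined : $azureAdJoined"
Write-Host "DomainJoined  : $($status['DomainJoined'])"
Write-Host "AzureAdPrt    : $hasPrt"
if ($hasPrt) {
    # The PRT timestamps show when the device last refreshed its token and when it would lapse
    Write-Host "PRT last updated : $($status['AzureAdPrtUpdateTime'])"
    Write-Host "PRT expires      : $($status['AzureAdPrtExpiryTime'])"
}

$cached = Get-CachedLogonsCount
Write-Host "CachedLogonsCount : $cached"
if ($cached -eq 0) {
    Write-Host "Cached logons are disabled: nobody can sign in while the device is offline."
} else {
    # This is also why a user deleted in the directory may still sign in offline (see the thread)
    Write-Host "Up to $cached previously signed-in accounts can sign in from the cache while offline."
}
```

Setting `CachedLogonsCount` to 0 removes offline sign-in entirely, which is the trade-off the original poster has to weigh against the deleted-user observation earlier in the thread.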

@Vinoth_Azure I have a Privileged Access Management solution. I want to integrate an Azure Active Directory account. So here I have two questions:

i. Is an internet connection mandatory, I mean does the PAM solution need internet for this? I think at minimum it's needed during configuration time, but can I continue always?

ii. If the end user/admin has internet, then is it accessible all the time?

Tell me if I am right or wrong: PAM adds the user credential and records admin activity. PAM has a connection with the user and it will show the portal access link. If the PAM server has no internet, it will not be accessible on that server, but the user can access that Azure Active Directory server.

If you feel it is complex to understand, then inform me and I will show you by drawing the process.
