In the part 1 blog , I talked about the mechanics of joining Windows 10 devices to Azure AD. Now let’s shift focus and talk about the impact of doing it. I already mentioned that Azure AD doesn’t provide management capabilities (those should be provided via Intune, System Center Configuration Manager, or other management tools). But what about authentication with existing on-prem resources like web servers, file servers, etc.? That’s the focus for this post.
Let’s start with the basics, things that you expect to “just work” because of Active Directory: users in AD, signed into devices joined to AD, accessing resources in AD. Behind the scenes, Windows 10 talks to an AD domain controller to get a Kerberos TGT (ticket-granting ticket), which can then be used to access AD-joined resources. No big surprise, these work just fine:
So, let’s then look at another scenario: Using the same AD-joined servers, let’s try using an Azure AD-joined device, where the user is signing into the device using an Azure AD account that has been synchronized with the AD domain. What do you expect to happen in that case? Before answering that question, let’s dig in a little deeper on what happens when you sign into an Azure AD-joined device. Instead of talking to an AD domain controller, it talks to the Azure AD service, which provides a PRT (Primary Refresh Token), which can then be used to access Azure AD-protected resources.
But what about AD-joined resources being access from an Azure AD-joined device? The PRT doesn’t do any good in that case, because AD doesn’t know anything about it. So to make this work, Windows 10 performs an extra step: When it sees that it is on a network with an available AD domain controller, it reaches out to that server to get a Kerberos TGT. So now it has everything it needs to access both: a PRT for Azure AD, and a TGT for AD.
But how does this work? Through the magic of Azure AD Connect, Windows knows the AD domain name (synchronized from the on-prem AD into Azure AD) and can use that to look for an AD domain controller. When it finds an AD domain controller, it can they get the TGT needed to access AD-joined resources. Let’s look at the results:
No surprises, you can successfully authenticate, although you might need to help some tools locate the AD domain you are trying to administer or the resource you are trying to access (if it’s located using AD).
By default, devices joined to Azure AD will be enabled for Windows Hello for Business, which enables devices to sign on using a PIN or biometrics. (You can turn it off via MDM policies, but you’re not doing your users any favors by doing so – avoiding passwords is a great thing.) This works well when accessing only Azure AD resources, but does have some implications when accessing AD-joined resources.
For me, this was definitely a learning experience, pouring over the Windows Hello for Business documentation , including a detailed deployment guide . I could probably write several blogs about that, but I’ll just provide the cliff notes here:
Once you have either a key trust or certificate trust set up and properly configured (took me several days to get the CRL right), then all the above tests work just as they did without Hello for Business:
Also note that you might choose to leverage something like the Azure AD Application Proxy to access internal web apps. With that, you can authenticate using Azure AD (including support for multi-factor authorization) and let Azure handle the internal authentication and redirection for you (no client-side VPN required). And as announce last week, you can now configure these apps using PowerShell; see https://cloudblogs.microsoft.com/enterprisemobility/2018/02/15/faster-application-deployment-in... for more details.
For those afraid of joining devices to Azure AD because of the number of Active Directory-secured apps, services, shares, etc. that are being used in your environment, I think you’ll be presently surprised at how well it can work. Obviously your results may vary (people always find creative ways to configure things, so there’s definitely a chance that some apps might not work, at least not without some reconfiguration), so you still want to do some testing on your own. But it will likely work well enough for you to try it out yourself – take a few devices, maybe even your own primary device, and join it to Azure AD to see what happens. (See part 1 for more details on that.)