Forum Discussion
JamieHosley
Jan 20, 2022
Brass Contributor
Logging into Azure AD only computer with on-prem AD based certificate on smart card
We're making the move to deploying Azure AD only devices but we're running into real issues getting authentication to work using our smart cards (we're a federal gov agency) for our user accounts whi...
Roy Barton
Microsoft
Jan 20, 2022
Hey Jamie! Thanks for reaching out. If I read this correctly, I think the answer to your question is in the Temporary Access Pass found in the Intune Service. Take a look at this https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-temporary-access-pass and let us know if this helps.
JamieHosley
Jan 20, 2022
Brass Contributor
Hey Roy,
Thanks for this, that might be what we need; this has ended up being a really difficult hurdle for us to get over. Authenticating/logging into the Azure AD only device works fine with an Azure AD only user account, but using our existing on-prem accounts has not been something we've been able to get to work at all, and we're also moving forward with some special projects that utilize HoloLenses, so it's a growing need for us to figure this out. I really appreciate the info.
- Jason_Sandys
Jan 20, 2022
Microsoft
> Authenticating/logging into the Azure AD only device works fine with an Azure AD only user account, but using our existing on-prem accounts has not been something we've been able to get to work at all
Just to make sure there's no ambiguity here, this is completely expected and by design. You must use an AAD user identity to log into an AAD joined Windows endpoint. You can sync your on-prem AD accounts to AAD, thus making those accounts "hybrid" user accounts that exist in both AD and AAD, which makes it seem like you are using an on-prem AD account to log in, but you cannot directly use an on-prem AD account/identity.
- JamieHosley
Jan 20, 2022
Brass Contributor
Hey Jason,
So our user accounts are also synced to Azure AD, but for authenticating to anything in our Azure tenant we pass through ADFS using our x509 certs from our cards, and that seems to be where this runs into an issue. We're having a real problem even getting a declarative statement from anyone that this just isn't possible unless that usage changes.
- JamieHosley
Jan 20, 2022
Brass Contributor
And we could push for whatever changes (or additions) might be needed to get this working on our config, but we don't know what to ask for to be able to get it working (or to get some acceptable alternative put in place).