Logging into Azure AD only computer with on-prem AD based certificate on smart card


We're making the move to deploying Azure AD only devices but we're running into real issues getting authentication to work using our smart cards (we're a federal gov agency) for our user accounts which come from on-prem AD. While we do have MS resources we're working with we seem to be having a hard time finding the right MS resources that can assist us in getting all the components configured correctly (in Azure AD etc) for this to work (or determine if it is even possible). So I wanted to see here if there may be some recommendations on resources that we might be able to leverage to get this effort moving forward? Any help is appreciated. Also all on-prem devices are Hybrid AD joined and everything is co-managed and there are no issues there.

Thanks,

Jamie

7 Replies
Hey Jamie! Thanks for reaching out. If I read this correctly, I think the answer to your question is in the Temporary Access Pass found in the Intune Service. Take a look at this https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-temporar... and let us know if this helps.
Hey Roy,
Thanks for this, that might be what we need; this has ended up being a real difficult hurdle for us to get over. Authenticating/logging into the Azure AD only device works fine with an Azure AD only user account, but using our existing on-prem accounts has not been something we've been able to get to work at all, and we're also moving forward with some special projects that utilize HoloLenses, so it's a growing need for us to figure this out. I really appreciate the info.
> Authenticating/logging into the Azure AD only device works fine with an Azure AD only user account, but using our existing on-prem accounts has not been something we've been able to get to work at all

Just to make sure there's no ambiguity here, this is completely expected and by design. You must use an AAD user identity to log into an AAD joined Windows endpoint. You can sync your on-prem AD accounts to AAD thus making those accounts "hybrid" user accounts that exist in both AD and AAD and which makes it seem like you are using an on-prem AD account to login, but you cannot directly use an on-prem AD account/identity.
Hey Jason,
So our user accounts are also synced to Azure AD, but for authenticating to anything in our Azure tenant we pass through ADFS using the X.509 certs from our cards, and that seems to be where this runs into an issue. We're having a real problem even getting a declarative statement from anyone that this just isn't possible unless that usage changes, and we could push for whatever changes (or additions) might be needed to get this working on our config, but we don't know what to ask for to be able to get it working (or to get some acceptable alternative put in place).
Jamie,
Have you, or your Microsoft personnel, opened a support case?
Hey Roy,
Yes, we've been working a case with Azure Identity support since October and haven't gotten anywhere. That's what spurred me to reach out here on the office hours, because it seems we may not have the right people engaged, and if I needed to I could request our TAM to reach out to other resources that might be able to provide us with more specific help on the options here.