I have a bit of a technical question: is it viable for hybrid joined devices to authenticate users via Entra during the login process, particularly for on-prem AD users, if Active Directory isn't accessible? This could be the case if someone is working remotely and isn't connected to a VPN. Just curious about the authentication options if there's no access to AD.
3 Answers
Nope, hybrid joined devices can’t use Entra for that. However, if you have an Entra-only joined device, a synced user can still access AD resources if cloud tokens are turned on. You might want to look into that if you're considering a shift!
Unfortunately, hybrid joined computers rely on Active Directory for authentication. If you're dealing with first-time logins or new passwords, you need visibility to a domain controller to cache those credentials. The DC must verify the new credentials first. If you’re grappling with remote access and DC visibility issues, transitioning to Entra-only joined devices could be the way to go. That way, you’d automatically have full access to domain resources without the hassle.
Thanks; I figured that was the case!
Ironically, our issues have been more related to Intune management not deploying during pre-logon due to the flaky VPN—especially on a few devices. We’re aiming to switch to Entra join only as we move towards AutoPilot soon; I hope that transition goes smoothly.
Honestly, I don’t think it’s possible. If AD isn’t reachable, the device will just use cached credentials instead. That seems to be the standard fallback since the computer needs access to a domain controller to handle new logins or password changes. It would usually just accept what’s saved if AD is down.
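The two answers above both come down to the same check: is the device hybrid joined, can it currently reach a domain controller, and if not, how many cached logons will Winlogon accept? The following PowerShell script is an added example for diagnosing exactly that on a given machine; it is not code from anyone in this thread. It assumes a domain-joined Windows device where `dsregcmd` and `nltest` are available, and reads the standard `CachedLogonsCount` value under the Winlogon key (Windows defaults to 10 when the value is absent).

```powershell
# Added example (not from the thread): report join mode, DC reachability and the
# cached-logon budget a hybrid joined device falls back to when AD is unreachable.
# Assumes: domain-joined Windows, dsregcmd.exe and nltest.exe on the PATH.

function Get-DsregValue {
    param([string[]]$StatusText, [string]$Name)
    # dsregcmd /status prints lines such as "AzureAdJoined : YES"
    $line = $StatusText | Select-String -Pattern "^\s*$Name\s*:\s*(\S+)" | Select-Object -First 1
    if ($null -eq $line) { return 'UNKNOWN' }
    return $line.Matches[0].Groups[1].Value
}

function Get-JoinState {
    $status = dsregcmd /status
    $azure  = Get-DsregValue -StatusText $status -Name 'AzureAdJoined'
    $domain = Get-DsregValue -StatusText $status -Name 'DomainJoined'
    $mode = if ($azure -eq 'YES' -and $domain -eq 'YES') { 'Hybrid joined' }
            elseif ($azure -eq 'YES')                    { 'Entra joined' }
            elseif ($domain -eq 'YES')                   { 'AD joined only' }
            else                                         { 'Not joined' }
    [pscustomobject]@{ AzureAdJoined = $azure; DomainJoined = $domain; Mode = $mode }
}

function Test-DomainControllerReachable {
    param([string]$Domain = $env:USERDNSDOMAIN)
    if ([string]::IsNullOrWhiteSpace($Domain)) { return $false }
    # nltest exits non-zero when no DC for the domain can be located (e.g. VPN down)
    $null = nltest /dsgetdc:$Domain 2>&1
    return ($LASTEXITCODE -eq 0)
}

function Get-CachedLogonsCount {
    # Number of previous interactive logons Windows keeps for offline sign-in
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $value = (Get-ItemProperty -Path $key -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $value) { return 10 }   # Windows default when the value is not set
    return [int]$value
}

$join  = Get-JoinState
$dcUp  = Test-DomainControllerReachable
$cache = Get-CachedLogonsCount

Write-Host "Join mode             : $($join.Mode)"
Write-Host "DC reachable          : $dcUp"
Write-Host "Cached logons allowed : $cache"

if ($join.Mode -eq 'Hybrid joined' -and -not $dcUp) {
    Write-Host 'No domain controller reachable: only users with a cached logon on this device can sign in.'
    Write-Host 'First-time logons and password changes will wait until a DC (or the VPN) is available.'
}
if ($join.Mode -eq 'Hybrid joined' -and $cache -eq 0) {
    Write-Host 'CachedLogonsCount is 0: every sign-in on this device requires a reachable DC.'
}
```

Run it from an elevated PowerShell session on the affected device; a hybrid joined result with `DC reachable : False` is the situation the answers describe, where Entra cannot step in and Winlogon relies solely on the cached verifier for users who have signed in before.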
Mostly just trying to figure out first-time user logins and the whole password expiry thing during sign-ins. Our VPN has been acting up during pre-logon, so I was wondering if ditching it might smooth things over, especially since cloud management is on the rise.

Do you have a link for more information on that?