I've started joining some Surface devices to Entra, but I'm running into trouble with users not being able to sign in while connected to our network. They can sign in without issues when they're off-network using a hotspot.
Initially, I suspected that our firewall might be the culprit, but my logs show that nothing is being blocked. I can see the devices trying to connect to login.microsoftonline.com in my logs.
We're still using on-premises domain controllers and are syncing our AD accounts to Entra with a sync tool. Since the devices are mostly virtualized, they don't need to be domain-joined, but we need them to sign in via Entra.
Does anyone have any ideas on what could be causing these issues? Do the devices need to be hybrid joined for any specific reason?
3 Answers
When you say users can't connect, are they unable to access any on-prem resources? Are they being prompted for a username? From my experience in managing hybrid Azure/On-Prem setups, there can be confusion about what needs local authentication versus what uses SSO. Sometimes it helps to treat connected devices like they're on a non-domain joined system and ensure users know how to enter their credentials correctly.
No, I mean the laptops can't sign in with Entra credentials while connected to our network.
It’s often a DNS issue. When the devices are connected to your domain network, check which servers they're using for authentication. I suspect your local domain controller might be handling the authentication requests and may not be set up to forward them to Entra properly. Also, since the devices work fine on guest Wi-Fi, it points to DNS configuration issues since guest Wi-Fi bypasses the internal DNS.
Yeah, I had one of the techs connect to guest Wi-Fi and it works as well. I think it does have something to do with our DNS.
Just to confirm, these devices aren’t joined to the on-premises Active Directory, right? Because it’s important to clarify that, especially if there are LDAP connections being made to your DCs for some reason.
Correct, they are only Entra joined. I don't want them hybrid joined, but I'm seeing some LDAP activity to the DCs.
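A way to test the DNS hypothesis raised in the thread, as an added example that is not from any of the posters: run it on an affected Surface while on the corporate network; it compares what the internal DNS server and a public resolver return for the Entra sign-in endpoints, flags empty or private (RFC 1918) answers, and checks TCP/443. `$CorpDns` is a placeholder for your internal DNS server and `1.1.1.1` is only the comparison resolver.

```powershell
# Added example, not from the thread. Compares corporate vs public DNS answers for the
# Entra sign-in endpoints, flags empty/private answers, and checks TCP/443 reachability.
# Assumptions: $CorpDns is a placeholder for your internal DNS server; 1.1.1.1 is only
# the public comparison resolver. Run from an affected device on the corporate network.
param(
    [string]$CorpDns   = '10.0.0.10',   # placeholder: your internal DNS server
    [string]$PublicDns = '1.1.1.1'
)

# login.microsoftonline.com is the host seen in the firewall logs; the other two are the
# device-registration hosts an Entra-joined device also contacts.
$endpoints = @(
    'login.microsoftonline.com',
    'device.login.microsoftonline.com',
    'enterpriseregistration.windows.net'
)

function Get-ARecords {
    param([string]$Name, [string]$Server)
    try {
        # -ErrorAction Stop turns NXDOMAIN / SERVFAIL into a catchable exception
        Resolve-DnsName -Name $Name -Type A -Server $Server -ErrorAction Stop |
            Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
    } catch { @() }
}

function Test-PrivateAddress {
    param([string]$Ip)
    # RFC 1918 ranges; a public Entra endpoint should never resolve to one of these
    return $Ip -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)'
}

# Confirm the join state and which resolvers the DNS client is actually using
dsregcmd /status | Select-String 'AzureAdJoined|DomainJoined|WorkplaceJoined'
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object ServerAddresses | Format-Table InterfaceAlias, ServerAddresses

foreach ($fqdn in $endpoints) {
    $corp   = @(Get-ARecords -Name $fqdn -Server $CorpDns)
    $public = @(Get-ARecords -Name $fqdn -Server $PublicDns)
    $issue  = 'ok'
    if ($corp.Count -eq 0) { $issue = 'NO ANSWER from corporate DNS' }
    elseif ($corp | Where-Object { Test-PrivateAddress $_ }) { $issue = 'PRIVATE address from corporate DNS (split-brain or interception)' }
    # TCP check uses the device's own configured resolver, i.e. the real sign-in path
    $tcp = Test-NetConnection -ComputerName $fqdn -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{ Endpoint = $fqdn; Corporate = ($corp -join ','); Public = ($public -join ','); Issue = $issue; Tcp443 = $tcp }
}
```

A row showing no answer or a private address from the corporate resolver, while the public resolver returns normal addresses, points at the internal DNS configuration rather than the firewall.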