I'm currently managing an on-premises Active Directory while also using Office 365 for email and Teams. I have Entra Cloud Connect set up to send passwords to Microsoft, but there's no password write-back enabled. All of our machines are domain-joined, and most of our remote workers are connected through a site-to-site VPN, giving them access to the domain controllers.
As our remote workforce grows, I need to disable some accounts on occasion. I know I can block sign-in via O365, but my HR team is concerned about users being able to log into their computers since the credentials might be cached locally. I can interact with machines through RMM, but that only works if they're online; otherwise, I'm just deleting registry entries.
I'm trying to determine the best steps to take in managing these computers, especially for those not on a VPN. It seems like hybrid-joining them to Entra AD might be necessary, but I'm unsure how this transition will go and whether I should switch from Entra Cloud Connect to Entra AD Connect. I'm also curious if we have the proper licenses for all this, especially when suggesting Business Premium to management.
I really want to grasp the full picture of how everything works, not just get step-by-step instructions. Any insights into how I should proceed would be greatly appreciated!
4 Answers
The crux here isn't just about syncing identities; it's about how you manage devices. If you're sticking with domain-joined machines and have no MDM in place, local cached credentials will always let users log in offline. You might want to consider moving toward a hybrid setup where devices can be managed by Entra and potentially utilize Intune for remote capabilities like locking or wiping. An IT asset management tool could also shed light on your current configurations and licensing landscapes before deciding on moving forward with a hybrid approach.
Check if your RMM tool can help clear cached credentials. The delay in disabling accounts is common, especially since IT often can't act until HR gives the green light. As for the Business Premium plan, it's around $22 per user, which covers more than just Office licenses; it might help show your management why it’s a good investment.
You might also look into disabling cached credentials through Group Policy, but this requires an always-on VPN for users who are not in the office. We've limited cached logins to one credential in our company for better security, but this can complicate access when users are traveling, so weigh the risks accordingly.
Have you considered implementing an infrastructure tunnel, also known as always-on VPN? This would integrate VPN connections into the startup process, allowing Group Policy and authentication to function even remotely. If the laptop is online, it effectively becomes part of your network, enabling access restrictions only to essential services like domain controllers.

That sounds like a solid plan! In our setup, we use the Cisco Secure client without the pre-login option, which simplifies things.