I'm trying to set up a system where users can log into our on-prem resources using only their Entra ID accounts, without going hybrid. The identities are currently synced from on-prem using AAD Connect. Our servers are compatible and fully patched. Is the following the correct approach to achieve this?
1. Enable Cloud Kerberos Trust by setting the custom OMA-URI.
2. Set CloudKerberosTicketRetrievalEnabled to true through its custom OMA-URI.
3. Install the AzureADHybridAuthenticationManagement module.
Would appreciate any advice or confirmation on this!
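The three steps above, as an added PowerShell example of the server-side object creation plus a client-side check that the two OMA-URI policies actually landed. This is not code from the thread or from Microsoft's guide; the domain, cloud UPN, tenant ID and the registry path the Kerberos policy CSP writes to are placeholders or assumptions.

```powershell
# --- Step 3: the module's purpose is to create/verify the Kerberos server object ---
# Run on a domain-joined admin box with a Domain Admin cred and a cloud admin account.
Install-Module -Name AzureADHybridAuthenticationManagement -AllowClobber -Scope CurrentUser

$domain     = 'corp.example.com'               # placeholder: on-prem AD domain
$cloudUpn   = 'admin@example.onmicrosoft.com'  # placeholder: Entra ID admin UPN
$domainCred = Get-Credential -Message 'On-prem Domain Admin (DOMAIN\user)'

# Creates the AzureADKerberos computer object and the krbtgt_AzureAD account in AD
# and publishes the key to Entra ID. Rotate the key later with -RotateServerKey.
Set-AzureADKerberosServer -Domain $domain -UserPrincipalName $cloudUpn -DomainCredential $domainCred

# Verify: KeyVersion and CloudKeyVersion should match; Id/CloudId should be populated.
Get-AzureADKerberosServer -Domain $domain -UserPrincipalName $cloudUpn -DomainCredential $domainCred

# --- Steps 1 and 2: confirm the Intune policies applied on a client ---
# Step 1 OMA-URI: ./Device/Vendor/MSFT/PassportForWork/<TenantId>/Policies/UseCloudTrustForOnPremAuth
# Step 2 OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Kerberos/CloudKerberosTicketRetrievalEnabled
function Test-CloudKerberosTrustClient {
    # Assumption: the Kerberos policy CSP writes this DWORD under the LSA Kerberos parameters key.
    $kerbKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    $retrieval = (Get-ItemProperty -Path $kerbKey -Name CloudKerberosTicketRetrievalEnabled `
                  -ErrorAction SilentlyContinue).CloudKerberosTicketRetrievalEnabled

    # The end-to-end effect of step 1: after an Entra ID sign-in the client should hold a
    # partial TGT for the on-prem domain, shown as "OnPremTgt : YES" in the SSO state.
    $status = dsregcmd /status
    $m = $status | Select-String -Pattern '^\s*OnPremTgt\s*:\s*(\w+)' | Select-Object -First 1
    $onPremTgt = if ($m) { $m.Matches[0].Groups[1].Value } else { 'UNKNOWN' }

    [pscustomobject]@{
        TicketRetrievalEnabled = ($retrieval -eq 1)
        OnPremTgtIssued        = ($onPremTgt -eq 'YES')
    }
}

Test-CloudKerberosTrustClient
```

If OnPremTgtIssued is false while TicketRetrievalEnabled is true, check that the device is Entra joined, that the user is synced with Entra Connect, and that the KeyVersion/CloudKeyVersion pair from Get-AzureADKerberosServer matches.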
3 Answers
We just followed the Microsoft guide as well and didn’t run into any problems with our implementation. Everything went smoothly for us!
Could you provide a bit more detail on any issues you're facing? If it's not working, what errors are you seeing? Simply stating that it isn't functioning is a little vague!
Yeah, following the Microsoft guide is the way to go, and your plan looks solid! We've been running it for about 8 months without any authentication issues. Here's the link to the guide again for reference: https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust?tabs=intune
Thanks for the info! Does your setup work without needing the WHFB PIN and biometric authentication? We want to avoid those options.