7 Replies

  • The benefit is you can communicate with AD and AAD at the same time.

    The downside is exactly what you're questioning: what wins out at any given time, Intune or GP. That's if it doesn't randomly puke and fail to auth a workstation login, for seemingly no reason.

    Hybrid-join should just be consumed by fire. I'm a big AAD-join fan if you can make the leap, it's amazing for so many modern auth reasons. Otherwise stay AD-join. Hybrid-join was an OK idea, I get it, but it's the worst of both worlds, it's just awful.

  • Wow. We like Hybrid-Join. The main benefit is allowing us to keep our local AD infrastructure and still get the benefits of Azure. We have moved all third-party web services to Azure authentication based on membership in local AD security groups. Users can log on to campus resources and cloud resources using the same credentials. Azure also has lots of other benefits depending on your licensing level.

  • You can create a configuration profile in Intune to specify whether Intune policies settings are used over group policy. The configuration setting is called "Control Policy Conflict".

  • Sorry guys, my bad explanation. So I want to know whether a user who hasn't got any cached credentials on the laptop can log in to the hybrid-joined machine from home using their email?

  • If cached credentials are disabled on a hybrid-joined machine, then the user will not be able to log into the laptop until a network connection is made to allow it to communicate with a domain controller.

    With cached credentials enabled, the user can log in and access apps in the Office 365 cloud, and the hybrid-join status can be used as a factor for allowing conditional access (so you could limit access to Office 365 apps/data to your domain machines when not on a trusted network).

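As an added example, not code from anyone in this thread: a PowerShell check for the condition the reply above describes, reading the machine's join state (from `dsregcmd /status`-style output) and the `CachedLogonsCount` value that "Interactive logon: Number of previous logons to cache" sets, to report whether a domain user could sign in with no domain controller reachable. The `dsregcmd` lines in the script are a constructed sample so it can be read offline; the function names are my own.

```powershell
# Added example: can this hybrid-joined laptop sign a domain user in without a DC?
# Assumes Windows 10/11; run as an administrator so the Winlogon key is readable.

function Get-JoinState {
    param([string[]]$StatusText)
    # dsregcmd /status prints "Key : Value" lines; keep only the join flags.
    $state = @{}
    foreach ($line in $StatusText) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|EnterpriseJoined)\s*:\s*(YES|NO)\s*$') {
            $state[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }
    return $state
}

function Get-CachedLogonCount {
    # "Number of previous logons to cache" is stored here; the default is 10.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $value = (Get-ItemProperty -Path $key -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $value) { return 10 }   # value absent means the default applies
    return [int]$value                     # stored as REG_SZ, hence the cast
}

function Test-OfflineLogonPossible {
    param([hashtable]$JoinState, [int]$CachedLogons)
    # Hybrid join = AD-joined and Azure AD-joined at the same time.
    $hybrid = [bool]$JoinState['AzureAdJoined'] -and [bool]$JoinState['DomainJoined']
    [pscustomobject]@{
        HybridJoined         = $hybrid
        CachedLogonsAllowed  = $CachedLogons
        # With 0 cached logons a domain user cannot sign in until a DC is reachable.
        OfflineLogonPossible = $hybrid -and ($CachedLogons -gt 0)
    }
}

# Constructed sample of the relevant dsregcmd /status lines; replace with
# (dsregcmd /status) to inspect the machine the script runs on.
$sample = @(
    '      AzureAdJoined : YES',
    ' EnterpriseJoined : NO',
    '     DomainJoined : YES'
)
$joinState = Get-JoinState -StatusText $sample
Test-OfflineLogonPossible -JoinState $joinState -CachedLogons (Get-CachedLogonCount)
```

On a machine where the policy has been set to 0, `OfflineLogonPossible` comes back `False`, which is the "no DC, no login" situation the reply warns about.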
  • Hmmm. If you don't have cached credentials, you have to talk to a DC. You could possibly address this by placing a DC (preferably a RODC) on Azure and making it accessible from the Internet, or opening a hole in the firewall to your internal DC, but both seem like really Bad Ideas to address this.

    The best old-school solution might be to allow cached credentials with 15-character passwords.

    Or, since you will be using Azure, you might be able to go new-school and use Microsoft Authenticator on their phone to enable passwordless authentication. When they try to log in, a message appears on their phone saying something like, "You are trying to log in. Select OK to complete login". They hit OK on their phone and they're in. You can also implement Windows Hello through Azure, which enables a PIN instead of a password and other options.

    I do passwordless for cloud authentication, but have not tried it for logging onto remote machines. We allow cached credentials with complex passwords and do hard-drive encryption on laptops which might be remote.

    This was also addressed at https://community.spiceworks.com/topic/2277001-does-azure-ad-hybrid-allow-users-to-login-to-ad-machi...

  • This is also interesting...
