Azure AD Joined devices comms to on-prem services

  • Question

  • Hi

    Azure AD tenant with various domains added - companya.com, companyb.com.

    On-prem forest/domain for companya.com

    Azure AD joined Win10 devices.

    User signs in as usera@companya.com and can access resources on-prem such as fileserver.companya.com seamlessly.

    *********

    On-prem domain for companyb.com resides elsewhere.

    We don't wish to consolidate users from companyb into companya, nor do we have forest trusts. End goal being that both companya and companyb relinquish their on-prem AD forests and are pure cloud / Azure AD.

    We can configure Azure AD Connect in the companya on-prem forest to pull users from companyb.com (using an S2S VPN to target that DC). Understand that without forest trusts in place we could only do password hash sync and not PTA.

    When userb@companyb.com signs into a Win10 Azure AD joined device on their local network and has line of sight to dc.companyb.com and fileserver.companyb.com, would they be able to access their on-prem resources seamlessly also?

    Trying to understand the relationship between user signing in to Win10 azure ad joined device and their on-prem resources on their logically separate on-prem domain.

    Hope that's clear?

    So: common Azure AD tenant, Win10 Azure AD joined devices, but logically separate on-prem domains and on-prem resources which we wish to retain as separate for the immediate future, with a view to moving user and device (we can do) to the Azure AD tenant as primary auth.

    Tuesday, November 19, 2019 3:54 PM

All replies

  • Hello jamesturpin888

    As you have mentioned, you have an Azure AD tenant and users from both the domains are getting synced to the cloud. Everyone uses Windows 10 devices. Since you have two on-prem domains without any trust, users from one domain can only access on-prem resources within the same domain.

    When you say Azure AD joined devices, do you mean devices which are directly joined to Azure AD only, and their behavior while accessing on-premise servers for authentication? Since the devices are joined directly to Azure AD and are not hybrid-joined, I believe they are not joined to the on-premise domain. The output of dsregcmd /status will give you more information on the type of join.

    C:\Users>dsregcmd /status
    
    +----------------------------------------------------------------------+
    | Device State                                                         |
    +----------------------------------------------------------------------+
    
                 AzureAdJoined : YES
              EnterpriseJoined : NO
                  DomainJoined : NO
                    DomainName : 

    Coming to your question below.

    When userb@companyb.com signs into a Win10 Azure AD joined device on their local network and has line of sight to dc.companyb.com and fileserver.companyb.com, would they be able to access their on-prem resources seamlessly also?

    Short answer is yes, they will be able to, as long as you have password hash sync enabled and the user's password synced to Azure AD. As per the Azure AD device join planning guide, the on-prem network share can be accessed by a user provided the user has connectivity to a local DC whenever they are within the organisation's network. However, anything that requires machine authentication will not work, because the local Active Directory does not have a machine account for the Azure AD joined device.

    I have linked the answer to some online documentation which I would suggest going through, as it will provide you more clarification. Hope this answers your query. In case the information in the post is useful, please do mark it as answer so that it is helpful for other users in the community. If you still have any further queries, please feel free to let us know and we will be happy to help.

    Thank you. 


    Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!!

    Wednesday, November 20, 2019 2:37 PM
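A practical way to verify the behaviour the reply describes, as an added example that is not part of the original thread: run this on the Azure AD joined Win10 device as the signed-in companyb user to confirm the join type, whether a companyb.com DC is reachable, and whether the user actually holds an on-prem Kerberos TGT. It assumes dsregcmd /status prints "Key : Value" lines as shown in the reply, that klist lists cached tickets as "Server: krbtgt/REALM @ REALM", and that nltest is present; the realm name is a parameter.

```powershell
# Added check (not from the thread). Assumes dsregcmd /status output in the
# "Key : Value" form quoted above, and the standard klist / nltest output formats.

function Get-DeviceJoinState {
    # Parse dsregcmd /status into a hashtable (AzureAdJoined, DomainJoined, ...).
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(\w+)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-OnPremUserAuth {
    param([Parameter(Mandatory)][string]$Realm)   # e.g. 'companyb.com'

    $join = Get-DeviceJoinState
    $result = [ordered]@{
        AzureAdJoined = ($join['AzureAdJoined'] -eq 'YES')
        DomainJoined  = ($join['DomainJoined']  -eq 'YES')
        DcReachable   = $false
        UserTgt       = $false
    }

    # Line of sight to a DC: nltest returns a non-zero exit code when no DC
    # for the domain can be located from this network.
    nltest "/dsgetdc:$Realm" *> $null
    $result.DcReachable = ($LASTEXITCODE -eq 0)

    # With password hash sync the user's on-prem credential still works, so a
    # krbtgt ticket for the realm appears once a resource such as
    # \\fileserver.companyb.com has been accessed.
    $pattern = 'krbtgt/' + [regex]::Escape($Realm.ToUpper())
    $result.UserTgt = [bool]((klist) | Where-Object { $_ -match $pattern })

    # A pure Azure AD join (AzureAdJoined=YES, DomainJoined=NO) has no machine
    # account in the on-prem AD, so machine-authenticated access is expected to fail.
    $result.MachineAuthPossible = $result.DomainJoined

    return [pscustomobject]$result
}

Test-OnPremUserAuth -Realm 'companyb.com' | Format-List
```

Run it once before and once after opening the file share: UserTgt flipping to True while MachineAuthPossible stays False is exactly the "user access works, machine authentication does not" outcome described in the reply.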