Question about AAD joined computer user login authentication

  • Question

  • Hello,

    We sync our on-premises directory to AD and enabled ADFS, and the password hash is not synced to AAD.

    In this case, we found something interesting: we joined a Windows 10 computer to AAD, and the user is able to log in to this AAD joined computer via their domain credential.

    And if they change the password on the on-premises AD, they can use the new password to log in to the computer.

    But as far as I know, AAD doesn't have the password hash sync, and during the Windows 10 login no ADFS login page shows up,

    so how does AAD know the password, and how does the authentication work?

    Thanks

    Monday, August 19, 2019 6:27 AM

Answers

  • I got the answer from the Azure AD team.

    1. User enters credential in the Windows logon UI
    2. Credential passed to the cloud AD plug-in for authentication: the plug-in knows the Azure AD tenant and the ADFS server
    3. ADFS uses local AD to validate the credentials, and sends back a SAML token to Azure AD
    4. Azure AD will authenticate the user by verifying the SAML token obtained from AD FS. After authentication Azure AD will build a PRT with both user and device claims and will return it to Windows.

    • Marked as answer by Jerry So Monday, August 26, 2019 7:44 AM
    Monday, August 26, 2019 7:44 AM
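The four steps above as a simulation (an added example, not code from the original thread or from Microsoft): the on-premises password hash never leaves AD, ADFS issues a signed assertion after checking the credential locally, and Azure AD issues a PRT only after verifying that signature against the trusted ADFS signing key. The hostnames, the HMAC stand-in for the ADFS token-signing certificate, the SHA-256 stand-in for AD's own password hash, and the placeholder tenant and device ids are assumptions.

```python
import hmac, hashlib, json, time

# Constructed sample data. The hash lives only in on-premises AD; Azure AD never sees it.
ON_PREM_AD = {"alice@corp.example": hashlib.sha256(b"Winter2019!").hexdigest()}
ADFS_ISSUER = "https://adfs.corp.example/adfs/services/trust"        # assumed hostname
ADFS_SIGNING_KEY = b"adfs-token-signing-key-demo"  # stand-in for the ADFS signing certificate
TRUSTED_ISSUERS = {ADFS_ISSUER: ADFS_SIGNING_KEY}  # the federation trust configured in Azure AD

def sign(claims: dict, key: bytes) -> str:
    body = json.dumps(claims, sort_keys=True)
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def verify(token: str, key: bytes):
    body, _, sig = token.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.loads(body) if hmac.compare_digest(sig, expected) else None

# Step 3: ADFS validates the credential against local AD and returns a signed token.
def adfs_authenticate(upn: str, password: str):
    stored = ON_PREM_AD.get(upn)
    presented = hashlib.sha256(password.encode()).hexdigest()
    if stored is None or not hmac.compare_digest(stored, presented):
        return None
    return sign({"iss": ADFS_ISSUER, "upn": upn, "iat": int(time.time())}, ADFS_SIGNING_KEY)

# Step 4: Azure AD checks the token signature and builds a PRT with user and device claims.
def azure_ad_issue_prt(saml_token: str, device_id: str, tenant: str):
    if "." not in saml_token:
        return None
    issuer = json.loads(saml_token.rpartition(".")[0]).get("iss")
    key = TRUSTED_ISSUERS.get(issuer)          # issuer only selects the key; signature decides
    claims = verify(saml_token, key) if key else None
    if claims is None:
        return None
    return {"tid": tenant, "upn": claims["upn"], "device_id": device_id, "amr": ["fed"]}

# Steps 1-2: the logon UI hands the credential to the cloud plug-in, which knows tenant and ADFS.
def windows_logon(upn, password, device_id="DEVICE-ID-PLACEHOLDER", tenant="TENANT-ID-PLACEHOLDER"):
    token = adfs_authenticate(upn, password)
    return azure_ad_issue_prt(token, device_id, tenant) if token else None

# A password change on-premises takes effect immediately, with no hash sync to Azure AD.
def change_on_prem_password(upn: str, new_password: str):
    ON_PREM_AD[upn] = hashlib.sha256(new_password.encode()).hexdigest()
```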

All replies

  • Hi,

    When you choose this authentication method, Azure AD hands off the authentication process to the on-premises Active Directory Federation Services (AD FS) to validate the user’s password.

    https://docs.microsoft.com/en-us/microsoft-365/education/deploy/aad-connect-and-adfs#targetText=AAD%20Connect%20with%20Passthrough%20Authentication&targetText=Azure%20Active%20Directory%20(Azure%20AD,applications%20using%20the%20same%20passwords.


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. My blog: http://cloudskillz.wordpress.com/

    Monday, August 19, 2019 11:11 AM
  • Well, actually Azure AD does support Password Hash Synchronization. To know more about how to implement the same, you can check this document.

    As for the devices joined to Azure AD and the password change of the users - If a password is changed outside the corporate network (for example, by using Azure AD SSPR), then the user's sign-in with the new password will fail. For hybrid Azure AD joined devices, on-premises Active Directory is the primary authority. When a device does not have line of sight to the domain controller, it is unable to validate the new password. So, the user needs to establish a connection with the domain controller (either via VPN or being in the corporate network) before they're able to sign in to the device with their new password. Otherwise, they can only sign in with their old password because of the cached sign-in capability in Windows. However, the old password is invalidated by Azure AD during token requests and hence prevents single sign-on and fails any device-based Conditional Access policies.

    ----------------------------------------------------------------------------------------------

    Do click on "Mark as Answer" on the post that helps you, this can be beneficial to other community members.
     

    Monday, August 19, 2019 11:37 AM