AzureAD Joined Device and Kerberos???

If you join a device to Azure AD, you get SSO to cloud resources protected by Azure AD. If you are using a hybrid user (synchronized from your on-premises domain), you get an additional hidden gimmick. In general, it covers a lot of use cases where a company would like to move its authentication endpoints to cloud only, but still has a few on-premises resources.

As you can see, my device is only joined to Azure AD and not to the local domain.

If I also check my Kerberos tickets by executing “klist”, I see that I have no Kerberos ticket, as expected.

But if I’m inside my company network and access a network share…

I get access without an authentication prompt and receive a Kerberos ticket:

Additionally, this also works for printers and web servers once the website is added to the intranet zone:

And even better for NTLM resources:

What happens here?

As when you are working in a workgroup, Windows can access other machines when the same user with the same password exists there. The clue is that after you log in, Windows takes the password you entered and stores its LM and NT hashes in kernel memory, which are the same hashes Active Directory uses. Additionally, your username is the same as in the local Active Directory. So, when the file server requests authentication (Kerberos), the request can be signed with the local hash, and the Key Distribution Center (KDC) will then be able to return a Kerberos ticket.
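The walk-through above (check the join state, run klist, touch a share, run klist again, and put the web server into the intranet zone) can be scripted so the behavior is reproducible on any test device. The following PowerShell is an added example and not code from the original post; the share path `\\fs01.corp.example\share` and the DNS suffix `corp.example` are placeholders you need to replace with your own, and it is meant to be run as the hybrid user on the Azure AD joined device while connected to the corporate network.

```powershell
# Added example (not from the original post): reproduce the SSO check described above on an
# Azure AD joined device with a hybrid user. Placeholders: \\fs01.corp.example\share and corp.example.

function Get-FirstCapture {
    # Small helper: return group 1 of the first line matching $Pattern, or 'UNKNOWN' if none matches.
    param([string[]]$Lines, [string]$Pattern)
    $m = $Lines | Select-String -Pattern $Pattern | Select-Object -First 1
    if ($m) { return $m.Matches[0].Groups[1].Value.Trim() }
    return 'UNKNOWN'
}

function Get-DeviceJoinState {
    # dsregcmd /status prints "AzureAdJoined : YES" and "DomainJoined : NO" for a pure Azure AD join.
    $status = dsregcmd /status
    [pscustomobject]@{
        AzureAdJoined = Get-FirstCapture -Lines $status -Pattern '^\s*AzureAdJoined\s*:\s*(\w+)'
        DomainJoined  = Get-FirstCapture -Lines $status -Pattern '^\s*DomainJoined\s*:\s*(\w+)'
    }
}

function Get-KerberosTicketServers {
    # klist lists the cached tickets; each "Server:" line names a service we hold a ticket for.
    klist | Select-String -Pattern '^\s*Server:\s*(.+)$' |
        ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() }
}

function Test-ShareSso {
    # Compares the ticket cache before and after touching the share; with a hybrid user on the
    # corporate network the share should open silently and a new cifs/ ticket should appear.
    param([Parameter(Mandatory)][string]$SharePath)

    $before = @(Get-KerberosTicketServers)
    Write-Host "Tickets before access: $($before.Count)"

    # Touching the share triggers SMB authentication (no prompt expected in the hybrid-user case).
    $reachable = Test-Path -LiteralPath $SharePath

    $after = @(Get-KerberosTicketServers)
    Write-Host "Share reachable: $reachable"
    Write-Host "Tickets after access:  $($after.Count)"
    $after | Where-Object { $_ -notin $before } | ForEach-Object { Write-Host "  new ticket for $_" }
    return $reachable
}

function Add-IntranetZoneMapping {
    # Places a DNS suffix into the Local Intranet zone for the current user, so that integrated
    # Windows authentication is attempted automatically for web servers and printers under it.
    param([Parameter(Mandatory)][string]$DnsSuffix)
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$DnsSuffix"
    New-Item -Path $key -Force | Out-Null
    # Value name '*' covers all schemes; DWORD 1 = Local intranet zone.
    Set-ItemProperty -Path $key -Name '*' -Value 1 -Type DWord
}

$join = Get-DeviceJoinState
Write-Host "AzureAdJoined=$($join.AzureAdJoined) DomainJoined=$($join.DomainJoined)"
if ($join.DomainJoined -eq 'YES') {
    Write-Warning 'Device is domain joined; this is not the Azure AD-join-only scenario described.'
}

Test-ShareSso -SharePath '\\fs01.corp.example\share' | Out-Null
Add-IntranetZoneMapping -DnsSuffix 'corp.example'
```

Run it once from the corporate network and once from outside: only the first run should report a new `cifs/...` ticket, which is the observable difference between the two cases. The zone mapping is written per user under HKCU; in a managed environment you would normally push the same mapping centrally instead of setting it on each device.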

Things to think about

With the behavior shown above, we should ask whether a Hybrid Azure AD Join with Intune is required at all. In my opinion, the only benefit at the moment is the GPOs you get by using an Azure AD Hybrid Join. If you see other benefits, please comment on the blog or tweet @ThomasKurth_CH.

Special thanks to @John_Craddock for the hints during the Identity MasterClass. I highly recommend his MasterClass to everybody who is working with Active Directory and Azure AD.

Thomas Kurth

Principal Workplace Consultant at baseVISION AG
I have been a consultant, trainer and architect for modern workplace and enterprise mobility projects with Microsoft technologies for the past eight years. I love to push and design the modern workplace based on Windows 10, EM&S and O365 for my customers, which is the only answer to the current security threats, the agile world and the fast-changing business requirements of my customers. Important for me is to simplify and automate the operational processes, because that is where the highest costs are.

Enterprise Administrator Expert, MCT, MCE