If you join a device to Azure AD, you get SSO to cloud resources protected by Azure AD. If you are using a hybrid user (synchronized from your on-premise domain), you get an additional hidden gimmick. In general, it enables a lot of use cases where a company would like to move its authentication endpoints to cloud only but still has a few on-premise resources.
As you can see, my device is only joined to Azure AD and not joined to the local domain.
If I also check my Kerberos tickets by executing “klist”, I see that I have no Kerberos ticket, as expected.
But if I’m inside my company network and access a network share…
I get access without an authentication prompt and receive a Kerberos ticket:
Additionally, this also works for printers and web servers when adding the website to the intranet zone:
And even better for NTLM resources:
What happens here?
Just as in a workgroup, Windows can access other machines when the same user with the same password exists there. The key is that after you log in, Windows takes the password you entered and stores its LM and NT hashes in kernel memory, which are the same hashes Active Directory uses. Additionally, your username is the same as in the local Active Directory. So, when the file server requests authentication (Kerberos), the request can be signed with the local hash, and the Key Distribution Centre (KDC) will then be able to return a Kerberos ticket.
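As an added example (not code from the original post), the mechanism above worked through in Python: the NT hash Windows caches at logon is MD4 of the UTF-16LE password, the same value AD stores for the synchronized account, and Kerberos RC4-HMAC pre-authentication (RFC 4757, etype 23) needs nothing but that hash on both sides. The device/KDC exchange and the passwords are constructed; MD4 and RC4 are implemented inline because hashlib's MD4 is often disabled under OpenSSL 3.

```python
import hmac, hashlib, os, struct, time
M = 0xFFFFFFFF
def md4(msg: bytes) -> bytes:  # RFC 1320, only used to derive the NT hash
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & M
    fn = (lambda x, y, z: (x & y) | (~x & z), lambda x, y, z: (x & y) | (x & z) | (y & z),
          lambda x, y, z: x ^ y ^ z)
    ks = (list(range(16)), [(r % 4) * 4 + r // 4 for r in range(16)],
          [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15])
    ss, cs = ((3, 7, 11, 19), (3, 5, 9, 13), (3, 9, 11, 15)), (0, 0x5A827999, 0x6ED9EBA1)
    msg += b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", len(msg) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X, (a, b, c, d) = struct.unpack("<16I", msg[off:off + 64]), h
        for rnd in range(3):
            for r in range(16):
                t = (a + fn[rnd](b, c, d) + X[ks[rnd][r]] + cs[rnd]) & M
                a, b, c, d = d, rol(t, ss[rnd][r % 4]), b, c
        h = [(x + y) & M for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)
def nt_hash(password: str) -> bytes:  # cached by LSASS at logon; stored by AD for the synced user
    return md4(password.encode("utf-16-le"))
def rc4(key: bytes, data: bytes) -> bytes:
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i, j = (i + 1) & 0xFF, (j + S[(i + 1) & 0xFF]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)
def rc4_hmac(key: bytes, usage: int, data: bytes, decrypt: bool = False) -> bytes:
    # RFC 4757: K1 = HMAC-MD5(key, usage); chk = HMAC-MD5(K1, confounder||plain); K3 = HMAC-MD5(K1, chk)
    h = lambda k, m: hmac.new(k, m, hashlib.md5).digest()
    k1 = h(key, struct.pack("<I", usage))
    if not decrypt:
        plain = os.urandom(8) + data
        chk = h(k1, plain)
        return chk + rc4(h(k1, chk), plain)
    chk, plain = data[:16], rc4(h(k1, data[:16]), data[16:])
    if not hmac.compare_digest(h(k1, plain), chk):
        return None  # KDC_ERR_PREAUTH_FAILED: device and AD hashes (passwords) differ
    return plain[8:]
def kdc_accepts_preauth(device_password: str, ad_password: str) -> bool:
    # Device: PA-ENC-TIMESTAMP (key usage 1) under its cached hash; KDC: verify with AD's hash
    ts = time.strftime("%Y%m%d%H%M%SZ", time.gmtime()).encode()
    pa_data = rc4_hmac(nt_hash(device_password), 1, ts)
    return rc4_hmac(nt_hash(ad_password), 1, pa_data, decrypt=True) == ts
```

The mismatch branch is the case to watch operationally: once the on-premise password and the one the device was logged on with diverge, pre-authentication fails and the silent SSO stops. The example keys RC4-HMAC directly with the NT hash; AES etypes derive their keys from the password and a salt with PBKDF2, so the same-password argument still holds there but the NT hash itself is not the key.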
Things to think about
With the behavior shown above, we should think about whether a Hybrid Azure AD Join with Intune is required at all. In my opinion, the only benefit at the moment is the GPOs you get by using an Azure AD Hybrid Join. If you see other benefits, please comment on the blog or tweet @ThomasKurth_CH.