I don't understand how to handle this case:
A laptop is joined to Azure-AD and the user logs in with a PIN-code (for example). This part works fine.
Now the user needs to work with the on-premise domain too. The on-premise AD is synced with Azure-AD using AAD Connect Provisioning Agent Wizard. The NPS Exension for Azure AD is installed so the on-premise Domain Controller can access Azure to authenticate. The Azure users have a Azure AD Premium license.
Now, when the user logs in, the laptop is not logged in to the on-premise AD, right? There are no policies applied, no loginscripts, etc. A LOB-application that connects to a on-premise SQL-server might not accept this user with integraded Windows-authentication because of that.
What is a solution then? Can I join the laptop to the on-premise domain at the same time? If so, how does login work then (what account)?
I know that I can make this work with a RDS-server. Then, if a users logs in, he or she uses his username and password (which is the same in AAD and AD) and NPS Exension for Azure AD is used to authenticate. But what if you don't use RDS and just need to login on the on-premise domain? For example: to use a fileshare or SQL-server that requires Windows-authentication?
Best Answer
You cannot create users in Azure AD and sync them (back) to on-premises AD. However, you can setup your on-premises AD objects with the same UPN and SMTP addresses that are set in Azure AD. Then you can use Azure AD connect to use SMTP matching and synchronise your AD to Azure AD. I think this will grant them the required permissons on shares that need windows authentication. Test on one user before.
https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-existing-tenant