Azure AD joined devices // ADSystemInfo call cannot locate DC

Basiel Deckers 1 Reputation point
2019-11-25T09:47:16.79+00:00

Hi,

We deploy our clients as Azure AD joined devices. Hybrid Azure AD joined devices would solve the problem I will describe below. However, this scenario would have downsides, as I have been told. Does anyone have some more info on what one would lose when choosing the Hybrid scenario?

The problem is that we have a certain software which does an IADsADSystemInfo::get_UserName() call when starting the application. It would retrieve the username this way and compare it on the backend with Active Directory, thus allowing or blocking access to the application.
Because it's an Azure AD joined device, this call does not work: it cannot locate the domain controller and thus fails in making this ADSystemInfo call.
What would be the preferred way to work around this problem? Thanks


5 answers

  1. MrAzureAD 81 Reputation points
    2019-11-25T15:13:52.863+00:00

    Hybrid joined devices are technically devices that are joined to Windows Server AD. So authentication of the device and the user will go to Windows Server AD.
    Hybrid join is added on top, so that Azure AD “knows” something about the device.
    On Azure AD joined devices, all interaction goes to Azure AD. Only if an application explicitly does Kerberos is a TGT pulled.
    I would say Hybrid join is quite a big step backward.
    Any chance to change that application?

    Greetings,
    MrAzureAD


  2. Basiel Deckers 1 Reputation point
    2019-11-25T16:08:28.01+00:00

    Unfortunately changing the application is not an option.

    So, you confirm that Azure AD joined devices can (and should) not be able to locate a domain controller?


  3. trevorseward 11,711 Reputation points
    2019-11-25T21:55:35.977+00:00

    Azure AD isn't Active Directory Domain Services, therefore it does not contain information like DNs, site information, domain controllers, and so on.

    These are your two options:

    • Use Azure AD hybrid join where the client PC is both Active Directory and Azure AD joined.
    • Change the application to support Azure AD-only joined devices.
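Added diagnostic example (not code from this thread, nor from the application in question): it makes the same ADSystemInfo COM call the application makes, reads the device's join state from dsregcmd /status, and reports which of the two explains the failure. The function names are my own.

```powershell
function Get-AdSystemInfoUserName {
    # Same late-bound COM call as IADsADSystemInfo::get_UserName().
    # On an Azure AD-only joined device it throws, because the call must
    # locate an AD DS domain controller and there is none to find.
    try {
        $adsi = New-Object -ComObject 'ADSystemInfo'
        $dn = $adsi.GetType().InvokeMember('UserName', 'GetProperty', $null, $adsi, $null)
        [pscustomobject]@{ Succeeded = $true;  UserName = $dn;   Error = $null }
    } catch {
        [pscustomobject]@{ Succeeded = $false; UserName = $null; Error = $_.Exception.Message }
    }
}

function Get-DeviceJoinState {
    # dsregcmd /status prints "AzureAdJoined : YES" style lines; pick the ones we need.
    $status = dsregcmd /status
    $pick = {
        param($name)
        $m = $status | Select-String -Pattern "^\s*$name\s*:\s*(.+?)\s*$" | Select-Object -First 1
        if ($m) { $m.Matches[0].Groups[1].Value } else { 'n/a' }
    }
    [pscustomobject]@{
        AzureAdJoined = & $pick 'AzureAdJoined'
        DomainJoined  = & $pick 'DomainJoined'
        DomainName    = & $pick 'DomainName'
    }
}

$join   = Get-DeviceJoinState
$lookup = Get-AdSystemInfoUserName
$join   | Format-List
$lookup | Format-List

if (-not $lookup.Succeeded -and $join.DomainJoined -ne 'YES') {
    # This is the situation described in the question: no on-prem join, so
    # ADSystemInfo has no domain controller to talk to.
    Write-Warning 'ADSystemInfo failed and the device is not AD DS joined; hybrid join or an application change is needed.'
    # The identity the device does have (local account or Azure AD user):
    [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
} elseif (-not $lookup.Succeeded) {
    Write-Warning 'Device is AD DS joined but the DC lookup still failed; check DC reachability/DNS rather than the join type.'
}
```

Run it on a client that shows the problem and on a domain-joined client to compare the two outputs.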

  4. Basiel Deckers 1 Reputation point
    2019-11-27T16:56:35.853+00:00

    When I don't have Azure AD hybrid join enabled -and- I join that client to the domain it works. Does anyone see a problem with such setup for the time being?


  5. Lukas Beran 176 Reputation points
    2019-11-30T11:38:42.923+00:00

    If you do Hybrid join, you are technically still connected to on-prem AD, so everything should work the same way: your computer knows your on-prem DCs. So if you go with hybrid join, your app should work as usual.

