Azure-docs: What about machines already joined to an on-premises Active Directory?

Created on 4 Oct 2019 · 14 Comments · Source: MicrosoftDocs/azure-docs

It would be good to mention on this page what the case is with PCs that are already joined to a domain.

I'm working through a case with OneDrive Known Folder Move not working.

This article is linked. I assumed that as we had Azure Active Directory Synchronization working, and UPNs were identical, this prerequisite was handled. As there's no discussion of Group Policy here, or of domain-joined PCs, this leaves a big gray area. Can we fill this with light? Thank you!

    == John ==


All 14 comments

@jgwinner Thank you for your query. We will investigate and update this thread.

@jgwinner, The only other way to achieve this would be to get the machines Hybrid Azure AD joined. You can find the steps in the following article: https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-managed-domains

Ok.

Then something is wrong ... NONE of the documentation about prompted KFM mentions the requirement to be Hybrid Azure AD joined.

Is this a hard requirement?

I would have thought that having SSO configured with AD to Azure AD synchronization setup and working, that there wouldn't be a need to join Azure AD. I mean, the idea with Azure AD is to give an SSO experience, not to drive GPO.

Seconded. I spent around 3 hours trying to get the silent configure to work before I found the bit about Azure or Hybrid being required.

On another thread I just had an MS support person say SSO was _not_ required. They then mentioned AD FS.

So now we need AD Federated Services in addition to AD Hybrid?

All of this has to be documented properly.

Does Microsoft not need to sell Windows Server anymore? I can advise my clients to return 50 user licenses?

You guys really, really need to test as a user would test, including creating a brand new O365 tenant, not just 'adding an account' during testing. The admin accounts get an "onmicrosoft.com" SMTP address that does lovely things to the SSO sync that messes up the KFM also.

On MS Communities, they just implied that Hybrid is required; this requires an additional subscription.

Is this really required to get the Prompted or Silent to work automatically with the user's credentials? This requires an expenditure so I'd think it really needs to be mentioned, and exactly what level of Azure Active Directory is required.

@jgwinner, I can understand that these features like Seamless SSO or Hybrid Azure AD join can get fairly confusing. Based on your query you shared with us, I see that you have PCs that are already joined to your On-Prem AD domain. Now to get the SSO experience, you can opt for one of the following features:

  • Seamless Single SignOn
  • Hybrid Azure AD join

Both of these features provide SSO, but the SSO experience is what differs, and it's because the way these get set up is different.

Having said that, I am sharing some more detailed information below, that I believe would help you understand these features and help you choose the one that suits best for your environment.

Seamless SSO: It helps in automatically signing in users when they are accessing a corporate app (Azure AD registered apps) on their corporate devices that are connected to the corporate network. On a broader note, the SSO experience here is that the user only has to enter the username and no password is required, as that is something that Seamless SSO takes care of automatically for the Azure AD registered apps. This feature provides the users easy access to your cloud-based apps without the need for any separate on-premises components like ADFS.

Important points to note:
• Seamless SSO can be used with either Password Hash Sync or Pass-Through Auth methods of user sign-ins
• Seamless SSO doesn’t work with ADFS.
• Seamless SSO needs the user's device to be domain joined, but not Azure AD joined.
• In case you are using Windows 10, it is advisable to use Azure AD join feature.

You can read more on how the Seamless SSO works in detail here: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-how-it-works

Azure AD joined devices: With the proliferation of devices of all shapes and sizes and the Bring Your Own Device (BYOD) concept, IT professionals are faced with two somewhat opposing goals:

• Allow end users to be productive wherever and whenever
• Protect the organization's assets

To protect these assets, IT staff need to first manage the device identities. IT staff can build on the device identity with tools like Microsoft Intune to ensure standards for security and compliance are met. Azure Active Directory (Azure AD) enables single sign-on to devices, apps, and services from anywhere through these devices.

This feature has three options available to get a device in Azure AD:

Azure AD registered: Devices that are Azure AD registered are typically personally owned or mobile devices, and are signed into with a personal Microsoft account or another local account.
• Windows 10
• iOS
• Android
• MacOS

Azure AD joined: Devices that are Azure AD joined are owned by an organization, and are signed in to with an Azure AD account belonging to that organization. They exist only in the cloud.
• Windows 10

Hybrid Azure AD joined: Devices that are hybrid Azure AD joined are owned by an organization, and are signed in to with an Azure AD account belonging to that organization. They exist in the cloud and on-premises.
• Windows 7, 8.1, or 10
• Windows Server 2008 or newer
Hybrid Azure AD joined: If you already have an on-prem environment setup and that is operational with computers joined to your on-prem domain, and you also want to experience the benefits of Azure AD, Hybrid Azure AD join should be your option. These devices are joined both to your on-prem AD as well to Azure AD.
It provides SSO to both cloud and on-premises resources.

Use Azure AD hybrid joined devices if:

• You have Win32 apps deployed to these devices that rely on Active Directory machine authentication.
• You want to continue to use Group Policy to manage device configuration.
• You want to continue to use existing imaging solutions to deploy and configure devices.
• You must support down-level Windows 7 and 8.1 devices in addition to Windows 10

In case of Hybrid Azure AD join devices, there can be three different types of implementations:

  1. Configure Hybrid Azure AD join manually
  2. Configure Hybrid Azure AD join for Federated Domains
  3. Configure Hybrid Azure AD join for Managed Domains

You can also refer to the following link to plan your Hybrid Azure AD implementation: https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan

I totally agree that this is a lot of information that I shared with you in this thread. But we are here to help you better, and hence once you go through this response, in case there are any more queries that come up, please feel free to share the same with us so that we can help you with those queries and help you with the planning and implementation of these features.
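The comment above distinguishes on-prem domain joined, Azure AD joined and hybrid Azure AD joined devices, and the thread's practical question is which state a given PC is actually in. The following PowerShell is an added example, not from this thread or from Microsoft's docs: it parses `dsregcmd /status` (the built-in Windows 10 device-registration tool) to classify the join state and reads the OneDrive policy registry location to see whether silent account configuration has been pushed by GPO. The registry value names and dsregcmd field names are assumed to match the ones shipped with Windows 10 and the OneDrive ADMX templates.

```powershell
# Added example (not from the thread or Microsoft docs): classify a Windows device's
# join state and check whether the OneDrive silent account configuration policy is set.
# Assumes dsregcmd.exe (Windows 10) and the OneDrive GPO registry location.

function Get-JoinState {
    # dsregcmd /status prints "Key : Value" lines; keep only the fields we need.
    $raw = & dsregcmd.exe /status 2>$null
    $state = @{}
    foreach ($line in $raw) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|TenantName|DeviceId)\s*:\s*(.+?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    $azure  = $state['AzureAdJoined'] -eq 'YES'
    $domain = $state['DomainJoined']  -eq 'YES'
    $kind = if ($azure -and $domain) { 'Hybrid Azure AD joined' }
            elseif ($azure)          { 'Azure AD joined (cloud only)' }
            elseif ($domain)         { 'On-prem domain joined only' }
            else                     { 'Not joined' }
    [pscustomobject]@{
        JoinType   = $kind
        TenantName = $state['TenantName']
        DeviceId   = $state['DeviceId']
    }
}

function Get-OneDriveSilentConfig {
    # OneDrive policies set via GPO/ADMX land under the Policies hive.
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SilentAccountConfig = [bool]($props.SilentAccountConfig -eq 1)
        KFMSilentOptIn      = $props.KFMSilentOptIn   # tenant ID string when KFM silent opt-in is configured
    }
}

$join = Get-JoinState
$od   = Get-OneDriveSilentConfig
$join | Format-List
$od   | Format-List

# Silent sign-in only works for Azure AD joined or hybrid joined devices; flag the mismatch
# that this thread describes (policy set, device only on-prem domain joined).
if ($od.SilentAccountConfig -and $join.JoinType -notmatch 'Azure AD joined') {
    Write-Warning 'SilentAccountConfig is set but the device is not Azure AD or hybrid joined; OneDrive will not sign in silently.'
}
```

Run it in an elevated PowerShell session on the client PC; a device that reports "On-prem domain joined only" is the case the thread is about and needs hybrid Azure AD join before the silent OneDrive sign-in can work.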

Update: I was off topic slightly, I lost track of what pages I was getting updates on.

We are wandering from the process of AAD joining (this page) and OneDrive Known Folder Move. This page isn't to support OneDrive KFM; my mistake!

As I can tell you neither solution works with AD and SSO. The user manually has to log in, which means that users are NOT moving to the cloud, because they don't know to click on the icon and do a manual login.

@jgwinner, I did some research and I stumbled upon this URL: https://docs.microsoft.com/en-us/onedrive/use-silent-account-configuration.
This article speaks about Silent Sync Account configuration for OneDrive. If you enable this feature, OneDrive.exe will attempt to sign in to the work or school account on the device that's joined to Azure AD. This feature requires the machines to be Hybrid Azure AD joined in case the machines are already joined to the on-prem domain.

I hope the steps mentioned in the article listed above would surely help you find answers to your queries. In case the steps in that document don't help you, please do create another thread on that document or create a support ticket so that they can thoroughly analyze your setup and help you fix the issue.

@souravmishra-msft Correct. The question is, what level of AAD is required? I need this to plan out our deployment.

Also, sorry about my last reply, I'd lost track of which MS ticket I had open. I went back to the original page for this ticket, and yes, this wasn't about OneDrive. My mistake. I was sent here BY OneDrive to 'help setup AAD'. I know how to do that, the question still is, why do I need AAD when they are AD, and what level of AAD is needed. Also, I would want to join AAD via GPO but I assume that's covered somewhere else. (A callout on this page to that process might be nice).

Everyone in MS hands this off like a hot potato. OneDrive support told us to open a community ticket. Someone else asked the same question and the Community ticket aged out a year ago.

Maybe no one knows? Seems like a simple thing in the docs, if a service is required, to be able to identify what level of service is required.

But, I'll go follow the process and open a ticket on that page, as you're right, this is the wrong place.

I'm really sorry for the rant!

@jgwinner, I totally understand your frustration and in times when you are planning up a huge deployment for hundreds of users.

I would like to connect with you off this forum and gather all the information from you, if you don't mind. Can you please share your contact number and just share the reference of this GitHub issue in that email and send it to [email protected].
Do share your availability and a preferred time (also mention the timezone you are in), so that based on that I can schedule a Teams call with you and we can have a discussion on this.
I believe that call might help both of us clear up a lot more for me and get me a better understanding of the OneDrive deployment in your environment, so that we can guide you better.

In the mean time I am also looking into your last response and let me try to share some updates on that too.

@jgwinner, Trust you are doing great today. I wanted to touch base with you to check if you got a chance to share the details as requested in the previous response to the [email protected] group.
Do send an email there with your email id so that we can send out a Teams meeting invite so that we can have a discussion on this issue and help you with your queries to sort them out on that call.

Just sent it off! Thank you for helping!

Working offline with customer. Closing this thread.
