Best authentication method to use with hybrid AD with on-prem domain joined and Azure joined devices

Comes here often


Hi, looking for some advice on the best authentication method to use with Meraki for our environment. We are in Hybrid mode with O365 via ADFS, and shortly all mailboxes and data will be migrated to the cloud to allow staff to work from home etc. Users currently have on-prem AD joined laptops and PCs, but going forwards we are replacing up to 150 laptops and the current plan is to Azure AD join them instead of directly to the on-prem domain, and manage with Intune. We installed a new Meraki wireless network and configured a local NPS server as per Meraki instructions "Configuring RADIUS Authentication with WPA2-Enterprise" using Domain/Users Group, and I can connect to the corporate SSID using my AD credentials. However, we would like to lock down access to just corporate machines, but the Azure AD joined machines do not show in the on-prem AD so we cannot just use the domain/computers group. If we go down the local on-prem CA server certificate route, as I understand it we would have to first add this as a trusted authority on all the Azure joined laptops. I am leaning towards using a trusted CA authority cert from GoDaddy - is this the best option for my scenario?


I should also add to the question that not everything will be in O365. We will still have some application servers on the local LAN which can also be accessed remotely via Citrix. The idea is if they come in to the office they would auto-connect to the corporate WiFi and be able to access the application servers directly.

Kind of a big deal

At this point in time, I don't think there is any "best" method.


I have been curious about the ADSync "Device Write Back" feature, which creates Azure AD accounts in the local AD. Perhaps you could try it out and let us know how it goes.


The problem with OAUTH2 (which Office 365 uses) is that you cannot use it with PEAP/MSCHAPv2 authentication. You can use it (with third party products) with EAP-TTLS - but lots of devices don't support EAP-TTLS yet. After that you are back to using splash page authentication.

Here to help

Do you have Intune licenses?


If so you can configure Intune to auto enroll for Azure AD joined machines. Then you can configure the certificate connector in Intune to connect on prem, you then have your on prem certificate server issue certs via Intune policy (you can also trust your on prem CA with Intune - no need to pay for a cert if you have control of the devices), you can then use certs for your RADIUS auth.


The client does not need to be Hybrid joined or exist in local AD (although the user needs to of course), or even connected to the LAN at the time of cert issue.
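
A device-side check for the certificate setup described in the reply above, as an added example that is not part of the original thread. It assumes a device certificate delivered to the `LocalMachine\My` store; the root CA subject `CN=Example-Corp-Root-CA` and the function name `Test-WifiClientCert` are placeholders.

```powershell
# Added example. Placeholder subject of the on-prem root CA (not from the thread).
$RootCaSubject = 'CN=Example-Corp-Root-CA'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Test-WifiClientCert {
    param([string]$RootSubject = $RootCaSubject)

    # 1. The on-prem root must be trusted by the device (pushed as a trusted-cert profile).
    $root = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -eq $RootSubject }
    if (-not $root) {
        Write-Warning "Root '$RootSubject' is not in LocalMachine\Root"
    }

    # 2. Inspect every machine certificate that could be offered for EAP-TLS.
    $now = Get-Date
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })

        # Build the chain without revocation lookups: the on-prem CRL may be
        # unreachable while the device is off the LAN.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $trusted = $chain.Build($cert)
        $top = $null
        if ($chain.ChainElements.Count -gt 0) {
            $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
        }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey
            ClientAuthEku = $ekus -contains $ClientAuthOid
            InValidity    = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)
            ChainsToRoot  = $trusted -and ($top -eq $RootSubject)
        }
    }
}

# A usable certificate has every boolean column set to True.
Test-WifiClientCert | Format-Table -AutoSize
```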

Comes here often

Apologies to all for the late reply - been away.
We do intend purchasing Intune licences for all the new laptops and would prefer to use Intune to manage as once registered the devices would only very occasionally be used with the on-prem LAN as users will all be working remotely/agile. Timescales are tight so I was going to just on-prem AD join them to allow the use of the Domain/Machines group and try and manage as much as I can via Intune, but your suggestion is a possibility, thanks.
Getting noticed

I'm in the same boat currently with Autopilot. We've resorted to the AD splash screen, device policy, and FW rules to allow the devices to join. This isn't optimal and several vendors helping us with deployment have no real answers.
