Channel: Azure Active Directory forum

User gets Different SID When Logging in to AAD Joined Machine


We use O365, and for the last year have had a local AD server that is synced to AAD via Azure AD Connect. All works as it should.

We're doing a trial of AAD Premium, and decided to try joining local machines to Azure AAD instead of to our local domain controller.

Much to my shock and dismay, when an existing domain user joins a machine to AAD and logs in (using his domain credentials, which are being properly replicated by AD Connect)... he's getting assigned a different SID than if that same user domain-joins his machine and logs in using the same domain credentials.

THAT doesn't work very well, when we have files living on a local file server that list him as owner via his *other* (original) SID.

To be clear, this user is "MyDomain\MyName" -- He has a password.  When he domain joins his machine and logs in using username and password, he gets one SID associated with his account.  When he joins his machine to AAD and logs in with the same credentials, he gets a different SID associated with his account.

The authorities for the SIDs are different: His domain-joined SID is the local domain authority, and his AAD-joined SID is AAD.

I'm at a loss to explain this... and, if there's nothing we can do to "fix" this, it could prevent us from migrating our domain completely to AAD (and eventually decommissioning our on-prem DC).

Help??  Please??

Peter


Peter OSR @OSRDrivers -- http://www.osr.com Designers, implementers, and teachers of Windows drivers for more than 20 years
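Added example, not part of Peter's post or of any Microsoft tooling: a PowerShell snippet that shows which identifier authority the current logon SID comes from (on-prem AD and local SAM accounts are S-1-5-21-*, Azure AD accounts are S-1-12-1-*), derives the S-1-12-1 SID from an Azure AD object ID so the "different SID" is less mysterious, and walks a share to list files whose owner SID is not the one the user is currently logging in with. The share path and the object ID GUID are placeholders I made up, not values from the thread.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on a
# machine that can reach the file server. $SharePath and $ObjectId are assumptions.

function Get-SidOrigin {
    # Classify a SID string by its identifier authority / first sub-authority.
    param([Parameter(Mandatory)][string]$Sid)
    switch -Regex ($Sid) {
        '^S-1-12-1-\d+-\d+-\d+-\d+$' { 'Azure AD (identifier authority 12)'; break }
        '^S-1-5-21-\d+-\d+-\d+-\d+$' { 'NT Authority domain-style SID (on-prem AD domain or local SAM)'; break }
        default                      { 'Other / well-known SID' }
    }
}

function ConvertFrom-AzureAdObjectId {
    # An Azure AD user's SID on an AAD-joined device is S-1-12-1 followed by the
    # 16 bytes of the user's object ID read as four little-endian UInt32 values.
    param([Parameter(Mandatory)][Guid]$ObjectId)
    $bytes = $ObjectId.ToByteArray()
    $subs  = 0..3 | ForEach-Object { [BitConverter]::ToUInt32($bytes, $_ * 4) }
    'S-1-12-1-' + ($subs -join '-')
}

function Find-OwnerMismatch {
    # List files under $Path whose owner SID is not $ExpectedSid (e.g. files still
    # owned by the S-1-5-21 domain SID after the user started logging in with the
    # S-1-12-1 Azure AD SID).
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSid
    )
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $owner = (Get-Acl -Path $_.FullName).GetOwner([System.Security.Principal.SecurityIdentifier]).Value
        if ($owner -ne $ExpectedSid) {
            [pscustomobject]@{
                Path        = $_.FullName
                OwnerSid    = $owner
                OwnerOrigin = Get-SidOrigin $owner
            }
        }
    }
}

# 1. What SID am I logged in with right now, and where does it come from?
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
"{0}: {1} -> {2}" -f $me.Name, $me.User.Value, (Get-SidOrigin $me.User.Value)

# 2. Given the user's Azure AD object ID (placeholder GUID), what SID will an
#    AAD-joined machine hand out for him?
$ObjectId = [Guid]'00000000-0000-0000-0000-000000000000'   # assumption: replace with the real object ID
ConvertFrom-AzureAdObjectId -ObjectId $ObjectId

# 3. Which files on the share are still owned by a different SID than the one I
#    am currently logged in with? ($SharePath is a placeholder.)
$SharePath = '\\fileserver\users\MyName'   # assumption
Find-OwnerMismatch -Path $SharePath -ExpectedSid $me.User.Value | Format-Table -AutoSize
```

`whoami /user` gives the same SID as step 1 without PowerShell. The S-1-5-21 prefix alone cannot tell an on-prem domain account from a local SAM account; to be sure the owner SID is the domain one, compare its first three sub-authorities with the domain SID (for example `(Get-ADDomain).DomainSID.Value` from the ActiveDirectory module).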



