SSMS and Active Directory Authentication doesn't work with Azure SQL and non-Azure SQL

Question

So we have Azure AD synced with our on-premise domain. We have an Azure SQL Server configured with the active directory admin. We also have a non Azure SQL server running on a virtual machine in Azure that is domain joined to this same domain. The following are the results of using the various authentication mechanisms offered by SQL Management Studio (SSMS). Can someone explain why the failures occur with the various options that should be supported?

Facts about environment:

• Passthrough authentication is the sign-in method configured on AD Connect
• Password hash sync is also enabled so password hashes are stored in Azure AD
• Azure SQL is configured with Active Directory admin
• Latest version of SSMS was downloaded when performing these test
• On premise account was used to test all scenarios

Domain joined client connecting to Azure SQL from SSMS

• Active Directory Password (PASS)
• Active Directory Universal (PASS)
• Windows Integrated (FAIL - not supported by Azure SQL)
• Active Directory Integrated (FAIL – see error below)

Failure when client is standard domain joined client

Failure when client is Azure domain joined client

Domain joined client connecting to non-Azure SQL hosted on same domain

• Active Directory Integrated (PASS)
• Windows Integrated (PASS)
• Active Directory Password (FAIL – Login failed for user '')
• Active Directory Universal (FAIL – Login failed for user '')

Answer 1

This issue may be related with the AD Syncing options. Verify in your environment that AD is not syncing passwords into the tenant. This prevents AD Integration Authentication and AD Password Authentication. The only authentication that works on these cases is AD Universal Authentication, as your test shows.

Answer 2

It looks to me that his is an ADAL problem (WSTrust) related to network configuration. Please create a support case and work with the support team to solve this problem