Forum Discussion

ChuaAugustine (Copper Contributor)
Mar 23, 2018

Azure Active Directory and ADFS

We recently upgraded to M365 E3 with Azure AD Premium P1. We currently have ADFS configured (hybrid mode). We intend to have a backup authentication path so that if the on-premises AD is down, users can still be authenticated automatically by Azure AD.

How shall I go about that? How can I configure it so that if the on-premises AD is down, authentication is handled automatically by Azure AD? I understand that with ADFS the authentication relies on the on-premises AD. I also know about the AD Connect pass-through option, but that only helps if the on-premises AD is still running and ADFS is down. What about the situation where there is no access to the on-premises AD at all?

Please advise.

  • VasilMichev
    Mar 27, 2018

    There is no automatic fallback option, neither with AD FS nor with PTA. First of all, you should be deploying them in an HA configuration: at least 2 machines, and preferably in different datacenters, at a minimum. Some people choose to have one of the AD FS farm nodes in an Azure VM.


    If all AD FS nodes are down, you have to perform manual actions to change the authentication method. Same goes for PTA. Having password sync configured as backup (https://social.technet.microsoft.com/wiki/contents/articles/17857.dirsync-how-to-switch-from-single-sign-on-to-password-sync.aspx#Temporarily_Switching_from_Single_Sign-On_to_Synchronizated_Passwords_for_Sign-In) is a way to make the process faster/easier, but it's not an automatic failover solution.
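An added example (not from this thread or from Microsoft) of what those "manual actions" look like as a pre-checked runbook: it uses the MSOnline PowerShell module to confirm the domain is federated and that password hash sync is on and recent before converting the domain to Managed, so that users sign in with their synced password hashes until the AD FS farm is back and the domain is converted to Federated again. The domain name is a placeholder, and the three-hour sync-age threshold is an assumed operational choice.

```powershell
# Added example, not the thread's or Microsoft's own runbook.
# Requires the MSOnline module and a Global Administrator sign-in.
Import-Module MSOnline
Connect-MsolService

$DomainName = 'contoso.example'   # placeholder: replace with your federated domain

# 1. Confirm the domain is currently federated; otherwise there is nothing to cut over.
$domain = Get-MsolDomain -DomainName $DomainName
if ($domain.Authentication -ne 'Federated') {
    throw "$DomainName is already '$($domain.Authentication)'; nothing to do."
}

# 2. Confirm password hash sync is enabled and recent. Without synced hashes,
#    a Managed domain leaves users with no password to sign in with.
$company = Get-MsolCompanyInformation
if (-not $company.PasswordSynchronizationEnabled) {
    throw 'Password hash sync is not enabled; cannot fall back to cloud authentication.'
}
$syncAge = (Get-Date) - $company.LastPasswordSyncTime
if ($syncAge.TotalHours -gt 3) {   # assumed threshold
    Write-Warning ("Last password sync was {0} hours ago; recently changed " +
                   "passwords may not be accepted.") -f [int]$syncAge.TotalHours
}

# 3. Save the current federation settings so the cut-back is reproducible.
Get-MsolDomainFederationSettings -DomainName $DomainName |
    Export-Clixml -Path ".\$DomainName-federation-backup.xml"

# 4. Switch the domain from AD FS to cloud (Managed) authentication.
Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Managed

# 5. Read the setting back to confirm the change took effect.
(Get-MsolDomain -DomainName $DomainName).Authentication
```

Converting back to Federated later requires re-applying the saved federation settings against the restored AD FS farm; the exported XML is there so that step does not depend on memory.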

    • ChuaAugustine (Copper Contributor)

      I looked at your reply again. If I already have Azure Active Directory set up in the cloud and it is synced via Azure Active Directory Connect (AAD Connect), can I just install an instance of AD FS in the Azure cloud and have users authenticated via AD FS on Azure and validated by Azure Active Directory? Does it still require the on-premises Active Directory then?


      • VasilMichev (MVP)

        No, you can't, as Azure AD is NOT any sort of replacement for "traditional" AD. You cannot "join" servers to it. You can, however, spin up an Azure VM in the cloud and extend your on-premises AD with a DC running in Azure, and deploy AD FS as well. Take a look at the guidance here to get started: https://msdn.microsoft.com/library/azure/jj156090.aspx

  • ChuaAugustine (Copper Contributor)

    Thank you again, Vasil, for the reply. Most of our users' email resides in the cloud (O365 Exchange Online). Am I correct to say that I do not require AD FS to connect to my mail in the cloud when I access it remotely, as it can be authenticated by Azure AD using the same login ID and password since I have configured Azure AD Connect, whereas users connected to the on-premises network will require AD FS to access the SaaS application in the cloud?
    • VasilMichev (MVP)

      AD FS is not a requirement; it's just one of the available methods to configure with regard to authentication. AAD Connect with password sync will also allow you to use the same set of credentials, and so will PTA/SSO. In general, unless you have some specific requirements, AD FS is overkill, especially for small organizations.
