gwendal55
Copper Contributor
Feb 13, 2020

Suppression of SSO from the architecture

My client wants to remove SSO from its architecture, as well as ADFS, without subscribing to the Azure AD Connect solution. If possible, he would like the maximum configuration to be possible from the Office 365 administration center. To do this, he would first like to make an impact study of the removal of SSO and ADFS. Can you assess the impact on current operations? What would be the risks of incidents? Alternatives in Office 365 configurations? What details of information should we collect and check before any change?

  • CloudHal
    Iron Contributor

    gwendal55 why would they want to make the user experience worse? Not a single user will like this change.

  • Mark Lewis
    Brass Contributor

    gwendal55 You can use Azure AD only, without using AD. It's entirely possible. But without AAD Connect (or AAD Cloud Provisioning), you would have to manually manage users in two separate directories. Users would potentially end up with two passwords to use.

    Is the goal to go cloud only for authentication, or will you still require Active Directory?

    • gwendal55
      Copper Contributor

      Mark Lewis 

      The architecture is with one-way synchronization. Any creation or modification must be done in the AD and it is synchronized afterwards in Office 365. Management is done from the AD. The customer wants to install a secure gateway to authenticate users with an HR number before they access Office 365. Suddenly all other solutions are excluded (Azure AD Connect, SSO, ADFS). Users will not have two passwords, but authentication with a password and an HR number. Regards, Gwendal IDOT.

      • Vikram V
        Brass Contributor
        gwendal55 - you can get rid of ADFS and still keep SSO and authenticate on premises with Azure AD Connect. Search for Pass-through Authentication.
        I am not clear on your point about Secure Gateway and authenticating via the HR system. The HR system can act as an identity source, but you don't have to rip apart your whole Azure AD Connect infra for it. Depending on which HR system, you might be able to fit it right in. (Look for Azure AD identity inbound provisioning.)

        Hope this helps.

        Vik
