SOLVED

AZURE AD Over ADFS


I have been running ADFS since we moved to O365. Since 2016 we have also had an Azure tenant. I have reached a point where I no longer want to maintain ADFS or create claims for apps to auth against. I would like to know if in fact Azure AD can do SSO in the same fashion that ADFS does, where my users log in from the local LAN and access any O365 resource, enter an email and nothing else.

Is this possible?

4 Replies
Solution

Hello Christian,

Yes, it is possible: you can remove ADFS and instead use pass-through authentication or password sync.

Now with these features you can also enable seamless SSO, where the user experience will not be different compared to that of ADFS.

Microsoft doc that you can refer to:

https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso

But I did watch a video a long time back where there was a brief explanation of how pass-through seamless SSO works under the hood.

https://www.youtube.com/watch?v=kRPExiS4EwI&t=28s

Regards,

Rishabh

This video is for the understanding of Pass through authentication with seamless SSO. Please click on the below mentioned link to check more details as per Microsoft. https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso-how-it-works Also do check the ...

Vouching for this reply/solution as well - we went through the same transition and never looked back! Azure AD (if you're premium, so E3 or AADP Plan1) and do Seamless SSO with GPOs, Password Hash Sync and (pass-through authentication) for synchronizing your AD to Azure AD. Works like a charm, and no more hassle of an ADFS farm to manage! Also gets to centrally take advantage of Azure AD being the single control plane for identity on other non-Microsoft products (basically all SaaS platforms that support SAML) and use any Azure AD conditional access rules to control access as well, such as MFA or requiring Intune enrollment, etc.

WOW thx for the replies. I just had a meeting with my IT Director and was given the green light.

Seamless SSO is absolutely what we want as we have this with ADFS. Thank you all for the confirmation.

Full speed ahead!

We currently are on E3 and AADP P1 but moving to P2 for Identity Protection.
Currently syncing local AD to Azure, but the SaaS is my prime reason for moving. I don't want to be stuck with features on ADFS on 2016 etc., then having to upgrade the infrastructure to get additional features, whatever those are.
