SOLVED

Azure Active Directory and ADFS

Augustine Chua
Occasional Contributor

We had recently upgraded to M365 E3 with Azure AD Premium 1. We currently have ADFS configured (hybrid mode). We intend to have a back-up authentication method for the situation where, if the on-premises AD is down, the user should still be able to get authenticated automatically by Azure AD.

How shall I go about that? How can I configure things so that, if the on-prem AD is down, authentication is handled automatically by Azure AD? I understand that with ADFS, authentication relies on the on-premises AD. I also know about the AD Connect pass-through, but that only helps if the on-premises AD is still running and ADFS is down. What about the situation where there is no access to the on-premises AD?

Please advise.

6 Replies

There is no automatic fallback option, neither with AD FS nor with PTA. First of all, you should be deploying them in an HA configuration: at least 2 machines, and preferably in different datacenters, at a minimum. Some people choose to have one of the AD FS farm nodes in an Azure VM.

If all AD FS nodes are down, you have to perform manual actions to change the authentication method. The same goes for PTA. Having password sync configured as a backup (https://social.technet.microsoft.com/wiki/contents/articles/17857.dirsync-how-to-switch-from-single-sign-on-to-password-sync.aspx#Temporarily_Switching_from_Single_Sign-On_to_Synchronizated_Passwords_for_Sign-In) is a way to make the process faster/easier, but it's not an automatic failover solution.
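The reply above says the fallback is a manual switch of the authentication method, and that it only goes quickly if password hash sync was already running as a backup. The PowerShell below is an added example (not from this thread or from Microsoft) of a readiness check plus the guarded switch, written so it refuses to convert the domain unless PHS is confirmed. It assumes the legacy MSOnline module (`Connect-MsolService`, `Get-MsolDomain`, `Set-MsolDomainAuthentication`) and, for the PHS check, that it runs on the Azure AD Connect server where the `ADSync` module and `Get-ADSyncAADCompanyFeature` are available; the domain name is a placeholder.

```powershell
# Added example, not code from the thread. Assumes the legacy MSOnline module
# and (for step 2) the ADSync module on the Azure AD Connect server.
param(
    [string]$DomainName = 'contoso.example',   # placeholder: your federated domain
    [switch]$SwitchToManaged                   # only act when explicitly requested
)

Import-Module MSOnline -ErrorAction Stop
Connect-MsolService

# 1. Is the domain federated (AD FS) or managed (PHS/PTA) right now?
$domain = Get-MsolDomain -DomainName $DomainName
Write-Host "Domain $($domain.Name): Authentication = $($domain.Authentication)"

# 2. Is password hash sync actually enabled in Azure AD Connect?
#    Without it, switching the domain to Managed leaves users with no
#    password in Azure AD, i.e. a self-inflicted outage.
$phsEnabled = $false
if (Get-Module -ListAvailable -Name ADSync) {
    Import-Module ADSync
    $phsEnabled = [bool](Get-ADSyncAADCompanyFeature).PasswordHashSync
    Write-Host "Password hash sync enabled: $phsEnabled"
} else {
    Write-Warning "ADSync module not found; run this on the Azure AD Connect server to verify PHS."
}

# 3. The manual fallback itself: federated -> managed, guarded by the check above.
if ($SwitchToManaged) {
    if ($domain.Authentication -ne 'Federated') {
        Write-Host "Domain is already managed; nothing to do."
    } elseif (-not $phsEnabled) {
        throw "Refusing to switch: PHS not confirmed. Users would be locked out."
    } else {
        Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Managed
        Write-Host "Domain converted to Managed; sign-ins now use synced password hashes."
    }
}
```

Run it without `-SwitchToManaged` as a routine check (federation state plus PHS state), and with the switch only during an actual AD FS outage. The guard in step 3 is the point: the hashes must already have been syncing before the outage, because once on-premises AD is unreachable nothing new will sync. Converting back to federation later is a separate manual step (`Convert-MsolDomainToFederated`, run from an AD FS node), which is exactly why the reply calls this faster but not automatic.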

Thank you Vasil Michev for the clarification.

I re-read your reply. If I have Azure Active Directory already set up in the cloud and it is synced via Azure Active Directory Connect (AAD Connect), can I just install an instance of AD FS in the Azure cloud and get the user authenticated via AD FS on Azure and validated by Azure Active Directory? Does it still require the on-premises Active Directory then?
Solution

No, you can't, as Azure AD is NOT any sort of replacement for "traditional" AD. You cannot "join" servers to it. You can, however, spin up an Azure VM in the cloud and extend your on-premises AD with a DC running in Azure, and deploy AD FS as well. Take a look at the guidance here to get started: https://msdn.microsoft.com/library/azure/jj156090.aspx

Thank you again, Vasil, for the reply. Most of our users' email resides in the cloud (O365 Exchange Online). Am I correct to say that I do not require AD FS to connect to my mail in the cloud, as it can be authenticated by Azure AD using the same login ID and password (since I have configured Azure AD Connect) when I access it remotely, whereas users connected to the on-premises network will require AD FS to access the SaaS application in the cloud?

AD FS is not a requirement; it's just one of the available methods to configure for authentication. AAD Connect with password sync will also allow you to use the same set of credentials, and so will PTA/SSO. In general, unless you have some specific requirements, AD FS is overkill, especially for small organizations.
