
Moving authentication from ADFS to Azure AD

Jason Benway
Contributor

Currently we have hybrid Exchange (Exchange 2010), Skype for Business (Lync 2013), Azure AD Connect w/ password sync, and ADFS v2.1.

From a user-experience standpoint, if the user is off prem and not on VPN, when they hit an O365 web page it asks for their UPN, then redirects to the ADFS proxy site, which they must log on to; then they can access O365 resources.

My understanding is that if we used Azure AD with password sync, on the first O365 page they hit they would enter both UPN and password and then go directly to the O365 resource, cutting out a perceived double step.

If this is all correct, what is the downside of using Azure AD for authentication? Any issues with the hybrid configs? Can we still get 'pass-through' when on prem and connected to the domain controllers from a workstation? Does it require the paid version of Azure AD?

Thanks, jb
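The switch the post asks about is, on the Azure AD side, a change of the domain's authentication type from Federated (sign-ins redirected to ADFS) to Managed (Azure AD checks the password itself, using synced password hashes or a PTA agent). The script below is an added example, not something from this thread or from Microsoft's own tooling: it shows how to inspect that setting and flip it. It assumes the Microsoft Graph PowerShell SDK, an account allowed to manage domains, and "contoso.com" as a placeholder domain; the scope list and the use of Update-MgDomain for the conversion are taken from the Graph domain API documentation as I understand it, so treat them as assumptions to verify against current docs.

```powershell
<#
  Added example (not part of the original thread): report how Azure AD
  authenticates a verified domain and, with -Convert, change it from
  Federated (ADFS) to Managed so sign-ins no longer bounce to the ADFS proxy.
  Assumptions: Microsoft Graph PowerShell SDK installed; the signed-in account
  may manage domains; Directory.AccessAsUser.All is required to update
  AuthenticationType in a delegated session; "contoso.com" is a placeholder.
  Usage:  .\Check-DomainAuth.ps1 -DomainName contoso.com
          .\Check-DomainAuth.ps1 -DomainName contoso.com -Convert
#>
param(
    [Parameter(Mandatory = $true)] [string] $DomainName,
    [switch] $Convert
)

Connect-MgGraph -Scopes "Domain.ReadWrite.All", "Directory.AccessAsUser.All" -NoWelcome

$domain = Get-MgDomain -DomainId $DomainName
Write-Host ("{0}: AuthenticationType={1}, IsVerified={2}" -f `
    $domain.Id, $domain.AuthenticationType, $domain.IsVerified)

if ($domain.AuthenticationType -ne "Federated") {
    Write-Host "Domain is already Managed; Azure AD prompts for the password itself."
    return
}

# Federated: show the ADFS endpoint Azure AD currently hands sign-ins to
# (this is the proxy site the poster's off-prem users are redirected to).
$fed = Get-MgDomainFederationConfiguration -DomainId $DomainName
foreach ($f in $fed) {
    Write-Host "  IssuerUri        : $($f.IssuerUri)"
    Write-Host "  PassiveSignInUri : $($f.PassiveSignInUri)"
}

if (-not $Convert) {
    Write-Host "Re-run with -Convert to switch the domain to Managed (cloud authentication)."
    return
}

# Cut-over guard: a Managed domain can only authenticate users Azure AD already
# knows. Confirm directory sync is enabled and has run recently. Whether
# password hash sync (or a PTA agent) is actually active is confirmed on the
# Azure AD Connect server, not here.
$org = Get-MgOrganization
if (-not $org.OnPremisesSyncEnabled) {
    throw "Directory sync is not enabled for this tenant; configure Azure AD Connect before converting."
}
Write-Host "Directory sync enabled; last sync: $($org.OnPremisesLastSyncDateTime)"

# The conversion itself: Azure AD stops honouring the federation settings and
# authenticates the domain's users directly.
Update-MgDomain -DomainId $DomainName -AuthenticationType "Managed"

# Verify the change took effect.
(Get-MgDomain -DomainId $DomainName).AuthenticationType
```

Two caveats a practitioner would want. First, if the goal is PTA or Seamless SSO rather than plain password hash sync, the Azure AD Connect "Change user sign-in" task performs this same conversion and installs the agents, so prefer it over a hand-rolled script for that path. Second, the same API that converts a domain to Managed can re-federate it to any issuer an administrator names, so changes to a domain's authentication type and federation settings are worth alerting on in the audit log rather than treating the conversion as a one-time event.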

2 Replies

Biggest downside is you don't get SSO. And you have less control over the auth process. But with PTA nearing GA, you might as well consider switching to it: https://blogs.technet.microsoft.com/enterprisemobility/2016/12/07/introducing-azuread-pass-through-a...

@Jason Benway Also I have tried this with my already deployed Windows 10 domain-joined machines: add them to Azure AD for seamless authentication to on-prem and cloud resources with SSO. When I join my Win 10 machine to Azure AD, accessing any O365 service does not even require a username or password; it logs you in straight away.

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-azureadjoin-devices-group-p...

This only works with Windows 10 though. PTA might be your best choice for seamless authentication in your scenario.
