Mar 23 2018 (last edited on Jul 27 2020)
We had recently upgraded to M365 E3 with Azure AD Premium 1. We currently have ADFS configured (hybrid mode). We intended to have a back-up authentication for the situation where, if the on-premises AD is down, the user should still be able to get authenticated automatically by Azure AD.
How shall I go about that? How can I configure it so that, if the on-prem AD is down, the authentication will automatically be handled by Azure AD? I understand that with ADFS the authentication relies on the on-premises AD. I also know about the AD Connect pass-through, but that is provided for the case where the on-premises AD is still running and ADFS is down. What about the situation where there is no access to the on-premises AD?
Mar 23 2018 11:39 AM
There is no automatic fallback option, neither with AD FS nor PTA. First of all, you should be deploying them in an HA configuration, at least 2 machines and preferably in different datacenters, at a minimum. Some people choose to have one of the AD FS farm nodes in an Azure VM.
If all AD FS nodes are down, you have to perform manual actions to change the authentication method. Same goes for PTA. Having password sync configured as backup (https://social.technet.microsoft.com/wiki/contents/articles/17857.dirsync-how-to-switch-from-single-...) is a way to make the process faster/easier, but it's not an automatic failover solution.
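The "manual action" the reply refers to is switching the federated domain to managed authentication so that Azure AD validates credentials itself from the synced password hashes. The snippet below is an added example and is not code from the thread or from Microsoft; it assumes the MSOnline PowerShell module is installed, that password hash sync has already been running (otherwise Azure AD holds no hashes to validate against), and uses `contoso.example` as a placeholder domain name.

```powershell
# Added example: manual failover of a federated domain to managed (cloud) authentication.
# Assumes the MSOnline module is installed and password hash sync is already enabled.
Import-Module MSOnline
Connect-MsolService   # prompts for a Global Administrator credential

$domainName = 'contoso.example'   # placeholder: replace with your verified domain

# 1. Record the current state so the change can be reviewed and reverted later.
$domain = Get-MsolDomain -DomainName $domainName
Write-Host "Authentication for $domainName is currently: $($domain.Authentication)"

if ($domain.Authentication -eq 'Federated') {
    # Keep the federation settings; they are needed to return to AD FS once the farm is back.
    Get-MsolDomainFederationSettings -DomainName $domainName |
        Export-Clixml -Path ".\$domainName-federation-backup.xml"

    # 2. Flip the domain to managed. Sign-ins are now validated by Azure AD against the
    #    synced password hashes; the AD FS farm is no longer consulted.
    Set-MsolDomainAuthentication -DomainName $domainName -Authentication Managed
}

# 3. Verify the result.
(Get-MsolDomain -DomainName $domainName).Authentication
```

This is a reactive, administrator-driven step, which is the point of the reply: nothing triggers it when the farm goes down, it needs Global Administrator rights, and clients holding cached tokens or a federated sign-in page may need a few minutes to pick up the change. Keep the exported federation settings so the domain can be switched back to `Federated` once AD FS is healthy.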
Mar 27 2018 01:07 AM
I relooked into your reply. If I have Azure Active Directory already set up in the cloud and it is synced via Azure Active Directory Connect (AAD Connect), can I just install an instance of AD FS in the Azure cloud and have the users authenticated via AD FS on Azure and validated by Azure Active Directory? Does it still require the on-premises Active Directory then?
Mar 27 2018 10:37 AM (Solution)
No, you can't, as Azure AD is NOT any sort of replacement for "traditional" AD. You cannot "join" servers to it. You can, however, spin up an Azure VM in the cloud and extend your on-premises AD with a DC running in Azure, and deploy AD FS as well. Take a look at the guidance here to get started: https://msdn.microsoft.com/library/azure/jj156090.aspx
Mar 27 2018 01:41 PM
Mar 27 2018 11:35 PM
AD FS is not a requirement; it's just one of the available methods you can configure for authentication. AAD Connect with password sync will also allow you to use the same set of credentials, and so will PTA/SSO. In general, unless you have some specific requirements, AD FS is overkill, especially for small organizations.