Dec 29 2020 11:09 AM
Dec 29 2020 11:09 AM
Couple of simple (I hope) questions:
- is it possible to authenticate users through on-premise ADFS server in Azure without actually importing users to the Azure AD? Or the user always has to be imported because only then he gets Azure Id and can use Azure resources?
- is there any option except Azure AD Connect to establish connection between ADFS server and Azure AD (so ADFS users can be authenticated)? The thing is that I don't have access to physical ADFS server, so I cannot install Azure AD Connect there.
Regards and thanks!
Dec 29 2020 11:15 AM
Hi, you will need Azure AD Connect in order for this to work and have the users visible in Azure AD. Check out - https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-whatis
The AADC server does not have to be on the same server as AD FS though.
Dec 29 2020 12:20 PM
@PeterRising so if I got that right - I may install and run Azure AD Connect on different machine and use it only for account synchronization, correct? This sounds promising.
About user synchronization - I was kind of hoping it won't be needed to import all these users (it's around 5k in this particular case) to AAD, I'm worried a bit about that (it could be a nightmare in terms of management).
Thanks for quick answer!
Dec 29 2020 01:07 PM
Yep, that's right. AADC can be run on a different machine. You'd need to run a custom installation and choose the option of Federation with AD FS as shown below.
Question though - do you really need AD FS for O365? Could you not go for Password Hash Sync or Pass through authentication instead?
Dec 29 2020 01:37 PM
The scenario here is that we have many users being in multiple external on-premises ADs. These on-premises ADs are gathered together in one master AD FS server and this is actually the only option from my point of view. The goal is to make it possible for these users to login to our App Service web app which we host in Azure. The requirement is to have SSO for these users, so they can reuse their domain accounts.