Suppression of SSO from the architecture

%3CLINGO-SUB%20id%3D%22lingo-sub-1171436%22%20slang%3D%22fr-FR%22%3ESuppression%20of%20SSO%20from%20the%20architecture%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1171436%22%20slang%3D%22fr-FR%22%3E%3CP%3EMy%20client%20wants%20to%20remove%20SSO%20from%20its%20architecture%2C%20as%20well%20as%20ADFS.%20Without%20subscribing%20to%20the%20Azure%20AD%20Connect%20solution.%20If%20possible%2C%20he%20would%20like%20the%20maximum%20configuration%20to%20be%20possible%20from%20the%20Office%20365%20administration%20center.%20To%20do%20this%2C%20he%20would%20first%20like%20to%20make%20an%20impact%20study%20of%20the%20removal%20of%20SSO%20and%20ADFS.%20Can%20you%20assess%20the%20impact%20on%20current%20operations%3F%20What%20would%20be%20the%20risks%20of%20incidents%3F%20Alternatives%20in%20Office%20365%20configurations%3F%20What%20details%20of%20information%20should%20we%20collect%20and%20check%20before%20any%20change%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1171436%22%20slang%3D%22fr-FR%22%3E%3CLINGO-LABEL%3EIdentity%20Management%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1171700%22%20slang%3D%22en-US%22%3ERe%3A%20Suppression%20of%20SSO%20from%20the%20architecture%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1171700%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F555086%22%20target%3D%22_blank%22%3E%40gwendal55%3C%2FA%3EYou%20can%20use%20Azure%20AD%20only%2C%20without%20using%20AD.%20It's%20entirely%20possible.%20But%20without%20AAD%20Connect%20(or%20AAD%20Cloud%20Provisioning)%2C%20you%20would%20have%20to%20manually%20manage%20users%20in%20two%20separate%20directories.%20Users%20would%20potentially%20end%20up%20with%20two%20passwords%20to%20use.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20the%20goal%20to%20go%20cloud%20only%20for%20authentication%20or%20will%20you%20still%20required%20Active%20Directory%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1171741%22%20slang%3D%22fr-FR%22%3ERe%3A%20Suppression%20of%20SSO%20from%20the%20architecture%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1171741%22%20slang%3D%22fr-FR%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F213341%22%20target%3D%22_blank%22%3E%40Mark%20Lewis%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20architecture%20is%20with%20one-way%20synchronization.%20Any%20creation%20or%20modification%20must%20be%20done%20in%20the%20AD%20and%20it%20is%20synchronized%20afterwards%20in%20Office%20365.%20Management%20is%20done%20from%20the%20AD.%20The%20customer%20wants%20to%20install%20a%20secure%20gateway%20to%20authenticate%20users%20with%20an%20HR%20number%20before%20they%20access%20Office%20365.%20Suddenly%20all%20other%20solutions%20are%20excluded%20(Azure%20AD%20Connect%2C%20SSO%2C%20ADFS).%20Users%20will%20not%20have%20two%20passwords%2C%20but%20authentication%20with%20a%20password%20and%20an%20HR%20number.%20Looks%2C%20Gwendal%20IDOT.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1171765%22%20slang%3D%22en-US%22%3ERe%3A%20Suppression%20of%20SSO%20from%20the%20architecture%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1171765%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F555086%22%20target%3D%22_blank%22%3E%40gwendal55%3C%2FA%3EAAD%20Connect%20doesn't%20authenticate%20users.%20It%20is%20provisioning%2Fupdating%20users%2C%20syncing%20passwords%20and%20where%20enabled%20doing%20password%20write-back.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20don't%20know%20enough%20about%20the%20Secure%20Gateway%20(I%20have%20seen%20your%20other%20post%20on%20this)%20to%20advise%20on%20this.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1171791%22%20slang%3D%22en-US%22%3ERe%3A%20Suppression%20of%20SSO%20from%20the%20architecture%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1171791%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F555086%22%20target%3D%22_blank%22%3E%40gwendal55%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDo%20you%20have%20a%20current%20IDP%20solution%20for%20the%20HR%20users%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYou%20could%20look%20into%20products%20by%20Okta.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1172175%22%20slang%3D%22en-US%22%3ERe%3A%20Suppression%20of%20SSO%20from%20the%20architecture%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1172175%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F555086%22%20target%3D%22_blank%22%3E%40gwendal55%3C%2FA%3E%26nbsp%3Bwhy%20would%20they%20want%20to%20make%20the%20user%20experience%20worse%3F%20Not%20a%20single%20user%20will%20like%20this%20change.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1176067%22%20slang%3D%22en-US%22%3ERe%3A%20Suppression%20of%20SSO%20from%20the%20architecture%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1176067%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F555086%22%20target%3D%22_blank%22%3E%40gwendal55%3C%2FA%3E%26nbsp%3BJust%20to%20make%20this%20clear.%20Azure%20AD%20%3CU%3Estays%20in%20all%20cases%20the%20trusted%20IDP%20for%20M365%2FO365%20services%3C%2FU%3E%20(or%20better%20saying%20so%20called%201st%20party%20services%20developed%20by%20Microsoft%20including%20Azure%20Services)%20and%20depending%20on%20the%20service%20being%20accessed%20and%20client%20application%20it%20uses%20WS-TRUST%2C%20OAuth%2FOIDC%20or%20in%20some%20cases%20SAML%20protocols..%20so%20even%20if%20a%20user%20identity%20is%20confirmed%2Fauthenticated%20by%20the%20%22customers%22%20IDP%20(ADFS%2FSecure%20Gateway%2FPingFed%2C%20Okta%2C%20whatever%20solution%2C%20etc)..%20the%20refresh%20and%20access%20tokens%20for%20O365%2FAzure%20services%20always%20come%20from%20AAD.%20In%20fact%20you%20can%20not%20replace%20AAD%20with%20your%20own%20IDP%2Fsolution.%20You%20can%20tell%20AAD%20to%20redirect%20the%20user%20to%20your%20own%20IDP%20for%20authentication%20(using%20federation%2For%20Conditonal%20Access%20custom%20controls)%2C%20but%20it%20has%20to%20return%20the%20user%20to%20AAD%20to%20finally%20get%20the%20refresh%2Faccess%20tokens.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHow%20you%20control%20authentication%20on%20customers%20IDP%20to%20confirm%20the%20user%20identity%20is%20up%20to%20you%20and%20capabilities%20of%20the%20solution..this%20can%20be%20forms-based%2C%20SSO%20with%20kerberos%2C%20FIDO%2C%20with%20and%20without%20MFA%20etc...%20not%20to%20say%20that%20you%20can%20do%20all%20this%20with%20AAD%20natively....%20and%20do%20not%20forget%20device%20identity%20%2F%20compliance..%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFurthermore%20if%20not%20using%20MS%20IDP%20(AAD%20and%2For%20AFDS)%20you%20loose%20certain%20functionalities%2C%20like%20Cert%20Trust%20Keys%20for%20Windows%20Hello%20for%20Business...%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYou%20might%20want%20to%20read%20a%20bit%20here%26nbsp%3B%3CSTRONG%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fdevelop%2Fv2-overview%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fdevelop%2Fv2-overview%3C%2FA%3E%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E...%20to%20get%20a%20better%20understanding%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fdevelop%2Fauthentication-scenarios%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fdevelop%2Fauthentication-scenarios%3C%2FA%3E%26nbsp%3Bmight%20be%20a%20start.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EQuote%3A%3C%2FP%3E%3CP%3E%3CEM%3E%22Any%20creation%20or%20modification%20must%20be%20done%20in%20the%20AD%20and%20it%20is%20synchronized%20afterwards%20in%20Office%20365.%26nbsp%3B%22%3C%2FEM%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20you%20do%20not%20use%20Azure%20AD%20Connect..%20you%20will%20need%20to%20implement%20your%20own%20IAM%20user%20provisioning%20system..%20and%20you%20can%20not%20configure%20everything%20on-prem...%20you%20will%20need%20and%20MS%20Graph%20Interface%20from%20the%20IAM%20system..%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eand%20more....%20I%20would%20recommend%20at%20least%20to%20build%20you%20own%20test%20environment%20to%20get%20more%20experience%20and%20either%20consult%20Microsoft%20Services%20directly%20or%20an%20experienced%20system%20implementer%2C%20before%20you%20continue...%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1176180%22%20slang%3D%22en-US%22%3ERe%3A%20Suppression%20of%20SSO%20from%20the%20architecture%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1176180%22%20slang%3D%22en-US%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F555086%22%20target%3D%22_blank%22%3E%40gwendal55%3C%2FA%3E%20-%20you%20can%20get%20rid%20of%20ADFS%20and%20still%20keep%20SSO%20and%20authenticate%20on%20premise%20with%20Azure%20AD%20Connect.%20Search%20for%20Passthru%20Authentication.%3CBR%20%2F%3EI%20am%20not%20clear%20on%20your%20point%20about%20Secure%20Gateway%20and%20authenticate%20via%20HR%20system.%20HR%20system%20can%20act%20as%20identity%20source%2C%20but%20you%20don't%20have%20to%20rip%20apart%20your%20whole%20Azure%20AD%20Connect%20infra%20for%20it.%20Depending%20on%20which%20HR%20system%2C%20you%20might%20be%20able%20to%20fit%20it%20right%20in.%20(Look%20for%20Azure%20AD%20identity%20inbound%20provisioning).%3CBR%20%2F%3E%3CBR%20%2F%3EHope%20this%20helps.%3CBR%20%2F%3E%3CBR%20%2F%3EVik%3C%2FLINGO-BODY%3E
Highlighted
New Contributor

My client wants to remove SSO from its architecture, as well as ADFS. Without subscribing to the Azure AD Connect solution. If possible, he would like the maximum configuration to be possible from the Office 365 administration center. To do this, he would first like to make an impact study of the removal of SSO and ADFS. Can you assess the impact on current operations? What would be the risks of incidents? Alternatives in Office 365 configurations? What details of information should we collect and check before any change ?

7 Replies
Highlighted

@gwendal55You can use Azure AD only, without using AD. It's entirely possible. But without AAD Connect (or AAD Cloud Provisioning), you would have to manually manage users in two separate directories. Users would potentially end up with two passwords to use.

 

Is the goal to go cloud only for authentication or will you still required Active Directory?

Highlighted

@Mark Lewis 

The architecture is with one-way synchronization. Any creation or modification must be done in the AD and it is synchronized afterwards in Office 365. Management is done from the AD. The customer wants to install a secure gateway to authenticate users with an HR number before they access Office 365. Suddenly all other solutions are excluded (Azure AD Connect, SSO, ADFS). Users will not have two passwords, but authentication with a password and an HR number. Regards, Gwendal IDOT.

Highlighted

@gwendal55AAD Connect doesn't authenticate users. It is provisioning/updating users, syncing passwords and where enabled doing password write-back.

 

I don't know enough about the Secure Gateway (I have seen your other post on this) to advise on this.

Highlighted

@gwendal55 

 

Do you have a current IDP solution for the HR users?

 

You could look into products by Okta.

Highlighted

@gwendal55 why would they want to make the user experience worse? Not a single user will like this change.

Highlighted

@gwendal55 Just to make this clear. Azure AD stays in all cases the trusted IDP for M365/O365 services (or better saying so called 1st party services developed by Microsoft including Azure Services) and depending on the service being accessed and client application it uses WS-TRUST, OAuth/OIDC or in some cases SAML protocols.. so even if a user identity is confirmed/authenticated by the "customers" IDP (ADFS/Secure Gateway/PingFed, Okta, whatever solution, etc).. the refresh and access tokens for O365/Azure services always come from AAD. In fact you can not replace AAD with your own IDP/solution. You can tell AAD to redirect the user to your own IDP for authentication (using federation/or Conditonal Access custom controls), but it has to return the user to AAD to finally get the refresh/access tokens.

 

How you control authentication on customers IDP to confirm the user identity is up to you and capabilities of the solution..this can be forms-based, SSO with kerberos, FIDO, with and without MFA etc... not to say that you can do all this with AAD natively.... and do not forget device identity / compliance.. 

 

Furthermore if not using MS IDP (AAD and/or AFDS) you loose certain functionalities, like Cert Trust Keys for Windows Hello for Business... 

 

You might want to read a bit here https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-overview

 

... to get a better understanding https://docs.microsoft.com/en-us/azure/active-directory/develop/authentication-scenarios might be a start.

 

Quote:

"Any creation or modification must be done in the AD and it is synchronized afterwards in Office 365. "

 

If you do not use Azure AD Connect.. you will need to implement your own IAM user provisioning system.. and you can not configure everything on-prem... you will need and MS Graph Interface from the IAM system.. 

 

and more.... I would recommend at least to build you own test environment to get more experience and either consult Microsoft Services directly or an experienced system implementer, before you continue... 

Highlighted
@gwendal55 - you can get rid of ADFS and still keep SSO and authenticate on premise with Azure AD Connect. Search for Passthru Authentication.
I am not clear on your point about Secure Gateway and authenticate via HR system. HR system can act as identity source, but you don't have to rip apart your whole Azure AD Connect infra for it. Depending on which HR system, you might be able to fit it right in. (Look for Azure AD identity inbound provisioning).

Hope this helps.

Vik