Microsoft Tech Community
SOLVED

Azure Active Directory and ADFS

Copper Contributor

We had recently upgraded to M365 E3 with Azure AD Premium 1. We currently have ADFS configured (hybrid mode). We intended to have a back-up authentication in a situation where, if the AD on premise is down, the user should be able to get authenticated automatically by Azure AD.

How shall I go about that? How can I configure it so that if the AD on-prem is down, the authentication will automatically be handled by Azure AD? I understand that with ADFS the authentication is relying on the AD on premise. I also know about the AD Connect pass-through, but that is provided if the AD on premise is still running and ADFS is down. What about a situation where there is no access to the AD on premise?

Please advise.

6 Replies

There is no automatic fallback option, neither with AD FS nor PTA. First of all, you should be deploying them in an HA configuration, at least 2 machines and preferably in different datacenters, at a minimum. Some people choose to have one of the AD FS farm nodes in an Azure VM.

If all AD FS nodes are down, you have to perform manual actions to change the authentication method. Same goes for PTA. Having password sync configured as backup (https://social.technet.microsoft.com/wiki/contents/articles/17857.dirsync-how-to-switch-from-single-...) is a way to make the process faster/easier, but it's not an automatic failover solution.
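The manual switch described in the reply above, as an added example that is not part of the thread and not Microsoft's own script: it first checks that password hash sync is actually enabled in Azure AD Connect (the "password sync configured as backup" precondition), then reports the domain's current authentication type and, only when explicitly asked, converts the federated domain to managed authentication so sign-ins go straight to Azure AD. It assumes the MSOnline module (`Connect-MsolService`, `Get-MsolDomain`, `Set-MsolDomainAuthentication`; note that Microsoft is retiring MSOnline in favour of Microsoft Graph PowerShell) and the ADSync module (`Get-ADSyncAADCompanyFeature`), so it has to be run on the Azure AD Connect server by a Global Administrator. The domain name `contoso.com` is a placeholder.

```powershell
# Added example, not from the original thread. Placeholder domain: contoso.com
param(
    [string]$DomainName = "contoso.com",   # placeholder, replace with the federated domain
    [switch]$Switch                         # without this flag the script only reports
)

# 1. Verify password hash sync is really enabled in Azure AD Connect.
#    Without PHS, cloud users have no password to verify against once AD FS and the
#    on-premises DCs are unreachable, so the switch below would lock everyone out.
$feature = Get-ADSyncAADCompanyFeature
if (-not $feature.PasswordHashSync) {
    throw "Password hash sync is not enabled; converting '$DomainName' to managed would lock users out."
}

# 2. Inspect the current authentication type of the domain in Azure AD.
Connect-MsolService
$domain = Get-MsolDomain -DomainName $DomainName
Write-Host "Domain $DomainName is currently: $($domain.Authentication)"

if ($domain.Authentication -ne "Federated") {
    Write-Host "Nothing to do: domain is already managed."
    return
}

if (-not $Switch) {
    # Dry run by default: the change is deliberate and manual, never automatic.
    Write-Host "Dry run. Re-run with -Switch to convert the domain to managed authentication."
    return
}

# 3. Convert the domain. From now on Azure AD validates the synced password hashes
#    itself instead of redirecting users to the (unavailable) AD FS farm.
Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Managed
Write-Host "Domain $DomainName is now: $((Get-MsolDomain -DomainName $DomainName).Authentication)"
```

Run it once without `-Switch` during normal operations to confirm the PHS precondition holds before you ever need it; the reverse step (re-federating once AD FS is back) is again a manual `Set-MsolDomainAuthentication` call with the federation settings, which is why this is a documented runbook rather than an automatic failover.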

Thank you Vasil Michev for the clarification.

I re-looked into your reply. If I have Azure Active Directory already set up on the cloud and it is synced via Azure Active Directory Connect (AAD Connect), can I just install an instance of AD FS on the Azure cloud and get the user to be authenticated via AD FS on Azure and validated by Azure Active Directory? Does it still require the on-premises Active Directory then?
best response confirmed by Augustine Chua (Copper Contributor)
Solution

No, you can't, as Azure AD is NOT any sort of replacement for "traditional" AD. You cannot "join" servers to it. You can however spin up an Azure VM in the cloud and extend your on-premises AD with a DC running in Azure, and deploy AD FS as well. Take a look at the guidance here to get started: https://msdn.microsoft.com/library/azure/jj156090.aspx

Thank you again, Vasil, for the reply. Most of our users' email is residing on the cloud (O365 Exchange Online). Am I correct to say that I do not require AD FS to connect to my mail on the cloud, as it can be authenticated by Azure AD using the same login ID and password since I have configured Azure AD Connect, when I access them remotely, whereas users connected on the on-premises network will require AD FS to access the SaaS application on the cloud?

AD FS is not a requirement, it's just one of the available methods to configure in regards to authentication. AAD Connect with password sync will also allow you to use the same set of credentials, and so will PTA/SSO. In general, unless you have some specific requirements, AD FS is overkill, especially for small organizations.
