
AD FS failover login to Office 365


Newbie here. We have an O365 environment where we log in to O365 via AD FS. We have had many unplanned outages (not controlled by IT, and many more scheduled) which have taken down power to our data center, which includes our AD FS server. How do others fail over to logging into the cloud instead of being down because of a power outage to your data center? We would like to by default use AD FS but fail over to cloud if AD FS is down.

 

Thoughts? 

5 Replies

Hi Nathan,

 

You should have a high availability solution for AD FS with load-balanced AD FS and AD FS proxy servers. You can switch from single sign-on to password sync manually during an outage to give your users access to Office 365 applications. Or you can enable password sync as a backup option if single sign-on won't work.

 

You can find more information here: https://social.technet.microsoft.com/wiki/contents/articles/17857.dirsync-how-to-switch-from-single-...

 

https://www.edx.org/course/manage-office-365-identities-microsoft-cld243x

 

- Dominik
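
The manual switch described in the reply above, as an added example that is not part of the original thread. It assumes the MSOnline PowerShell module, a cloud-only administrator account, and that password sync was already enabled before the outage; the parameter names and the backup path are the example's own.

```powershell
# Added example: emergency switch of a federated domain to managed (cloud) sign-in.
# Run from a machine outside the affected data center, signed in with a cloud-only
# admin account; an admin in the federated domain cannot authenticate while AD FS is down.
param(
    [Parameter(Mandatory = $true)]
    [string] $DomainName,                                # your federated domain
    [string] $BackupPath = ".\federation-settings.xml"   # hypothetical backup location
)

Import-Module MSOnline -ErrorAction Stop
Connect-MsolService

# 1. Cloud sign-in only works if password hashes were synchronized BEFORE the outage.
$company = Get-MsolCompanyInformation
if (-not $company.PasswordSynchronizationEnabled) {
    throw "Password sync is not enabled for this tenant; users would have no usable cloud password."
}
Write-Host "Last password sync reported by the tenant: $($company.LastPasswordSyncTime)"

# 2. Confirm the domain is actually federated right now.
$domain = Get-MsolDomain -DomainName $DomainName
if ($domain.Authentication -ne 'Federated') {
    Write-Host "$DomainName is already '$($domain.Authentication)'; nothing to do."
    return
}

# 3. Keep a record of the current federation settings for the change log and for failback.
Get-MsolDomainFederationSettings -DomainName $DomainName |
    Export-Clixml -Path $BackupPath
Write-Host "Federation settings saved to $BackupPath"

# 4. Flip the domain to managed. Unlike Convert-MsolDomainToStandard, this call
#    does not need to reach the AD FS server.
Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Managed

# 5. Verify the result.
$after = (Get-MsolDomain -DomainName $DomainName).Authentication
if ($after -ne 'Managed') { throw "Switch failed: $DomainName is still '$after'." }
Write-Host "$DomainName now uses cloud authentication."
```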

Hi Nathan,

 

I agree with Dominik's comments.

 

More food for thought here https://gallery.technet.microsoft.com/ADFS-Design-Considerations-f30c0b95 

 

Also, see discussion here on switching from federated to synchronized identity - especially if ADFS is offline

https://techcommunity.microsoft.com/t5/Identity-Authentication/Advice-on-moving-from-AD-Connect-with...

Better yet, as your organization doesn't seem to have the operational maturity to use AD FS, consider switching to Pass-through auth (https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-pass-thr...). It offers almost all benefits of AD FS, with greatly reduced on-premises footprint.

I agree. Pass Through Authentication is worth considering too. Just be sure to check the supported / unsupported scenarios, especially if using legacy Office client applications (Office 2013 or earlier).

 

https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-pass-thr...

Thanks everyone for the responses.  I am working with our Infrastructure Team on next steps. 
