AD FS failover login to Office 365


Newbie here. We have an O365 environment where we log in to O365 via AD FS. We have had many unplanned outages (not controlled by IT, and many more scheduled) which have taken down power to our data center, which includes our AD FS server. How do others fail over to logging into the cloud instead of being down because of a power outage to your data center? We would like to use AD FS by default but fail over to the cloud if AD FS is down.

 

Thoughts? 

5 Replies

Hi Nathan,

 

You should have a high availability solution for AD FS with load-balanced AD FS and AD FS proxy servers. You can switch from single sign-on to password sync manually during an outage to give your users access to Office 365 applications. Or you can enable password sync as a backup option if single sign-on won't work.

 

You can find more information here: https://social.technet.microsoft.com/wiki/contents/articles/17857.dirsync-how-to-switch-from-single-...

 

https://www.edx.org/course/manage-office-365-identities-microsoft-cld243x

 

- Dominik
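The manual switch Dominik describes, as an added PowerShell example that is not part of this thread (it assumes the MSOnline module, Global Administrator rights, a placeholder domain name, and that password hash sync was already enabled in Azure AD Connect before the outage):

```powershell
# Added example (not from the original thread): outage runbook that moves a federated
# domain to cloud (managed) authentication so users sign in with synced password hashes.
# Assumptions: MSOnline module installed, Global Administrator account, and password
# hash sync enabled in Azure AD Connect BEFORE the outage (hashes cannot be synced
# while the on-premises side is down).
param(
    [Parameter(Mandatory = $true)][string]$DomainName,   # placeholder, e.g. contoso.com
    [switch]$WhatIf
)

Import-Module MSOnline -ErrorAction Stop
Connect-MsolService   # interactive sign-in; no credentials are stored in this script

$domain = Get-MsolDomain -DomainName $DomainName -ErrorAction Stop
Write-Host "Current authentication type for ${DomainName}: $($domain.Authentication)"

if ($domain.Authentication -ne 'Federated') {
    Write-Host "Domain is already managed; nothing to do."
    return
}

# Guard: confirm at least one directory-synced user exists in the domain. If nothing is
# synced, switching to managed authentication would lock everyone out, so stop here.
$sample = Get-MsolUser -DomainName $DomainName -MaxResults 1 |
    Where-Object { $_.LastDirSyncTime }
if (-not $sample) {
    Write-Warning "No directory-synced user found in $DomainName; aborting the switch."
    return
}

if ($WhatIf) {
    Write-Host "WhatIf: would run Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Managed"
    return
}

# Set-MsolDomainAuthentication changes only the cloud-side setting, so it works while the
# AD FS farm is unreachable. Convert-MsolDomainToStandard also tries to remove the relying
# party trust on the AD FS server and therefore fails when that server is down.
Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Managed
Write-Host "$DomainName switched to managed authentication; record the time in the change log"
Write-Host "and test a sign-in with a synced account before announcing the workaround."
```

After the data center is back, federation is restored by running Convert-MsolDomainToFederated on the AD FS server, which recreates the relying party trust and sets the domain back to Federated.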

Hi Nathan,

 

I agree with Dominik's comments.

 

More food for thought here: https://gallery.technet.microsoft.com/ADFS-Design-Considerations-f30c0b95

 

Also, see the discussion here on switching from federated to synchronized identity - especially if ADFS is offline.

https://techcommunity.microsoft.com/t5/Identity-Authentication/Advice-on-moving-from-AD-Connect-with...

Better yet, as your organization doesn't seem to have the operational maturity to use AD FS, consider switching to Pass-through auth (https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-pass-thr...). It offers almost all benefits of AD FS, with a greatly reduced on-premises footprint.

I agree. Pass Through Authentication is worth considering too. Just be sure to check the supported / unsupported scenarios, especially if using legacy Office client applications (Office 2013 or earlier).

 

https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-pass-thr...

Thanks everyone for the responses.  I am working with our Infrastructure Team on next steps.