Feb 23 2021
- last edited on
Jan 14 2022
The article above has got me curious and I can't find an answer to my questions. I've also opened an issue on GitHub, and have read as many blog articles as I can find, but all that I've found just repeat the info that is stated in the Docs article.
In the section Configure hybrid Azure AD join step 6.b states:
Select the authentication service. You must select AD FS server unless your organization has exclusively Windows 10 clients and you have configured computer/device sync, or your organization uses seamless SSO.
So then, let's say we have all Windows 10, the statement leaves two possibilities:
I can understand that if we fall into #1, then we need to select our ADFS for the Authentication Service. But why is that? SSSO involves automatic logon to an internet (Microsoft/Azure AD) URL; it doesn't involve ADFS. For ADFS' own SSO to work, the ADFS STS URL (or FQDN) needs to be added to the Local Intranet zone which needs to be configured for for automatic logon. So SSSO and ADFS SSO are two different things. Therefore, it's not clear why SSSO has any bearing on this choice for the SCP config's Authentication Service. What is the reason for this?
Next, if we fall into #2 (no SSSO configured in AAD Connect (and related additional config that goes with it)), why might we choose ADFS over Azure AD? Similarly, why might we choose Azure AD over ADFS?
There is one other part of the article that is also unclear to me, again related to the Authentication Service. If we have the Authentication Service set to use Azure AD, do we still need to worry about this ADFS-based pre-requisite?:
A federated environment should have an identity provider that supports the following requirements. If you have a federated environment using Active Directory Federation Services (AD FS), then the below requirements are already supported.
WIAORMULTIAUTHN claim: This claim is required to do hybrid Azure AD join for Windows down-level devices.
WS-Trust protocol: This protocol is required to authenticate Windows current hybrid Azure AD joined devices with Azure AD. When you're using AD FS, you need to enable the following WS-Trust endpoints: /adfs/services/trust/2005/windowstransport /adfs/services/trust/13/windowstransport /adfs/services/trust/2005/usernamemixed /adfs/services/trust/13/usernamemixed /adfs/services/trust/2005/certificatemixed /adfs/services/trust/13/certificatemixed
Specifically the WS-Trust protocol.. If the SCP / Authentication Service is pointing to Azure AD, I'm unsure if this requirement is still relevant. I assume the answer to this last part is yes, and the reason for that assumption is the Office 365 relying party trust claim rules that need to be added to support HAADJ. Not sure though if I'm correct on this assumption or not.
Does anyone happen to have clarity around this that you can share with me?
Thanks in advance.
Apr 12 2021 07:34 AM
Apr 21 2021 06:28 AM
I agree it's somewhat convoluted and I can't answer all of your questions but in terms of the authentication service, this is my understanding - think of how a user authenticates when logging into a laptop let's say - is it against a domain controller or Azure AD? Since we're talking about Hybrid Azure AD Join, Azure AD Connect, etc. I'm assuming in your case it's the first and you're dealing with a federated domain so the authentication service would be your ADFS server. Similarly, when you log into portal.office.com or portal.azure.com etc. and enter firstname.lastname@example.org Microsoft will recognize the domain is federated and send you to your ADFS server to enter your credentials. If you were logging in as email@example.com, then authentication would happen on Microsoft's end in Azure AD and that would be your authentication service.
As to Seamless SSO in the context of Hybrid Azure AD Join and Windows 10, please note this bit from the docs:
"For Windows 10, Windows Server 2016 and later versions, it’s recommended to use SSO via primary refresh token (PRT).
Seamless SSO needs the user's device to be domain-joined, but it is not used on Windows 10 Azure AD joined devices or hybrid Azure AD joined devices. SSO on Azure AD joined, Hybrid Azure AD joined, and Azure AD registered devices works based on the Primary Refresh Token (PRT)"
Apr 28 2021 04:56 AM
Nov 04 2021 08:22 AM
Nov 04 2021 09:44 AM
But the explanation is a little more detailed than just that we need to sync the OU where the devices sit if/when we choose Azure AD as the Authentication Service.
The answer is that when we have ADFS in use / domains are federated in our O365 tenant, then we can pick either option in AAD Connect for the Authentication Service. Both will work. BUT, when you choose Azure AD, A) you have to make sure you sync the OU where the devices are, and B) you should expect a delay for Hybrid Azure AD Join process to be fully complete and reflect in Azure AD, and this is due to having to wait for the AAD Connect sync interval to take place.
When you choose ADFS instead, the syncing of the OU where the devices are isn't required, because the registered devices will be registered in ADFS/on-premises AD, and so there is no sync delay before the Hybrid Azure AD Join state can be satisfied.
Quoted directly from the GitHub issue, here was my final confirmed explanation, which they confirmed as correct:
to confirm I understand this correctly, customers with federated identity can set the SCP to either ADFS or AAD, but the ADFS option is the one that circumvents the AAD Connect sync delay. If the sync delay is not a concern, those federated customers can instead set the SCP to AAD.
Sound correct? And thanks for coming back to this issue.
It's still a little fuzzy for me as to what would be smarter/smartest to advise a customer to go with, but I will say, I would advise against ADFS in favor of federating directly with Azure AD (i.e., setup single sign-on for Azure AD apps). This opinion is based on the simplicity of Azure AD alone vs Azure AD + ADFS, which continually gets more and more complicated as new things get invented.
Jun 22 2022 11:26 PM
@Jeremy Bradshaw Hey Jeremy, so glad to see this response. Would this explain why hybrid domain join devices (with ADFS) will not sync to Azure AD? Meaning if you disable an OnPrem AD computer, it will not be disabled in Azure AD. I'm wondering how to manage stale computer objects when you have a hybrid domain join with ADFS.
Jun 23 2022 04:20 AM - edited Jun 23 2022 04:54 AM
AD FS has nothing to do with syncing attribute values. That's the sole purview of AAD Connect.
If you jump onto the AAD Connect box - and assuming you have the necessary rights to run it - you can launch the sync engine console (miisclient.exe) to check out any synchronisation errors, or even just to get some insight as to what is synchronising from your on-premise forest to Azure Active Directory.
You'd also want to check the AAD Connect configuration wizard to ensure nobody's either discontinued device synchronisation or perhaps even scoped out the on-premise organisational unit you're currently focusing on checking.
You can also break out to a number of different PowerShell modules that cover everything from AD, to AAD Connect, and then AAD itself, but that's not a great place to start. Check your sync configuration and any errors first as mentioned above.
Edited: Spelling correction.
Jun 23 2022 04:20 PM
@LainRobertson hey Lain, thx for the reply...i understand that AAD connect is the one doing the syncing, not ADFS. What i wanted to clarify is this statement from Microsoft below regarding managing stale hybrid domain join devices
If you have Hybrid Domain Join with ADFS, machines disabled onPrem will not be synced to Azure AD
Jun 23 2022 04:43 PM - edited Jun 23 2022 09:40 PM
That's not correct.
What the boxed-in-red part is saying is that if you:
This is simply because AAD Connect will only manage Windows 10 or later device objects.
The reference to AD FS is simply acknowledging that it performs an authentication function in environments that have AD FS (even if you don't use AAD Connect), and for which the registered domain is classified as Federated and not Managed.
Here's an illustration of a disabled Windows 10 device in AAD (first command line result) and on-premise (second command line result.)
Below, you can see from miisclient.exe (on the AAD Connect host) where and how this is being calculated from on-premise.
Lastly, you can see via the official documentation that this is an intended attribute flow (i.e. not something we've customised.)
In short, if your domain is Federated, you operate AAD Connect and have Windows 10 devices, then enabled/disabled should certainly (subject to AAD Connect configuration, scoping, etc.) be synchronising.
Edited: Re-phrased fourth paragraph to be less ambiguous (hopefully) in it's interpretation, plus fixed a typo.