Oct 31 2022 05:37 AM
In my environment, I am using an ADFS on Windows server 2019.
I would like to apply the process to convert Azure Registered computers to Hybrid AD Join states using ADCONNECT server.
My question is:
Even though I have an ADFS working in my domain, could I use Azure Active Directory as Authentication Service instead of my ADFS on-prem? (during the process on ADCONNECT to Hybrid AD JOIN computers)
Oct 31 2022 07:18 PM - edited Oct 31 2022 07:19 PM
I think you’re asking two questions, the first one is converting Azure AD Registered devices to Hybrid Azure AD. The second one is authenticating to Azure AD instead of ADFS farm.
Question 1- You need to use GPO if the devices are joined to the domain. If not joined, you need to manually enroll it.
Question 2- You need to change the setting in your ADConnect to select different Sign in method like Password Sync, Passthrough or Seamless Single Sign On, here is a great post I used back in the day to move away from ADFS.
Hope this helps!
Nov 01 2022 02:45 PM - edited Nov 01 2022 02:49 PM
Configure Device Writeback in AD Connect and sync the OUs with machines, per Configure hybrid Azure Active Directory join for managed domains.
According to MSFT, such devices will convert from Azure AD Registered to Hybrid Azure AD Joined and in most cases will cleanup the old record. It may take a while for all devices to process, though. See: Plan hybrid Azure Active Directory join - Azure Active Directory.
Regarding Q2 and @Moe_Kinani's response, yes changing AD Connect would move away from ADFS, but just be aware it'd change the auth flow of the tenant. You could still use ADFS for other federated Relying Parties if needed, just the Office 365 integration would change over to Azure AD auth.
Please like and mark this thread as answered if it's helpful, thanks!
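Before pushing the hybrid join GPO described in the replies above, it helps to know which machines are still only Azure AD Registered (WorkplaceJoined) versus already Hybrid Azure AD Joined, and which ones sit in the dual state that the conversion is expected to clean up. The following PowerShell is an added example, not code from this thread or from Microsoft; it parses the `YES`/`NO` fields printed by `dsregcmd /status` (a built-in Windows tool) and classifies the device. The function name and the constructed sample output are assumptions for illustration.

```powershell
# Added example (not from the thread): classify a Windows device's join state
# from `dsregcmd /status` to find machines that are still Azure AD Registered
# rather than Hybrid Azure AD Joined before the GPO rollout.
# Assumptions: Windows 10/11 client with dsregcmd.exe available; the field
# names (AzureAdJoined, DomainJoined, WorkplaceJoined) are those dsregcmd prints.

function Get-DeviceJoinState {
    param(
        # Optionally pass captured dsregcmd output (e.g. collected from a remote
        # machine) instead of running the tool locally.
        [string[]]$StatusLines = (& dsregcmd.exe /status)
    )

    $fields = @{}
    foreach ($line in $StatusLines) {
        # Lines look like "             AzureAdJoined : YES"
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(YES|NO)\s*$') {
            $fields[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }

    # Missing keys evaluate to $null, i.e. false, so a partial dump still classifies.
    $state = if ($fields['AzureAdJoined'] -and $fields['DomainJoined']) { 'HybridAzureADJoined' }
             elseif ($fields['AzureAdJoined']) { 'AzureADJoined' }
             elseif ($fields['DomainJoined'] -and $fields['WorkplaceJoined']) { 'DomainJoined+AzureADRegistered (dual state)' }
             elseif ($fields['WorkplaceJoined']) { 'AzureADRegistered' }
             elseif ($fields['DomainJoined']) { 'DomainJoinedOnly' }
             else { 'NotJoined' }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        AzureAdJoined   = [bool]$fields['AzureAdJoined']
        DomainJoined    = [bool]$fields['DomainJoined']
        WorkplaceJoined = [bool]$fields['WorkplaceJoined']
        JoinState       = $state
    }
}

# Constructed sample output (not captured from a real machine) so the function
# can be exercised offline; this shape is a domain-joined PC that a user also
# Azure AD Registered, i.e. the dual state the hybrid join process should replace.
$sample = @(
    '+----------------------------------------------------------------------+',
    '| Device State                                                         |',
    '+----------------------------------------------------------------------+',
    '             AzureAdJoined : NO',
    '          EnterpriseJoined : NO',
    '              DomainJoined : YES',
    '+----------------------------------------------------------------------+',
    '| User State                                                           |',
    '+----------------------------------------------------------------------+',
    '           WorkplaceJoined : YES'
)
Get-DeviceJoinState -StatusLines $sample | Format-List

# Against the live machine, just call it with no arguments:
# Get-DeviceJoinState
```

Run it on a representative set of clients (or feed it `dsregcmd /status` output collected by your management tooling) before and after the GPO applies: devices should move from the dual state to `HybridAzureADJoined`, and any that stay in `DomainJoinedOnly` for a long time are the ones to check for connectivity to the device registration endpoints.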
Nov 02 2022 02:23 AM
Thanks Kurt for your reply, very helpful for me because I am a beginner.
My first goal is to convert all of the company's computers to hybrid ADJOINs.
We also have a future goal to get rid of ADFS, so that's why I'm wondering if instead of choosing our ADFS, I could choose Azure AD as the authentication service:
Many thanks for your help again,