Azure AD Connect SSO


O365 office, 30 users, been on O365 for 3 years. Life is great. 

When I set up O365, I just created new users in the cloud and implemented hyper secure passwords, informing my users they would no longer have to change them every 90 days. (10 characters at least, Cap+Num+Sym). So we've had on prem and cloud accounts. No big deal, same passwords, everything is fine. Yea, you have to reenter passwords sometimes but my users were fine with it.

Now I want to end this and do SSO. I've been hemming and hawing about this for weeks. 

A few questions:

  • Every single thing I read "Make sure you install this on 2 servers for redundancy". I only have one 2012 server. Since I started here 8 years ago we have been shutting servers down, not adding more. We had 4 when I started 8 years ago. Today we have 2 but the 2nd is a 2003 server that ONLY handles DNS and basically backs up the 2012. But connect won't run on that. And I plan to shut that down 1Q 2020. Thoughts on that?
  • According to this: "If you uninstall a Pass-through Authentication Agent from a server, it causes the server to stop accepting sign-in requests. To avoid breaking the user sign-in capability on your tenant, ensure that you have another Authentication Agent running before you uninstall a Pass-through Authentication Agent." I want to test this today on my computer. If I don't like it or something doesn't work I cannot go back without a different AA in place? It just won't start working again like it does right now?
  • Am I missing anything else?

Am I overthinking this? (I'm sure I am, I am overly protective of my infrastructure). 

4 Replies

Hi @AliceChained,

 

To have SSO when you do not want to have on-premises servers, you can do it with Azure Active Directory Domain Services. Below are some links about your scenario.

 

https://azure.microsoft.com/en-us/services/active-directory-ds/ 

https://docs.microsoft.com/en-us/azure/active-directory-domain-services/

https://docs.microsoft.com/en-us/azure/active-directory-domain-services/compare-identity-solutions

https://docs.microsoft.com/en-us/azure/active-directory-domain-services/overview

 

Best regards,

Nuno Árias Silva


@AliceChained Hi

You are fine with one AD Connect server. If your server dies, you will have lost the whole of AD which will be more of an issue. Assuming you can recover your on-prem AD, then you will just be able to reinstall AD connect and it will carry on syncing as before. So don't worry about that.

What you need to be more careful of is making sure that AD connect will correctly match up on-prem users with existing cloud users. You don't want to end up with duplicates. This is called soft matching, basically the UPN and primary SMTP address (proxyaddress) need to match, see https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-existing-tenan... for more info.

 

Finally, how are you going to manage email attributes when you are in sync? You may not know that once users are synced from your AD, all email attributes have to originate in your AD (it won't let you do this in Exchange Online any more). You have 2 options:

1. Use AD Users and Computers attribute editor to edit proxyaddresses. This is unsupported however.

2. Install a free Exchange server which is just used for managing user attributes. For Office 365 plans you get a free Exchange Server Hybrid Key: http://aka.ms/hybridkey
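
A pre-sync check for the soft-matching concern raised in the reply above, as an added example that is not part of the original thread. It follows the reply's description (UPN and primary SMTP address must line up); `Get-PrimarySmtp`, `Test-SoftMatch` and the `example.com` users are hypothetical names and constructed sample data.

```powershell
# Added example; the user objects below are constructed sample data.
# In a real run $onPrem could come from:
#   Get-ADUser -Filter * -Properties proxyAddresses
# and $cloud from an export of the tenant's existing users.

function Get-PrimarySmtp {
    param([string[]]$ProxyAddresses)
    # The primary address carries an upper-case "SMTP:" prefix;
    # secondary addresses use lower-case "smtp:".
    $primary = $ProxyAddresses | Where-Object { $_ -clike 'SMTP:*' } | Select-Object -First 1
    if ($primary) { $primary.Substring(5).ToLowerInvariant() }
}

function Test-SoftMatch {
    param(
        [Parameter(Mandatory)] [object[]]$OnPremUsers,
        [Parameter(Mandatory)] [object[]]$CloudUsers
    )
    # Index the cloud users by UPN and by primary SMTP address.
    $byUpn = @{}; $bySmtp = @{}
    foreach ($c in $CloudUsers) {
        $byUpn[$c.UserPrincipalName.ToLowerInvariant()] = $c
        $smtp = Get-PrimarySmtp $c.ProxyAddresses
        if ($smtp) { $bySmtp[$smtp] = $c }
    }
    foreach ($u in $OnPremUsers) {
        $smtp    = Get-PrimarySmtp $u.ProxyAddresses
        $upnHit  = $byUpn[$u.UserPrincipalName.ToLowerInvariant()]
        $smtpHit = if ($smtp) { $bySmtp[$smtp] }
        # Match   = UPN and primary SMTP both point at the same cloud user
        # Partial = only one attribute lines up (fix before the first sync)
        # NoMatch = no existing cloud user lines up with this account
        $status = 'NoMatch'
        if ($upnHit -or $smtpHit) { $status = 'Partial' }
        if ($upnHit -and $smtpHit -and
            $upnHit.UserPrincipalName -eq $smtpHit.UserPrincipalName) { $status = 'Match' }
        [pscustomobject]@{
            OnPremUpn   = $u.UserPrincipalName
            PrimarySmtp = $smtp
            CloudByUpn  = $upnHit.UserPrincipalName
            CloudBySmtp = $smtpHit.UserPrincipalName
            Status      = $status
        }
    }
}

$onPrem = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@example.com';      ProxyAddresses = @('SMTP:alice@example.com', 'smtp:a.smith@example.com') }
    [pscustomobject]@{ UserPrincipalName = 'bob@corp.example.local'; ProxyAddresses = @('SMTP:bob@example.com') }
    [pscustomobject]@{ UserPrincipalName = 'dave@example.com';       ProxyAddresses = @() }
)
$cloud = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@example.com'; ProxyAddresses = @('SMTP:alice@example.com') }
    [pscustomobject]@{ UserPrincipalName = 'bob@example.com';   ProxyAddresses = @('SMTP:bob@example.com') }
)
Test-SoftMatch -OnPremUsers $onPrem -CloudUsers $cloud | Format-Table -AutoSize
```

Rows reported as `Partial` or `NoMatch` are the accounts to reconcile in on-prem AD before enabling sync.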


@Nuno Silva Thank you for that. Still reading those. I'm absolutely not opposed to keeping one server in house, though. I certainly still do need a Print server for the foreseeable future.

 

@CloudHal Ha. Great point about only one server. Thanks for that.

I read that existing Tenant document already. I've been reading and researching this for some time. 

My on prem UPN has been set to the FQDN for some time. That was one of my biggest fears, duplicate users or breaking existing email accounts.

Re: managing attributes. Wait wait wait... what? Ok, this is the first I've heard that I should install... an Exchange server?!? Did I mention I've been reading and researching this for a while?!? And AD Users & C is... unsupported? What? WHAT? I can't wrap my head around MS not supporting that method. ha. 

I'm not screwing around with a server just to do that. The day I decommissioned my Exchange server was a happy day. lol So without a server, do I have to CREATE new users in ADSIEdit too?   

 


@AliceChained yes this is a surprise to a lot of people...basically as soon as you are syncing from on-prem AD, you have to manage email attributes in your on-prem AD (otherwise you would not be able to add secondary SMTP address for example), and currently, the only supported way of doing that is using Exchange.

 

If you do not want to do that, you can just create users in AD as normal, and use AD Users & Computers (Advanced view - attribute editor) to define the SMTP addresses (in the proxyaddress attribute). Check out this page: https://docs.microsoft.com/en-gb/exchange/decommission-on-premises-exchange?redirectedfrom=MSDN

'The question of whether a third-party management tool or ADSIEDIT can be used is often asked. The answer is you can use them, but they are not supported. The Exchange Management Console, the Exchange admin center (EAC), and the Exchange Management Shell are the only supported tools that are available to manage Exchange recipients and objects. '