SOLVED

AzureAD login and ADFS for O365 question

Occasional Contributor

I'd like to get some input on the following situation.

We are running a hybrid setup with ADConnect (password sync) and ADFS (federated domain hence).

For the future we would like to have password reset at Azure AD site.

I strongly think we will need Azure Premium for the password writeback and self-service password reset.

Questions that come to my mind are:

- preferably I would keep ADFS for in-house users (domain-joined PCs); they just log onto the computer to get access to mail etc. Is that possible and still have Azure AD password management?

- how is the above influenced should we start to use Intune and join computers to AzureAD (and not to the on-premise AD)?

Thanks for your input

2 Replies
What's the requirement for ADFS?
Best Response confirmed by Martin Meraner (Occasional Contributor)
Solution

As @Warwick Ward mentioned, you might want to evaluate the use of AD FS, and I would add to that the need to purchase additional licensing. AD FS can also offer password reset/change functionality, sans the need for Azure AD Premium licenses. To answer the question, yes, you can have password writeback in federated scenarios.

Pass-through auth/SSO can offer an experience very similar to AD FS, without the overhead of additional servers. However, that's only relevant to O365; if you are using the AD FS server to federate with other parties, you might not be able to get a similar experience with Azure AD.
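An added example, not part of the thread and not Microsoft's own tooling: before deciding whether password writeback fits a federated setup, an admin can confirm from PowerShell which verified domains are actually Federated versus Managed, and whether writeback is switched on at the Azure AD Connect server. The Microsoft Graph cmdlets `Connect-MgGraph` and `Get-MgDomain` are real; the `Get-ADSyncAADPasswordResetConfiguration` cmdlet from the ADSync module on the Connect server and the connector name `contoso.onmicrosoft.com - AAD` are assumptions you should replace with your own values.

```powershell
# Added example (not from the thread). Run part 1 from any workstation with the
# Microsoft Graph PowerShell SDK; run part 2 on the Azure AD Connect server itself.

# --- Part 1: which domains are federated (AD FS) and which are managed (PHS/PTA)? ---
# Domain.Read.All is the least-privilege scope needed to list verified domains.
Connect-MgGraph -Scopes "Domain.Read.All" | Out-Null

$domains = Get-MgDomain | Where-Object { $_.IsVerified } |
    Select-Object Id, AuthenticationType, IsDefault

# AuthenticationType is "Federated" when sign-in is redirected to AD FS,
# "Managed" when Azure AD validates the credential itself (PHS or PTA).
$domains | Format-Table -AutoSize

$federated = $domains | Where-Object { $_.AuthenticationType -eq 'Federated' }
if ($federated) {
    Write-Host ("Federated domains: " + ($federated.Id -join ', '))
    Write-Host "Password writeback is still possible here; SSPR is handled by Azure AD while"
    Write-Host "interactive sign-in continues to go through AD FS."
} else {
    Write-Host "No federated domains: all sign-in is handled by Azure AD (PHS/PTA)."
}

# --- Part 2: is password writeback enabled on the Azure AD Connect server? ---
# ASSUMPTION: cmdlet and connector name; adjust the connector to match
# the "<tenant>.onmicrosoft.com - AAD" connector shown in the Synchronization Service UI.
$connector = "contoso.onmicrosoft.com - AAD"   # placeholder, not a real tenant
if (Get-Command Get-ADSyncAADPasswordResetConfiguration -ErrorAction SilentlyContinue) {
    Get-ADSyncAADPasswordResetConfiguration -Connector $connector
} else {
    Write-Host "ADSync module not found; run this part on the Azure AD Connect server."
}
```

The first part only needs read access to domain metadata, so it is safe to run as a review step; the second part requires local admin rights on the Connect server, which is where the writeback setting actually lives.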