Azure AD - ADFS accounts without synchronization

Copper Contributor

Hello guys,

Couple of simple (I hope) questions:

- is it possible to authenticate users through on-premise ADFS server in Azure without actually importing users to the Azure AD? Or the user always has to be imported because only then he gets Azure Id and can use Azure resources? 

- is there any option except Azure AD Connect to establish connection between ADFS server and Azure AD (so ADFS users can be authenticated)? The thing is that I don't have access to physical ADFS server, so I cannot install Azure AD Connect there.

Regards and thanks!

Tomasz

5 Replies

@zielonywojo 

 

Hi, you will need Azure AD Connect in order for this to work and have the users visible in Azure AD.  Check out - https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-whatis

 

The AADC server does not have to be on the same server as AD FS though.

@PeterRising so if I got that right - I may install and run Azure AD Connect on different machine and use it only for account synchronization, correct? This sounds promising. 

About user synchronization - I was kind of hoping it won't be needed to import all these users (it's around 5k in this particular case) to AAD, I'm worried a bit about that (it could be a nightmare in terms of management).

Thanks for quick answer!

Regards

Tomasz

 

@zielonywojo 

 

Yep, that's right.  AADC can be run on a different machine.  You'd need to run a custom installation and choose the option of Federation with AD FS as shown below.

 

Screenshot 2020-12-29 at 21.03.06.png

 

Question though - do you really need AD FS for O365?  Could you not go for Password Hash Sync or Pass through authentication instead?

@PeterRising 

The scenario here is that we have many users being in multiple external on-premises ADs. These on-premises ADs are gathered together in one master AD FS server and this is actually the only option from my point of view. The goal is to make it possible for these users to login to our App Service web app which we host in Azure. The requirement is to have SSO for these users, so they can reuse their domain accounts.

Regards

Tomasz

@zielonywojo 

 

I see, so no small task moving away from AD FS then.  I get it.