Forum Discussion
Hybrid Azure AD Join (with ADFS present) question about SCP
This topic that is the "Authentication Service" is truly mysterious.
JeremyTBradshaw
I agree it's somewhat convoluted and I can't answer all of your questions, but in terms of the authentication service, this is my understanding. Think of how a user authenticates when logging into a laptop, let's say: is it against a domain controller or Azure AD? Since we're talking about Hybrid Azure AD Join, Azure AD Connect, etc., I'm assuming in your case it's the first and you're dealing with a federated domain, so the authentication service would be your ADFS server. Similarly, when you log into portal.office.com or portal.azure.com etc. and enter myname@myfederateddomain.xyz, Microsoft will recognize the domain is federated and send you to your ADFS server to enter your credentials. If you were logging in as myname@mycompany.onmicrosoft.com, then authentication would happen on Microsoft's end in Azure AD and that would be your authentication service.
As to Seamless SSO in the context of Hybrid Azure AD Join and Windows 10, please note this bit from the docs:
"For Windows 10, Windows Server 2016 and later versions, it’s recommended to use SSO via primary refresh token (PRT).
Seamless SSO needs the user's device to be domain-joined, but it is not used on Windows 10 Azure AD joined devices or hybrid Azure AD joined devices. SSO on Azure AD joined, Hybrid Azure AD joined, and Azure AD registered devices works based on the Primary Refresh Token (PRT)"
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso
JeremyTBradshaw, Apr 28, 2021, Iron Contributor
Thanks for the response. I guess I'm not getting any clarity still though about the docs article and the guidance on when vs. when not to set the authentication service to ADFS. By your description, and otherwise what makes sense, it seems if your O365 domains are federated then you should set it to ADFS. The other points (in the article, same section/paragraph) are like misplaced noise adding nothing but confusion.
Regarding Seamless SSO, I know that hybrid Azure AD joined devices still do in fact honor Internet Options' Automatic Logon to Intranet sites if that option is enabled and the Azure AD FQDN is added into the Intranet zone. So it's again sort of like a partial statement with some validity, but without being a better document it is just plain confusing and not making any sense, at least not fully.

Karim Zaki, Nov 04, 2021, Brass Contributor
GitHub answered your thread, I saw it.
They say you can choose either ADFS or Azure AD.
But when choosing Azure AD, remember to add the OU of the required computers.

JeremyTBradshaw, Nov 04, 2021, Iron Contributor
Karim Zaki, thanks for reminding me to update this thread. Yes, they did answer me in my GitHub issue, which is here.
But the explanation is a little more detailed than just that we need to sync the OU where the devices sit if/when we choose Azure AD as the Authentication Service.
The answer is that when we have ADFS in use / domains are federated in our O365 tenant, then we can pick either option in AAD Connect for the Authentication Service. Both will work. BUT, when you choose Azure AD, A) you have to make sure you sync the OU where the devices are, and B) you should expect a delay for the Hybrid Azure AD Join process to be fully complete and reflect in Azure AD, and this is due to having to wait for the AAD Connect sync interval to take place.
When you choose ADFS instead, the syncing of the OU where the devices are isn't required, because the registered devices will be registered in ADFS/on-premises AD, and so there is no sync delay before the Hybrid Azure AD Join state can be satisfied.
Quoted directly from the GitHub issue, here was my final confirmed explanation, which they confirmed as correct:
"To confirm I understand this correctly, customers with federated identity can set the SCP to either ADFS or AAD, but the ADFS option is the one that circumvents the AAD Connect sync delay. If the sync delay is not a concern, those federated customers can instead set the SCP to AAD.
Sound correct? And thanks for coming back to this issue."
It's still a little fuzzy for me as to what would be smarter/smartest to advise a customer to go with, but I will say, I would advise against ADFS in favor of federating directly with Azure AD (i.e., set up single sign-on for Azure AD apps). This opinion is based on the simplicity of Azure AD alone vs. Azure AD + ADFS, which continually gets more and more complicated as new things get invented.
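As an added example (not code from the thread or from Microsoft), here is a PowerShell check an admin can run from a domain-joined machine to see which authentication service the on-premises SCP actually points at, and to read the local device's join state from dsregcmd. It assumes the RSAT ActiveDirectory module, read access to the Configuration partition, the well-known SCP object path that Azure AD Connect and Initialize-ADDeviceRegistration write to, and the azureADName / azureADId / enterpriseDrsName keywords (the enterpriseDrsName mapping to ADFS is my understanding of the keyword, not something the thread states).

```powershell
Import-Module ActiveDirectory

function Get-HybridJoinScp {
    # Well-known SCP location for device registration (assumed, standard GUID)
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $scpDn = "CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,$configNc"
    $scp = Get-ADObject -Identity $scpDn -Properties keywords -ErrorAction Stop

    $result = [ordered]@{ DistinguishedName = $scpDn; AuthenticationService = 'Unknown' }
    foreach ($kw in $scp.keywords) {
        # Each keyword is "name:value"; split only on the first colon
        $name, $value = $kw -split ':', 2
        switch ($name) {
            'azureADName'       { $result.TenantName  = $value }   # Azure AD as auth service
            'azureADId'         { $result.TenantId    = $value }
            'enterpriseDrsName' { $result.AdfsDrsName = $value }   # ADFS device registration service (assumed keyword)
        }
    }
    if ($result.Contains('AdfsDrsName'))    { $result.AuthenticationService = 'ADFS' }
    elseif ($result.Contains('TenantName')) { $result.AuthenticationService = 'Azure AD' }
    [pscustomobject]$result
}

function Get-LocalJoinState {
    # dsregcmd /status prints lines such as "AzureAdJoined : YES" and "DomainJoined : YES"
    $out = (dsregcmd /status) -join "`n"
    $state = [ordered]@{}
    foreach ($field in 'AzureAdJoined', 'DomainJoined', 'TenantName') {
        if ($out -match "(?m)^\s*$field\s*:\s*(.+?)\s*$") { $state[$field] = $Matches[1] }
    }
    [pscustomobject]$state
}

$scpInfo = Get-HybridJoinScp
$scpInfo | Format-List
if ($scpInfo.AuthenticationService -eq 'Azure AD') {
    # This is the case the thread describes: the device OU must be in the AAD Connect sync scope,
    # and the join will not show in Azure AD until the next sync interval has run.
    Write-Warning 'SCP points at Azure AD: confirm the device OU is synced and allow for the AAD Connect sync delay.'
}

$local = Get-LocalJoinState
$local | Format-List
if ($local.DomainJoined -eq 'YES' -and $local.AzureAdJoined -ne 'YES') {
    Write-Warning 'Device is domain-joined but not yet Azure AD joined; if the SCP is Azure AD, this may simply be the sync delay.'
}
```

Run it as a user who can read the Configuration partition; if the SCP object is missing, Get-ADObject throws, which itself tells you Hybrid Azure AD Join has not been configured for that forest.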