ADFS for Office 365 questions

  • Question

  • Running a small shop (about 150 users), looking to migrate to Office 365, and I was reading through the documentation and I had some questions:

    1. Is the "federation server" referenced in Microsoft's documentation the or a domain controller? Can you run Federation Services for Active Directory on the Domain Controller? Most documentation seems to imply that the federation server is a separate host, however, office 365 wants adfs (or their connector software, to be specific) installed on a writable domain controller.

    2. Do you need a proxy server? If I have users who sometimes login from AD, then sometimes from the internet, do they need a proxy when logging in locally?

    3. How does AD for Azure and the ad connector software fit into this? If I have Ad for Azure, can that authenticate users without the need for a proxy? Locally, or on the internet? 

    4. If I install the Azure Ad connector, do I still need federation services at all? won't office 365 simply authenticate against Azure, which has the back end connection to the active directory?

    5. If I need federation services, can I install the azure connector now, setup and assign office 365 licenses, then install adfs later and turn it on or up to do SSO externally?

    6. If clients are authenticating locally (against the domain controller) and I have azure ad and the connector running, do those local clients need to re-authenticate w/ office 365, or will it be "handled" by the connector/azure for them?

    Am I getting confused between what the ad connector for Azure does, and what ADFS does, as far as Office365 is concerned? I think I might be.

    Are there any step by step comprehensive walkthrough, instructions, or scenarios for migrating from stand alone Active Directory without federation services installed to installing Azure Ad Connector, getting the AD setup, assigning licenses, getting adfs running for internal

    p.s. I have exactly zero dollars, and zero staff to do this. and zero test environment.

    Wednesday, July 26, 2017 8:24 PM

Answers

  • So, If I'm reading you right, here's the plan:

    1. I install the azure ad connector on our domain controller. This copies users & passwords & such so that, inside our network, it's single sign on (they authenticate /w the ad on a joined machine, they automatically get office 365 on that machine).

    I do not recommend installing Azure AD Connect on a Domain controller. I recommend it sit on its own VM. Once Azure AD Connect is in place it will synchronize users and allow for AD credentials across the board. Although if a user visits Office 365 they will require a logon. Azure AD Connect does have a Single Sign On Feature in Preview.

    Enable Single Sign on

    This option is available with both password sync and Pass-through authentication and provides a single sign on experience for desktop users on the corporate network. See Single sign-on for more information.
    Note for AD FS customers this option is not available because AD FS already offers the same level of single sign on.
    (if PTA is not released at the same time)


    2. If they want access outside our network (non-joined machine) I need adfs. Question: why can't they just go to office.microsoft.com & sign in that way? or does that require the adfs to be running?

    You do not need ADFS for someone outside to login to Office 365. If you have Azure AD Connect installed they can login with the same AD credentials. What they can't do is change passwords outside of your premises. 

    3. Once office is up, I move exchange to office365. That's a simple (ha!) process but it's separate. Does having Exchange with local ad mess up devices like ipads? I'm assuming that activesync works with O365, and there's no authentication issues?

    Mobile devices will continue to function.

    thanks again.

    • Marked as answer by Scott Renton Friday, July 28, 2017 6:36 PM
    Thursday, July 27, 2017 3:52 PM

All replies

    1. Is the "federation server" referenced in Microsoft's documentation the or a domain controller? Can you run Federation Services for Active Directory on the Domain Controller? Most documentation seems to imply that the federation server is a separate host, however, office 365 wants adfs (or their connector software, to be specific) installed on a writable domain controller.

    Active Directory Federation Server (ADFS) is what they are referencing. It is very confusing, because there is Federation in Exchange as well. ADFS is used for Single Sign On; most small companies do not need this. If you need to use your AD credentials to login to other applications, then you do need ADFS.

    If you simply want to use your AD credentials to login to the Office 365 tenant, you can simply leverage Azure AD Connect with password sync enabled also known as Same Sign On.

    2. Do you need a proxy server? If I have users who sometimes login from AD, then sometimes from the internet, do they need a proxy when logging in locally?

    The recommended configuration for ADFS is 4 servers: 2 proxy servers in the DMZ and 2 internal servers, all load balanced.

    This link has a how to.

    https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/windows-server-2012-r2-ad-fs-deployment-guide

    3. How does AD for Azure and the ad connector software fit into this? If I have Ad for Azure, can that authenticate users without the need for a proxy? Locally, or on the internet?

    Azure AD is the backend of Office 365; it's not really Active Directory. It communicates with your on-premises AD via Azure AD Connect.

    4. If I install the Azure Ad connector, do I still need federation services at all? won't office 365 simply authenticate against Azure, which has the back end connection to the active directory?

    If you do not need Single Sign On you will not need ADFS.

    5. If I need federation services, can I install the azure connector now, setup and assign office 365 licenses, then install adfs later and turn it on or up to do SSO externally?

    Absolutely!

    6. If clients are authenticating locally (against the domain controller) and I have azure ad and the connector running, do those local clients need to re-authenticate w/ office 365, or will it be "handled" by the connector/azure for them?

    If Azure AD Connect is in place with password sync the credentials will be the same (Same Sign On).

    Am I getting confused between what the ad connector for Azure does, and what ADFS does, as far as Office365 is concerned? I think I might be.

    It is very confusing, trust me!

    Are there any step by step comprehensive walkthrough, instructions, or scenarios for migrating from stand alone Active Directory without federation services installed to installing Azure Ad Connector, getting the AD setup, assigning licenses, getting adfs running for internal

    Azure AD does not replace AD, Azure AD Connect is a facilitator between on prem AD and Azure AD.

    p.s. I have exactly zero dollars, and zero staff to do this. and zero test environment.

    That’s ok!

    One thing I would like to add is the fact that users will not be able to change their passwords remotely unless they are on a domain joined machine and/or while on a domain joined machine with a VPN connection to the domain. Also, if you want Self-service password reset/change/unlock with write-back to on-premises directories anywhere, you will need Azure AD Premium 1 and above.

    https://www.microsoft.com/en-us/cloud-platform/azure-active-directory-features

    I hope this helps, and if it answers your questions, please mark appropriately.

    Thanks,

    JP

    Wednesday, July 26, 2017 10:47 PM
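    As an added example (not from this thread or from Microsoft's documentation), a read-only PowerShell check that reports, per verified tenant domain, whether sign-in is federated through ADFS or handled by Azure AD with password hash sync (the "Same Sign On" model JP describes), plus when directory and password sync last ran. It assumes the MSOnline module is installed and Connect-MsolService has already been run against the tenant.

    ```powershell
    # Added example: classify each verified domain's sign-in model.
    # Assumes: MSOnline module installed and Connect-MsolService already run.
    function Get-TenantSignInModel {
        [CmdletBinding()]
        param()

        # Tenant-wide sync facts: is Azure AD Connect syncing, and is password hash sync on?
        $company = Get-MsolCompanyInformation

        foreach ($domain in Get-MsolDomain) {
            # Unverified domains cannot be federated or used for sign-in; skip them.
            if ($domain.Status -ne 'Verified') { continue }

            # Authentication is Managed (Azure AD validates the password) or Federated (ADFS does).
            $model = switch ("$($domain.Authentication)") {
                'Federated' { 'Federated (ADFS handles sign-in)' }
                'Managed'   {
                    if ($company.PasswordSynchronizationEnabled) {
                        'Same Sign On (Managed + password hash sync)'
                    } else {
                        'Managed, cloud-only passwords (no password sync)'
                    }
                }
                default     { "Unknown ($($domain.Authentication))" }
            }

            [pscustomobject]@{
                Domain           = $domain.Name
                Authentication   = $domain.Authentication
                SignInModel      = $model
                DirSyncEnabled   = $company.DirectorySynchronizationEnabled
                LastDirSync      = $company.LastDirSyncTime
                LastPasswordSync = $company.LastPasswordSyncTime
            }
        }
    }

    # Stale LastDirSync / LastPasswordSync timestamps are the first sign that Azure AD Connect
    # has stopped syncing and that password changes on-premises are no longer reaching Office 365.
    Get-TenantSignInModel | Format-Table -AutoSize
    ```

    The script only reads tenant state; switching a domain between Managed and Federated is a separate, deliberate change made when ADFS is deployed.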
  • So, If I'm reading you right, here's the plan:

    1. I install the azure ad connector on our domain controller. This copies users & passwords & such so that, inside our network, it's single sign on (they authenticate /w the ad on a joined machine, they automatically get office 365 on that machine).

    2. If they want access outside our network (non-joined machine) I need adfs. Question: why can't they just go to office.microsoft.com & sign in that way? or does that require the adfs to be running?

    3. Once office is up, I move exchange to office365. That's a simple (ha!) process but it's separate. Does having Exchange with local ad mess up devices like ipads? I'm assuming that activesync works with O365, and there's no authentication issues?

    thanks again.

    Thursday, July 27, 2017 1:23 PM