Do I need ADFS with a single UPN but two email domains in Office365?

  • Question

  • Hi Community,

    We have a current setup with ADFS 2.0 and latest AzureAD Connect on 2008R2.

    We have 2 email domains in Office365 (firm.com and company.com). Internal domain is business.internal.

    Our UPN in AD is set only to user@firm.com. This is also what the users use to login to their desktop or emails. So far we use only emails and Office2016.

    Of course they are still able to receive emails on user@company.com but this is not being used for logins.

    I have deployed AZURE AD Connect (in staging mode) on a new 2016 server and wonder if I really need to install/keep the ADFS setup?

    The AzureAD Connect config allows setting up Pass-Through Authentication with Enable Single Sign-On, and this article says that Seamless SSO does not apply to ADFS. https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso


    • Edited by MartyWalty Thursday, May 24, 2018 9:50 PM
    Thursday, May 24, 2018 9:38 PM

All replies

  • Hi Marty,

    Azure AD PTA is an alternative to using AD FS. It's based on a design premise that the cloud identity becomes the dominant identity rather than the corporate one with AD FS and you authenticate against Azure AD primarily and then against your corporate one, animated courtesy of Kerberos delegation. Whether you should or should not opt to embrace this solution is not a simple answer. For example, you've highlighted that you use AD FS 2.0, meaning that you've not updated your AD FS configuration for a number of years. Depending on a given point-of-view, one might take that as being:

    (a) your organization likes to make big jumps infrequently every few years and are technically aggressive when those jumps happen; ergo PTA might be a good solution

    (b) Conversely, the fact that you are using AD FS 2.0 / 2008 R2 might suggest that the company is traditional, not technically aggressive, and this cloud thing, Office 365 notwithstanding, is all a bit new

    (c) somewhere in-between or some other reason that my lack of imagination couldn't come up with :)

    Should you wish to move towards the Identity-as-a-Service concept that Microsoft offer, understand that there are numerous benefits that this brings to the plate and, of course, some limitations. It's incumbent on you to work out what those things are and consider whether you or your organization/security team are ready to move in that direction.


    Thursday, May 24, 2018 10:44 PM
  • Thanks for your quick reply.

    As you said it is an alternative to ADFS so I understand I could drop the ADFS setup and just go with AzureAD PTA+SSO?

    Please correct me if I am wrong: as we only have 1 domain UPN for authentication to O365 and for the Office2016 license, ADFS is not required here anyway?

    I believe the reason for staying on ADFS2.0 for a long time was "it's working, why change it". But moving forward I would like to simplify the setup and use the latest technology. Also, pass-through and SSO are not supported on 2008R2.

    Someone told me that if you have 2 domains you need ADFS but apparently this is not the case anymore with AzureAD+PTA+SSO?

    Thursday, May 24, 2018 11:08 PM
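The thread turns on which domains matter for sign-in: Azure AD authenticates on the UPN suffix, while the SMTP domains in proxyAddresses only affect mail routing. The following pre-migration audit is an added example, not code from the thread or from Microsoft; it runs over a constructed AD export and an assumed set of verified tenant domains, separating sign-in suffixes from mail-only domains and flagging UPNs whose suffix (such as the non-routable business.internal) Azure AD Connect would rewrite to the tenant's .onmicrosoft.com suffix.

```python
"""Audit which AD domains actually matter for Azure AD sign-in (PTA or AD FS)."""

# Constructed sample of an AD user export; these are not real accounts.
SAMPLE_USERS = [
    {"userPrincipalName": "alice@firm.com",
     "proxyAddresses": ["SMTP:alice@firm.com", "smtp:alice@company.com"]},
    {"userPrincipalName": "bob@firm.com",
     "proxyAddresses": ["SMTP:bob@company.com", "smtp:bob@firm.com"]},
    {"userPrincipalName": "svc-backup@business.internal",
     "proxyAddresses": ["SMTP:svc-backup@firm.com"]},
]
# Domains assumed to be verified in the Azure AD tenant (example values).
VERIFIED_DOMAINS = {"firm.com", "company.com"}


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of user@domain or SMTP:user@domain."""
    return address.split("@", 1)[1].lower()


def audit(users, verified_domains):
    """Classify sign-in (UPN) suffixes separately from mail (SMTP) domains.

    Returns the distinct UPN suffixes, the SMTP domains that are used for
    mail only (never for sign-in), and the UPNs whose suffix is not a
    verified domain and so would not be kept as the cloud sign-in name.
    """
    upn_suffixes, smtp_domains, unverified = set(), set(), []
    for user in users:
        suffix = domain_of(user["userPrincipalName"])
        upn_suffixes.add(suffix)
        if suffix not in verified_domains:
            unverified.append(user["userPrincipalName"])
        for proxy in user["proxyAddresses"]:
            smtp_domains.add(domain_of(proxy))
    return {
        "upn_suffixes": sorted(upn_suffixes),
        "mail_only_domains": sorted(smtp_domains - upn_suffixes),
        "unverified_upns": unverified,
    }


if __name__ == "__main__":
    result = audit(SAMPLE_USERS, VERIFIED_DOMAINS)
    print("sign-in suffixes :", result["upn_suffixes"])
    print("mail-only domains:", result["mail_only_domains"])
    print("UPNs to fix first:", result["unverified_upns"])
```

A second mail domain shows up only under mail-only domains, which is why it has no bearing on whether AD FS is needed; the UPNs listed last are the ones to correct before switching sign-in methods.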