On-premises ADDS & O365 Integration path...

  • Question

  • Hi All,

    Small business client already has a fully functioning O365 tenant with email in the MS cloud.

    I would like to deploy on-prem ADDS for security reasons but need to ensure an SSO experience between on-prem and O365 Azure AD tenant. Business has 5 permanent home users.

    My plan after some investigation is...

    1. Build an on-prem abc.com domain controller (they have VLC licensing for Server 2016 Std.)
    2. Create AD users
    3. Install Azure AD Connect
    4. Set up directory sync, using pass-through authentication with the UserPrincipalName.

    Will this work? Will the directory sync seamlessly tie up the on-prem users with the corresponding Azure AD users and mailboxes?


    • Edited by durrie Thursday, February 28, 2019 1:30 PM
    Thursday, February 28, 2019 1:29 PM
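The question of whether sync will "tie up" existing cloud users with the new on-prem accounts comes down to whether Azure AD Connect can soft-match each on-prem user to a cloud user by UPN or primary SMTP address. The following is an added pre-sync check, not code from the thread; it assumes the ActiveDirectory and MSOnline PowerShell modules, a Global Admin credential, and that the on-prem domain is abc.com as in the post.

```powershell
# Added example (not from the thread): before enabling directory sync, list every
# enabled on-prem user and whether it would soft-match an existing Azure AD user.
# Assumes the ActiveDirectory and MSOnline modules are installed on the DC.
Import-Module ActiveDirectory
Import-Module MSOnline
Connect-MsolService   # prompts for a Global Admin credential

# Index cloud users by UPN and by primary SMTP address (lower-cased for comparison)
$byUpn  = @{}
$bySmtp = @{}
foreach ($u in Get-MsolUser -All) {
    $byUpn[$u.UserPrincipalName.ToLower()] = $u
    # The primary SMTP address is the one prefixed with upper-case "SMTP:"
    $primary = $u.ProxyAddresses | Where-Object { $_ -clike 'SMTP:*' } | Select-Object -First 1
    if ($primary) { $bySmtp[$primary.Substring(5).ToLower()] = $u }
}

# UPN suffixes must be verified in the tenant; a .local suffix would not sync cleanly
$verified = (Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' }).Name

$report = foreach ($a in Get-ADUser -Filter 'Enabled -eq $true' -Properties mail, proxyAddresses) {
    $upn  = if ($a.UserPrincipalName) { $a.UserPrincipalName.ToLower() } else { '' }
    $smtp = $a.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' } | Select-Object -First 1
    if ($smtp) { $smtp = $smtp.Substring(5).ToLower() } elseif ($a.mail) { $smtp = $a.mail.ToLower() }

    $suffix = if ($upn) { $upn.Split('@')[-1] } else { '' }
    $result = if ($upn -and $byUpn.ContainsKey($upn)) { 'UPN match' }
              elseif ($smtp -and $bySmtp.ContainsKey($smtp)) { 'SMTP match (UPN differs, fix before sync)' }
              else { 'NO MATCH - sync would create a new cloud user' }

    [pscustomobject]@{
        SamAccountName = $a.SamAccountName
        OnPremUPN      = $upn
        PrimarySMTP    = $smtp
        RoutableUPN    = ($suffix -in $verified)
        SoftMatch      = $result
    }
}
$report | Sort-Object SoftMatch | Format-Table -AutoSize
```

Any user reported as NO MATCH or with RoutableUPN false is one that would end up duplicated or unlinked after the first sync, so fix the UPN or primary SMTP on-prem before installing Azure AD Connect.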

Answers

  • Well, how do you manage them via group policies if they never connect to the corporate network after the initial setup? :) Might want to look into some of the cloud-based management tools instead; Microsoft's offering for that is Intune.
    • Marked as answer by durrie Friday, March 8, 2019 12:31 PM
    Wednesday, March 6, 2019 7:36 PM

All replies

  • Seamless SSO experience is only possible from domain-joined devices; the home users will have to VPN in. Plus, PTA on its own doesn't offer seamless SSO; for that you will have to deploy AAD Connect SSO (smart links as well if you want to make it truly seamless).
    • Proposed as answer by Niko.Cheng Friday, March 1, 2019 8:52 AM
    Thursday, February 28, 2019 7:10 PM
  • Hi durrie,

    Agree with Vasil. Azure AD Seamless SSO automatically signs users in when they are on their PCs or devices that are connected to their organization network.

    For details, see: Azure Active Directory Seamless Single Sign-On


    Best Regards,
    Niko Cheng

    Friday, March 1, 2019 9:00 AM
  • Hi Vasil,

    Thank you for the help, my plan is coming together...

    1. Build an on-prem abc.com domain controller using Server 2016 Std.
    2. Create AD users on-premises
    3. Install Azure AD Connect on DC
    4. Set up "Azure Active Directory Seamless Single Sign-On" - e.g. https://youtu.be/PyeAC85Gm7w
    5. Domain join ALL users' PCs & laptops while on-premises
    6. Set up PC & laptop user profiles and Outlook profiles while on-premises

    My core question still remains unanswered in my head...

    During step 6 - client-side configuration on-premises - will "AAD SSSO" seamlessly tie together my on-premises AD user accounts with the O365 Azure AD tenant user accounts, with Outlook Autodiscover etc., so that my users have one password for everything?

    And then...when I send the home users home again...now that they would be using "AAD SSSO" with logon creds stored on-premises...

    Will they be able to reset expired passwords using "AAD SSSO", or will they need to VPN into the office to get a direct connection to the on-premises ADDS where their creds actually reside, as I understand it?


    • Edited by durrie Friday, March 1, 2019 1:06 PM
    Friday, March 1, 2019 1:01 PM
  • Thanks Niko,

    My plan was definitely to get home users to bring their devices into the office for direct domain joining and initial profile setup.

    Once Azure AD Seamless SSO is configured and their devices and profiles are successfully configured on-premises...when they go home again...

    After their passwords expire due to GPO password settings in the on-premises AD, does Azure AD Seamless SSO allow them to 'seamlessly' change their passwords on both their user and machine accounts?

    Or will they still need to come in or VPN connect to have the password change sync to their machine account to maintain the true SSO experience?

    Friday, March 1, 2019 1:13 PM
  • They will need to VPN. Perhaps a better solution for your scenario will be to join the devices to Azure AD: https://docs.microsoft.com/en-us/azure/active-directory/devices/overview
    Friday, March 1, 2019 8:10 PM
  • Thanks Vasil you have been a HUGE help...I think I am 98% there now after reading the links you sent.

    One last question if I may!?

    Surely I would be better off getting ALL devices onsite and configuring Hybrid Azure AD joined devices...as I understand it from the literature...!?

    Hybrid Azure AD joined devices = On-prem AD joined + automatically Azure AD registered devices.

    This would allow me to manage home users via group policy and other on-prem AD tools as if they are "remotely connected" on-prem AD devices - correct?

    Wednesday, March 6, 2019 3:38 PM
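Whether a PC actually ended up hybrid Azure AD joined (on-prem domain joined and registered in Azure AD) and holds the Primary Refresh Token that Azure AD SSO relies on can be read from `dsregcmd /status`, which is built into Windows 10. This is an added check, not part of the thread; it assumes it is run on the user's PC in that user's session after the device has been through the on-prem setup.

```powershell
# Added example (not from the thread): summarise the device's join state from
# "dsregcmd /status", which prints "Name : Value" lines in several sections.
# Run as the signed-in user, since the PRT (AzureAdPrt) is per user session.
$status = dsregcmd /status

function Get-DsregValue {
    param([string]$Name)
    # Match the first "  Name : Value" line for the requested field
    $line = $status | Where-Object { $_ -match "^\s*$Name\s*:\s*(\S+)" } | Select-Object -First 1
    if ($line -and $line -match "^\s*$Name\s*:\s*(\S+)") { return $Matches[1] }
    return 'UNKNOWN'
}

$domainJoined = Get-DsregValue 'DomainJoined'   # on-prem AD membership
$aadJoined    = Get-DsregValue 'AzureAdJoined'  # registered/joined in Azure AD
$prt          = Get-DsregValue 'AzureAdPrt'     # Primary Refresh Token present for this user

$state = if ($domainJoined -eq 'YES' -and $aadJoined -eq 'YES') { 'Hybrid Azure AD joined' }
         elseif ($domainJoined -eq 'YES')                       { 'Domain joined only (no Azure AD registration)' }
         elseif ($aadJoined -eq 'YES')                          { 'Azure AD joined only' }
         else                                                   { 'Not joined to either directory' }

[pscustomobject]@{
    DomainJoined  = $domainJoined
    AzureAdJoined = $aadJoined
    AzureAdPrt    = $prt
    DeviceState   = $state
    SsoReady      = ($state -eq 'Hybrid Azure AD joined' -and $prt -eq 'YES')
} | Format-List
```

If DeviceState shows hybrid joined but AzureAdPrt is NO, the user has not yet obtained a token from Azure AD and will be prompted for credentials until they sign in while connected to the domain.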
  • Crisis, this just keeps going...thanks for your help Vasil. I think I have enough info to go on now!

    Friday, March 8, 2019 12:33 PM