ADFS with Office 365

  • Question

  • When we are using ADFS with Office 365 or any other cloud-based application, is it necessary to sync the user accounts to Azure AD?
    Since the authentication will happen on-premises, is it required to sync the on-premises users to Azure, or can we use SSO without syncing users to Azure AD?
    Also, while setting up SSO using ADFS, is it mandatory to exchange certificates between the account partner organization and the resource partner organization, or does just the metadata need to be exchanged?
    Wednesday, October 24, 2018 8:00 AM

All replies

  • Yes. Office 365 workloads do not have access to your on-prem directory. The only way for them to know your users exist is to sync them to a directory THEY can access. That's why you sync your users.

    And if you want to use the federated model, yes you have to manage certs. The metadata file contains the actual cert (in base64). 


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Wednesday, October 24, 2018 4:29 PM
    Owner
  • Hi

    When we are using ADFS with Office 365 or any other cloud-based application, is it necessary to sync the user accounts to Azure AD?

    For Office, yes, you have to sync users to Azure AD.

    Since the authentication will happen on-premises, is it required to sync the on-premises users to Azure, or can we use SSO without syncing users to Azure AD?

    It depends on the settings of the application hosted in the cloud. ADFS should be enough to set up SSO and force authentication on your local AD (on-premises). But some applications require synchronization of some attributes from the local AD to Azure AD.

    Also, while setting up SSO using ADFS, is it mandatory to exchange certificates between the account partner organization and the resource partner organization, or does just the metadata need to be exchanged?

    Yes, if you want to deploy ADFS, you should set up certificates between the account partner and the resource partner.

    Please read the link below to get more details:

    https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-certificates-ad-fs-wap


    Please don't forget to mark the correct answer, to help others who have the same issue. Thameur BOURBITA MCSE | MCSA My Blog : http://bourbitathameur.blogspot.fr/

    Wednesday, October 24, 2018 6:21 PM
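    The two replies above make the same practical point: the federation metadata already carries the partner's token-signing and encryption certificates as base64 X509Certificate elements, so what the administrator on the other side actually has to verify and keep current is those certificates. The script below is an added example, not code from any poster or from Microsoft; it parses a constructed metadata document shaped like the one ADFS publishes (the entityID and the certificate bytes are placeholders, not a real certificate), pulls out each KeyDescriptor, and computes the SHA-1 thumbprint that the ADFS and Azure AD consoles display, so a defender can confirm that what a partner published matches the thumbprint agreed out of band before, or after, a certificate rollover.

    ```python
    """Extract the certificates carried in WS-Federation / SAML federation metadata
    and compute the thumbprint an administrator compares against the partner's
    configuration. Constructed sample: the embedded certificate bytes are a
    placeholder, not a real X.509 certificate, so this demonstrates only the
    metadata parsing and thumbprint step (example code, not ADFS's own)."""
    import base64
    import hashlib
    import xml.etree.ElementTree as ET  # for metadata fetched from a third party, prefer defusedxml

    NS = {
        "md": "urn:oasis:names:tc:SAML:2.0:metadata",
        "ds": "http://www.w3.org/2000/09/xmldsig#",
    }

    # Constructed placeholder DER bytes (NOT real certificates).
    SAMPLE_SIGNING_DER = b"placeholder-signing-cert-der-bytes"
    SAMPLE_ENCRYPTION_DER = b"placeholder-encryption-cert-der-bytes"


    def _b64(raw: bytes) -> str:
        return base64.b64encode(raw).decode("ascii")


    # Constructed metadata skeleton in the shape ADFS publishes under
    # /FederationMetadata/2007-06/FederationMetadata.xml; entityID is a placeholder.
    SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                      entityID="http://fs.example.test/adfs/services/trust">
      <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <KeyDescriptor use="signing">
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <X509Data><X509Certificate>{_b64(SAMPLE_SIGNING_DER)}</X509Certificate></X509Data>
          </KeyInfo>
        </KeyDescriptor>
        <KeyDescriptor use="encryption">
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <X509Data><X509Certificate>{_b64(SAMPLE_ENCRYPTION_DER)}</X509Certificate></X509Data>
          </KeyInfo>
        </KeyDescriptor>
      </IDPSSODescriptor>
    </EntityDescriptor>
    """


    def sha1_thumbprint(der: bytes) -> str:
        """ADFS and Azure AD show a certificate's thumbprint as upper-case SHA-1 hex of its DER bytes."""
        return hashlib.sha1(der).hexdigest().upper()


    def extract_certificates(metadata_xml: str) -> dict:
        """Return {use: [{thumbprint, der_len, der}, ...]} for every KeyDescriptor found.

        A KeyDescriptor without a 'use' attribute is valid for both purposes; it is filed under 'both'.
        """
        root = ET.fromstring(metadata_xml)
        found = {}
        for kd in root.iter(f"{{{NS['md']}}}KeyDescriptor"):
            use = kd.get("use", "both")
            for cert_el in kd.iter(f"{{{NS['ds']}}}X509Certificate"):
                # Real metadata wraps the base64 across lines; strip whitespace before decoding.
                der = base64.b64decode("".join((cert_el.text or "").split()))
                found.setdefault(use, []).append(
                    {"thumbprint": sha1_thumbprint(der), "der_len": len(der), "der": der}
                )
        return found


    def thumbprint_matches(metadata_xml: str, use: str, expected_thumbprint: str) -> bool:
        """True if one of the certificates published for `use` matches the thumbprint
        the partner gave you out of band (accepts the spaced or colon-separated forms consoles print)."""
        wanted = expected_thumbprint.replace(" ", "").replace(":", "").upper()
        return any(c["thumbprint"] == wanted for c in extract_certificates(metadata_xml).get(use, []))


    if __name__ == "__main__":
        for use, certs in extract_certificates(SAMPLE_METADATA).items():
            for c in certs:
                print(f"{use:10} thumbprint={c['thumbprint']} bytes={c['der_len']}")
    ```

    In practice you would run `extract_certificates` over the metadata document downloaded from the partner's federation endpoint and compare the signing thumbprint with the one configured on the other side of the trust; a mismatch after a token-signing certificate rollover is the usual reason a previously working federation suddenly rejects every sign-in.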
  • Thanks for the reply. However, since ADFS works on claims and one of the advantages of ADFS is that you do not need to provision accounts in the resource partner organization, why do we need to sync the users to Azure AD for Office 365? Is there not an ADFS-server-like functionality in Office 365 which can accept claims from the account partner organization?

    Any other example of an application or cloud-based solution where we can leverage single sign-on using ADFS without having to sync the users?

    Thursday, October 25, 2018 12:01 AM
  • Any update on the above query?
    Monday, October 29, 2018 3:04 PM
  • An Azure AD can "trust" another Azure AD. Have a look there: https://docs.microsoft.com/en-us/azure/active-directory/b2b/faq

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Monday, October 29, 2018 5:56 PM
    Owner
  • Basically, what I want to understand is why we need to sync users to Azure AD when using ADFS for Office 365. One of the advantages of ADFS is that you don't need to provision accounts in the resource partner organization, and the authentication is happening on-premises anyway.
    Tuesday, October 30, 2018 7:18 AM