Using O365 with on-prem AD

Question
-
Hi All,
We already have an O365 subscription for the mailboxes of our organisation, without any on-premises AD. Now we are planning to set up an on-prem AD, sync it with O365 and also have SSO. My questions are as below:
1. What would be the best approach to achieve this? Do we have to use both DirSync and ADFS for this scenario?
2. Using federated identity, the authority is still with on-prem AD. In this case, what would happen to O365 if on-prem AD is down or the staff are outside of the organisation?
3. Can we have authority on both sides?
Thanks,
Max
Friday, February 9, 2018 6:52 AM
Answers
-
Although you can use "@domain.onmicrosoft.com" for your users, ideally you would register your own "custom" domain in Azure AD.
It doesn't matter where the user is. They will always have access to Azure AD workloads (authentication and applications such as Office 365). If you want to block or restrict certain types of sign-in, or certain applications, have a look at Azure AD Conditional Access policies: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azure-portal
Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.
- Proposed as answer by Pierre Audonnet [MSFT], Microsoft employee, Tuesday, March 6, 2018 6:59 PM
- Marked as answer by Pierre Audonnet [MSFT], Microsoft employee, Thursday, April 26, 2018 12:29 PM
Monday, February 26, 2018 2:54 PM
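The custom-domain step from the answer above, carried through to the existing cloud users as an added example (this script is not from the original thread). It checks that the custom domain is verified in Azure AD, then moves cloud-only users off the initial @contoso.onmicrosoft.com suffix onto that domain, so that when Azure AD Connect starts syncing, an on-prem account created with the same UPN (or the same primary SMTP address) is matched to the existing cloud object instead of producing a duplicate. The names contoso.onmicrosoft.com and contoso.com are placeholders, and the cmdlets are from the MSOnline module that was current when this thread was written.

```powershell
# Added example (not from the original thread). Moves cloud-only users from the tenant's
# initial domain onto a verified custom domain before Azure AD Connect is enabled.
# "contoso.onmicrosoft.com" and "contoso.com" are placeholder names.
# Requires the MSOnline module (Install-Module MSOnline) and a Global Administrator account.
param(
    [string]$OldSuffix = 'contoso.onmicrosoft.com',  # placeholder: tenant's initial domain
    [string]$NewSuffix = 'contoso.com',              # placeholder: verified custom domain
    [switch]$DryRun                                  # list the renames without applying them
)

Connect-MsolService

# 1. The custom domain must already be added and verified (DNS TXT or MX record) in
#    Azure AD; otherwise it cannot be used as a UPN suffix.
$domain = Get-MsolDomain -DomainName $NewSuffix -ErrorAction Stop
if ($domain.Status -ne 'Verified') {
    throw "Domain $NewSuffix is not verified in Azure AD (status: $($domain.Status))."
}

# 2. Cloud-only users still on the initial domain. Synced users carry an ImmutableId
#    (the base64 on-prem objectGUID), so a null ImmutableId identifies cloud-only objects.
$users = Get-MsolUser -All | Where-Object {
    $_.UserPrincipalName -like "*@$OldSuffix" -and -not $_.ImmutableId
}

# 3. Rename each UPN. The matching on-prem account must then be created with this same
#    UPN (add the custom domain as an alternative UPN suffix in AD Domains and Trusts)
#    or with the same primary SMTP address, so that Azure AD Connect soft-matches it.
foreach ($u in $users) {
    $newUpn = ($u.UserPrincipalName -split '@')[0] + '@' + $NewSuffix
    if ($DryRun) {
        Write-Output "Would rename $($u.UserPrincipalName) -> $newUpn"
    } else {
        Set-MsolUserPrincipalName -UserPrincipalName $u.UserPrincipalName -NewUserPrincipalName $newUpn
        Write-Output "Renamed $($u.UserPrincipalName) -> $newUpn"
    }
}
```

Run it with -DryRun first: a UPN change is a sign-in name change, so Outlook, Skype for Business and mobile clients will prompt users to re-enter credentials afterwards. By default Azure AD Connect soft-matches on the primary SMTP address; matching on UPN as well can be switched on once directory synchronization has been enabled with `Set-MsolDirSyncFeature -Feature EnableSoftMatchOnUpn -Enable $true`. The alternative is a hard match, setting each cloud user's ImmutableId to the base64 objectGUID of the on-prem account, which is more work but does not depend on names lining up.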
All replies
-
DirSync is deprecated. Use AAD Connect.
Two scenarios:
- Just AAD Connect = same sign-on. You have to log in again with the same credentials.
- AAD Connect + ADFS = single sign-on.
If ADFS is down you need to cancel the federated sign-on so you can log in directly to Azure AD.
Friday, February 9, 2018 7:51 AM
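The fallback described in the last line of that reply, as an added example that is not part of the original post: when the AD FS farm is unreachable, the federated domain is converted to Managed so that authentication happens against Azure AD itself. The script saves the federation settings first so the trust can be rebuilt later. contoso.com is a placeholder domain. It assumes the MSOnline module and a Global Administrator account on a non-federated domain (for example the tenant's .onmicrosoft.com domain), because an administrator whose UPN is on the federated domain cannot sign in while AD FS is down either.

```powershell
# Added example (not from the original thread): emergency fallback when AD FS is down.
# Converts the domain from Federated to Managed so users sign in directly to Azure AD.
# "contoso.com" is a placeholder. Run as a Global Administrator whose account is NOT on
# the federated domain (e.g. breakglass@contoso.onmicrosoft.com).
param(
    [string]$DomainName = 'contoso.com',   # placeholder: the federated domain
    [switch]$PasswordReset                 # also issue temporary cloud passwords (see below)
)

Connect-MsolService

$domain = Get-MsolDomain -DomainName $DomainName -ErrorAction Stop
Write-Output "Domain $DomainName is currently: $($domain.Authentication)"

if ($domain.Authentication -ne 'Federated') {
    Write-Output 'Nothing to do: the domain is already Managed.'
    return
}

# Keep a copy of the federation settings (issuer URI, endpoints, signing certificate)
# so the trust can be checked against what AD FS reports when it is re-established.
$backup = ".\federation-$DomainName-$(Get-Date -Format 'yyyyMMdd-HHmm').xml"
Get-MsolDomainFederationSettings -DomainName $DomainName | Export-Clixml -Path $backup
Write-Output "Federation settings saved to $backup"

if ($PasswordReset) {
    # Full conversion: every user on the domain gets a temporary password, written in
    # clear text to the file. Needed only if password hash synchronization was never
    # enabled, because then Azure AD holds no password hash for the users to sign in with.
    # Distribute the passwords out of band and delete the file afterwards.
    Convert-MsolDomainToStandard -DomainName $DomainName -SkipUserConversion $false `
        -PasswordFile ".\temp-passwords-$DomainName.txt"
} else {
    # Authentication-only switch: users keep signing in with their AD password. This
    # works only if Azure AD Connect already syncs password hashes, which is why
    # password hash sync is normally enabled as a backup alongside AD FS.
    Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Managed
}

$after = Get-MsolDomain -DomainName $DomainName
Write-Output "Domain $DomainName is now: $($after.Authentication)"
```

The design choice here is that the cheap path, `Set-MsolDomainAuthentication -Authentication Managed`, only helps if cloud password hashes already exist; without password hash synchronization the only way to let users in is `Convert-MsolDomainToStandard`, which resets every password and leaves them in a plain-text file that has to be protected and destroyed. The change can take some minutes to propagate to all sign-in endpoints. Once the AD FS farm is back, the domain is re-federated from an AD FS server with `Convert-MsolDomainToFederated -DomainName contoso.com`, which republishes the current signing certificate and endpoints to Azure AD.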
-
Thanks for your reply,
But I want to know the best approach to achieve this.
1. I want to know how to create a single account for my existing users, since their domain is "@domain.onmicrosoft.com" while my new on-prem domain will be different.
2. What would happen if the user is outside the corporate network? Does he need to connect to the VPN to sign in to Office 365, since the authority will be with on-prem AD?
Thanks
Thursday, February 22, 2018 2:43 AM