AD FS with on-premise clarification!

  • Question

  • Hi All,

    I was going through the documentation for the AADConnect tool and came to know that AADConnect supports AD FS, and also understood that in the case of AD FS (using AADConnect) user identities will be synced between on-premise AD and the cloud (please correct me if I am wrong here).

    If we can authenticate a cloud web app using the on-premise AD & AD FS as per the link given below, https://docs.microsoft.com/en-us/azure/app-service-web/web-sites-dotnet-lob-application-adfs (without any syncing & AADConnect), please help me understand the scenarios where we will need to install AADConnect on-premise and use it with AD FS identity syncing.

    Regards
    Kiran...


    • Edited by Kiran.tsp Monday, July 3, 2017 1:15 PM
    Monday, July 3, 2017 1:12 PM

Answers

  • If we can authenticate a cloud web app using the on-premise AD & AD FS as per the link given below, https://docs.microsoft.com/en-us/azure/app-service-web/web-sites-dotnet-lob-application-adfs (without any syncing & AADConnect), please help me understand the scenarios where we will need to install AADConnect on-premise and use it with AD FS identity syncing.

    In the scenario you linked to, the cloud web app runs in Azure Infrastructure-as-a-Service and leverages claims-based authentication to flow authentication requests over the Internet, instead of flowing legacy authentication protocols through VPN tunnels. One of the things it has in common with Azure AD is the claims-based authentication part, but the rest of the solution is entirely different.

    Now, Azure Active Directory is not Azure Infrastructure-as-a-Service (IaaS). (Yes, it can be used in Azure IaaS to delegate granular permissions over resource(group)s and Azure AD DS mimics most of the AD DS functionality as-a-Service).

    Instead Azure Active Directory is an Identity Management-as-a-Service solution, that allows you to:

    • Create Single Sign-On (SSO) functionality towards Microsoft Online (MSOL) services and 2800+ 3rd party apps, based on claims-based authentication to Azure AD, and beyond (as in: to AD DS through Azure AD Connect sync in four scenarios, including the one that features AD FS) 
    • Allow Self-service password reset and Self-service group management
    • Provide hosted Identity Protection
    • etc.

    In order to offer all this functionality, Azure AD needs to know about your organization's preferences. Azure AD Connect is the ideal way to let Azure AD know about your organization's users, groups and devices. Choosing one of the above four authentication mechanisms is one of them.

    I was going through the documentation for the AADConnect tool and came to know that AADConnect supports AD FS, and also understood that in the case of AD FS (using AADConnect) user identities will be synced between on-premise AD and the cloud (please correct me if I am wrong here).

    Basically, Azure AD Connect allows Azure AD and your on-premises Active Directory Domain Services (AD DS) environment to act as 'one Active Directory'.

    Monday, July 3, 2017 9:12 PM
  • It's all about choices :)

    Yes, if you have a custom cloud app hosted somewhere you can skip Azure AD altogether if you like.

    If you want to use Office 365 and third-party apps that integrate with AAD you will probably want to install AAD Connect.

    But even if you install AAD Connect, and have a replica in AAD, you can have your custom app integrate with ADFS directly.

    I highly recommend using OAuth and OpenID Connect in your app though; since both ADFS and AAD support it, switching between them is fairly easy.

    If you want to take it to the next level you can integrate your app with Azure AD B2C, add ADFS and/or AAD, and switch without changing things in your app.

    So there really are plenty of choices, and it's up to you which direction you want to take it :)

    • Marked as answer by Kiran.tsp Wednesday, July 5, 2017 8:30 AM
    Tuesday, July 4, 2017 1:11 PM
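Andreas's point that an OpenID Connect app can be moved between AD FS and Azure AD by configuration alone, as an added example that is not code from this thread or from Microsoft: the relying party binds to one configured issuer and client id and checks every id_token's claims against that binding, so a token from the other provider (or for another app) is refused. The authorities, client ids and the token are constructed placeholders; signature verification against the keys at the issuer's jwks_uri is assumed to be done first by a JOSE library and is not shown.

```python
"""OIDC relying-party claim checks that bind the app to one configured
authority (AD FS or Azure AD). Identifiers are constructed placeholders."""
import base64
import json

# Only this table changes when the identity provider is swapped.
AUTHORITIES = {
    "adfs": {"issuer": "https://adfs.example.test/adfs",
             "client_id": "11111111-1111-1111-1111-111111111111"},
    "azuread": {"issuer": "https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/v2.0",
                "client_id": "22222222-2222-2222-2222-222222222222"},
}
NOW = 1_499_200_000  # constructed "current time" in epoch seconds

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def encode_token(claims: dict) -> str:
    """Constructed compact JWT; a real id_token carries an RS256 signature as its third segment."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return header + "." + _b64url(json.dumps(claims).encode()) + ".SIGNATURE_PLACEHOLDER"

def decode_payload(id_token: str) -> dict:
    """Parse the claims segment (assumes the signature was already verified by a JOSE library)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def validate_claims(claims: dict, idp: str, now: int, skew: int = 120) -> list:
    """Return validation failures (an empty list means the token is accepted)."""
    cfg = AUTHORITIES[idp]
    problems = []
    if claims.get("iss") != cfg["issuer"]:
        problems.append("issuer mismatch")  # token minted by the other IdP is refused
    aud = claims.get("aud")
    if cfg["client_id"] not in (aud if isinstance(aud, list) else [aud]):
        problems.append("audience mismatch")  # token minted for another app is refused
    if claims.get("exp", 0) + skew < now:
        problems.append("token expired")
    if claims.get("nbf", 0) - skew > now:
        problems.append("token not yet valid")
    return problems

# Constructed id_token as AD FS would mint it for this app's client_id.
SAMPLE_CLAIMS = {"iss": AUTHORITIES["adfs"]["issuer"],
                 "aud": AUTHORITIES["adfs"]["client_id"], "sub": "kiran@example.test",
                 "iat": NOW - 60, "nbf": NOW - 60, "exp": NOW + 3600}
SAMPLE_TOKEN = encode_token(SAMPLE_CLAIMS)
```

Pointing the app at Azure AD instead of AD FS means changing the selected entry in AUTHORITIES (and registering the app there); the validation code itself is unchanged.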

All replies

  • Hi Sander,

    Thank you very much for providing the detailed clarification. After going through your response, my understanding is as below, please confirm if it's correct: 

    If my only purpose is to establish SSO between a custom web-app hosted on-premise (authenticated against on-premise AD by providing credentials) & a cloud app (another custom web-app hosted on the cloud; to be authenticated against on-premise AD, using the same creds without re-entering), I will be able to achieve it by configuring the custom cloud-app as a relying party on the on-premise AD FS (as mentioned in the link: https://docs.microsoft.com/en-us/azure/app-service-web/web-sites-dotnet-lob-application-adfs) without using AAD Connect & identity syncing...

    But if I want to have the other features that I have mentioned below, we need to have AADConnect with ADFS using identity syncing...
    - To establish SSO between a custom web-app hosted on-premise (authenticated against on-premise AD by providing credentials) & then navigate to Office 365/other MSOL services without entering creds again (or) vice-versa by first accessing Office 365/MSOL by entering creds & then navigate to custom web-app without re-entering creds.
    - Other cases that you mentioned in your response (like SSPR, self-service group management, hosted identity protection, etc..)

    Regards
    Kiran...


    Tuesday, July 4, 2017 8:28 AM
  • Hi Andreas, thank you for clarifying on the choices :)
    Wednesday, July 5, 2017 8:30 AM