Azure AD Connect *without* single sign on or same password?

  • Question

  • Looking to update our internal network from Win 7 Pro desktops and 2008R2 DC to Win 10 Enterprise E3 and Server 2016 DC. I understand we need Azure AD Connect to activate Win 10 Pro Enterprise features.

    We currently have Office365 subscriptions purely for email/calendar.  Most users access via Outlook on desktop or mobile - very few use web apps, and then only rarely.

    Our internal AD domain schema has been rolled over and upgraded for many years from NT4 > 2003 > 2008R2, and uses a different internal domain name to our email address, and users have different user names to their email address.

    As part of the upgrade I intend to set up and migrate to a fresh internal AD schema and new usernames, and logically these should match email address/domain.  Our Office365 subscription means that MS has already set up our users in Azure AD based on email addresses anyway.

    My question is if we use Azure AD Connect, is it possible to have different passwords to authenticate internally against our AD domain controller versus that used to authenticate in Office365?

    Thanks!

    Tuesday, October 8, 2019 7:56 AM

All replies

  • Yes, it is perfectly possible. But rarely used, as it's confusing for the end users and will most likely result in numerous support cases.
    Tuesday, October 8, 2019 8:21 AM
  • Hi, and thanks for responding.

    By confusing for end users, do you mean the need to remember 2 passwords?

    In our case, because users rarely (if ever) log in to Office365 web apps, and the Outlook clients on desktop and mobile remember the credentials without inputting them each time, we aren't concerned about having 2 passwords.

    If it is possible to have different passwords for local AD authentication and Office365 authentication when using AD Connect, can you provide any pointers to what that setup looks like?

    Tuesday, October 8, 2019 12:07 PM
  • Yes, that's what I mean. Passwords expire or get changed; once that happens, the convenience of having them stored can easily backfire.

    As for configuring it, simply select "Do not configure" on the User sign-in page of the setup wizard: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-custom#user-sign-in

    Tuesday, October 8, 2019 5:50 PM
  • Thanks very much for your help. Are you able to confirm that if we use that setup without password syncing, then Enterprise features will still be activated for that user (if licensed)?

    Wednesday, October 9, 2019 7:46 AM
  • Not sure what you mean by "enterprise features". Office 365 services will work just fine.
    Wednesday, October 9, 2019 8:06 AM
  • We want to deploy Windows 10 Enterprise E3. I understand this requires desktops with Windows 10 Pro first, and then a subscription to Enterprise E3. The subscription is activated when the user authenticates against Azure AD, in this case via AD Connect as we will have an on-premises Active Directory domain controller.
    Wednesday, October 9, 2019 8:20 AM
  • No issues there. You are simply changing the authentication method, not stopping authentication against Azure AD.
    • Marked as answer by Nick Baird Thursday, October 10, 2019 7:17 AM
    Wednesday, October 9, 2019 7:48 PM
  • Thanks!
    Thursday, October 10, 2019 7:18 AM