AD FS and AD Connect

  • Question

  • Hi, we are currently migrating users to Office 365 via AD Sync/AD Connect. We are planning on implementing ADFS to block access to Office 365 from outside the corporate network. Are there any known risks involved in connecting ADFS to Office 365 while the migration of users is in process? Thanks.
    Wednesday, July 3, 2019 4:04 AM

All replies

  • No, there is no "risk" involved with connecting ADFS to Office 365.

    Here is a step-by-step blog by Rhoderick Milne on How to Install ADFS for Office 365

    Wednesday, July 3, 2019 8:47 AM
  • Hi Neelesh, the migration of users to Office 365 is in progress via AD Sync/AD Connect. Can we still connect ADFS to Office 365 while the migration is ongoing? Connecting ADFS to Office 365 will convert the domain to a federated domain. Will this not have an impact on the ongoing migration, since AD Connect synchronization (password hash) is managed authentication and thus an Office 365 managed domain? Thanks
    Wednesday, July 3, 2019 9:22 AM
  • Hi James

    My take on this is that the risk is in managing the transition and understanding what is happening at each stage. Fire up a test tenant and test ADFS and go through your transition steps and get familiar with the process. Also make sure you have your back-out plan tested and understand what you need to do to get back to where you are now. If you are syncing password hashes, you can use Set-MsolDomainAuthentication to flick back to a managed domain. If not, you are looking at Convert-MsolDomainToStandard or using AD Connect.

    The technical act of going from a managed domain to a federated domain is a well-trodden path, as is going from a federated domain to a managed domain. Assuming all of your prerequisites are good and AD FS is set up correctly, UPNs are good, etc., then it will work.

    From a user perspective, when you change to a federated domain, they will see a different login process and will be referred to your on-prem AD FS. So there is potentially a communication/timing aspect to this as well. 

    From an AD Connect perspective, it will continue to sync your users with its existing settings, and this will not be affected just by changing the Azure domain authentication method, which can be done independently. From an AD Connect perspective, it sets the domain authentication type when the wizard is run and the option is changed.

    What would affect things is if you ran the AD Connect wizard again setting different sync options from the first time it was run, or ran it again setting password hash/pass-through/Seamless SSO and not AD FS after the transition.

    As always the devil is in the detail.... so I recommend having a play in a test environment. It is a day well spent. 

    I am sure you will have considered this already, but I just wanted to make sure you have considered Conditional Access within Azure which could potentially meet your needs for blocking out of office located users. There are some compelling reasons to use Managed with Conditional Access if it can meet your requirements. Not least because you don't need to manage your own AD FS. 

    Cheers

    Jody


    • Marked as answer by James Escober Thursday, July 4, 2019 5:52 AM
    Wednesday, July 3, 2019 12:57 PM
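The checks and back-out paths Jody describes, as an added example that is not part of the thread. It uses the MSOnline module whose cmdlets the answer names (Set-MsolDomainAuthentication, Convert-MsolDomainToStandard), plus Get-MsolDomain, Get-MsolCompanyInformation, Set-MsolAdfscontext and Convert-MsolDomainToFederated from the same module; Microsoft has since been retiring MSOnline in favour of Microsoft Graph, so treat it as illustrating the 2019-era procedure. The domain name, AD FS host name and password-file path are placeholders.

```powershell
# Added example (not from the thread): pre-flight checks before federating a domain,
# and the two back-out paths from federated to managed. Requires Windows PowerShell
# with the MSOnline module. Domain, AD FS host and file path are placeholders.
Import-Module MSOnline
Connect-MsolService   # interactive sign-in as a Global Administrator

$DomainName = 'contoso.com'                 # placeholder: your verified custom domain
$AdfsServer = 'adfs01.corp.contoso.com'     # placeholder: internal AD FS server, needed by the Convert-* cmdlets

# 1. Current authentication type of the domain: Managed or Federated
$domain = Get-MsolDomain -DomainName $DomainName
'{0}: status={1} authentication={2}' -f $domain.Name, $domain.Status, $domain.Authentication

# 2. Is AD Connect syncing, and is password hash sync really on? This decides which back-out path applies.
$company = Get-MsolCompanyInformation
if (-not $company.DirectorySynchronizationEnabled) { throw 'Directory synchronization is not enabled on this tenant' }
'PHS enabled: {0}  last dir sync: {1}  last password sync: {2}' -f `
    $company.PasswordSynchronizationEnabled, $company.LastDirSyncTime, $company.LastPasswordSyncTime

# 3. UPN check: the authentication method is per domain, so only users whose UPN suffix is
#    the federated domain are redirected to AD FS. Synced users with an unverified suffix
#    sign in with the tenant's .onmicrosoft.com UPN instead and will not behave as expected.
$verified = (Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' }).Name
$badUpn = Get-MsolUser -All | Where-Object {
    $_.LastDirSyncTime -and (($_.UserPrincipalName -split '@')[1] -notin $verified)
}
if ($badUpn) { Write-Warning 'Fix these UPNs before federating:'; $badUpn | Select-Object UserPrincipalName }

# 4. Managed -> Federated. Convert-MsolDomainToFederated creates the relying party trust on
#    AD FS, so point the AD FS context at the server first; verify the settings afterwards.
Set-MsolAdfscontext -Computer $AdfsServer
# Convert-MsolDomainToFederated -DomainName $DomainName
# Get-MsolDomainFederationSettings -DomainName $DomainName

# 5. Federated -> Managed back-out. Which path applies depends on whether hashes are already in the cloud.
function Invoke-FederationBackout {
    param([Parameter(Mandatory)][string]$DomainName)
    $phs = (Get-MsolCompanyInformation).PasswordSynchronizationEnabled
    if ($phs) {
        # Hashes are already synced: only the authentication type changes; AD Connect keeps syncing as before.
        Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Managed
    } else {
        # No hashes in the cloud: users get new random passwords, written to -PasswordFile (protect that file).
        # This cmdlet also removes the relying party trust on AD FS, so it needs the AD FS context set above.
        Convert-MsolDomainToStandard -DomainName $DomainName -SkipUserConversion $false `
            -PasswordFile "C:\Temp\$DomainName-passwords.txt"
    }
    (Get-MsolDomain -DomainName $DomainName).Authentication   # expect 'Managed' when the back-out worked
}
```

Run steps 1 to 3 in the test tenant first, then again against production on cutover day; the back-out function is deliberately gated on PasswordSynchronizationEnabled rather than on what you remember configuring, because a wizard re-run that dropped PHS is exactly the failure mode the answer warns about.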
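The Conditional Access alternative Jody raises for blocking users outside the office, as an added example that is not part of the thread. It uses the Microsoft Graph PowerShell SDK (New-MgIdentityConditionalAccessNamedLocation, New-MgIdentityConditionalAccessPolicy), which is the current tooling rather than anything the 2019 answer names; the corporate egress ranges and the break-glass account object ID are placeholders.

```powershell
# Added example (not from the thread): block Office 365 from everywhere except the corporate
# egress IPs with a Conditional Access policy instead of AD FS. Egress ranges and the
# break-glass object ID are placeholders. The policy starts in report-only mode so the
# sign-in logs show who would have been blocked before anything is enforced.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$CorpEgress     = @('203.0.113.0/24', '198.51.100.0/24')       # placeholders (TEST-NET ranges), your public egress CIDRs
$BreakGlassUser = '00000000-0000-0000-0000-000000000000'        # placeholder: emergency-access account object ID

# 1. A trusted named location for the corporate egress addresses
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Corporate network egress'
    isTrusted     = $true
    ipRanges      = @($CorpEgress | ForEach-Object {
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = $_ }
    })
}

# 2. Block Office 365 for all users except the break-glass account, from all locations except the one above
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'Block Office 365 outside the corporate network'
    state         = 'enabledForReportingButNotEnforced'   # change to 'enabled' after reviewing report-only results
    conditions    = @{
        users        = @{ includeUsers = @('All'); excludeUsers = @($BreakGlassUser) }
        applications = @{ includeApplications = @('Office365') }
        locations    = @{ includeLocations = @('All'); excludeLocations = @($location.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
'{0} -> {1}' -f $policy.DisplayName, $policy.State
```

A location-based block is the policy most likely to lock administrators out when an egress address changes, which is why the break-glass account is excluded and the policy ships in report-only mode; flip it to enabled only after the report-only sign-in results match what you expect.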