Azure AD hybrid join computer

roy lee 51 Reputation points
2020-03-31T09:35:41.753+00:00

Hi All,

We have now configured AADC to sync on-prem AD objects to O365, with ADFS for federation and access control.

We are planning to retire ADFS and migrate to Azure AD conditional access, keeping AADC to sync on-prem AD objects / password hashes to O365.

One of the Azure AD conditional access conditions should be to only allow domain joined computers, which as far as I know needs Azure AD hybrid join.

During the migration, I am wondering whether Azure AD hybrid join can point to Azure AD directly instead of ADFS, so that we can test and finally retire ADFS?

From Microsoft document for Configure hybrid Azure Active Directory join for Federated domain: https://learn.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan

Select the authentication service. You must select AD FS server unless your organization has exclusively Windows 10 clients and you have configured computer/device sync, or your organization uses seamless SSO.

It seems like I can select Azure AD for the authentication service instead of ADFS.

Thanks,
Roy


3 answers

  1. Shashi Shailaj 7,581 Reputation points Microsoft Employee
    2020-04-02T19:50:28.097+00:00

    Hello @roy lee ,

    Yes, you can use Azure AD for authentication directly. You can set up Password Hash Sync and Seamless SSO and get all the benefits of single sign-on without ADFS. While configuring the User sign-in you can configure it with Password hash sync and tick the checkbox called Enable single sign-on.

    [Screenshot: usersignin4.png]

    The above would work for setting up seamless SSO. But this setup without ADFS works best if you have all Windows 10 devices with the latest updates. You should make sure that if you have any application on-premises which depends on ADFS for authentication, then you would need to migrate it to the cloud or use Azure AD Application Proxy for the same. The application migration for any app that was dependent on ADFS would need to be checked and the applications updated accordingly. Even though Azure AD supports the same auth protocols as ADFS, you may need to make some changes in the application code before migration. Any application which works on legacy protocols like Kerberos or NTLM in your local on-premises environment will continue to be accessed in the same way, as they will require you to make sure that the application has line of sight to an AD domain controller for authentication.

    If all your applications are already in Azure and use Azure AD for identity authentication/authorization, and you have all clients as Windows 10 (latest) hybrid Azure AD joined, then you do not need to worry at all while removing ADFS. You can use AD Connect to set up PHS as well as seamless SSO by checking the Enable single sign-on option. We have a great article for migrating from federation to password hash sync for Azure AD which explains it all with all the prerequisites. In case you have any managed domains then you can set up hybrid Azure AD join for them as well. Please go through the articles and I am sure you will be able to plan your migration to Azure AD from ADFS better.

    Hope the above clarifies your query and answers your doubts. If the information provided in the answer helps you, please do accept it as the answer so that it increases the relevancy of the answer and it is easily found by community members searching for similar issues.

    Thank you.
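The precondition stated in the answer above (all Windows 10 clients, hybrid Azure AD joined) is something worth verifying per machine before any Conditional Access policy that requires a hybrid joined device is enforced. The PowerShell below is an added example for this thread, not code from the answer or from Microsoft: it parses the output of `dsregcmd /status` (the built-in Windows tool that reports the device's Azure AD registration state) into a hashtable and checks the three fields a hybrid joined device must report as YES. The dsregcmd output embedded in the block is constructed so the script runs offline; the field names follow the real tool, but the tenant name and device ID are placeholders.

```powershell
# Added example, not from the original thread. Decide whether a client is ready
# for a Conditional Access policy that requires a hybrid Azure AD joined device.
# Three dsregcmd fields must hold:
#   AzureAdJoined : YES   device object exists in Azure AD
#   DomainJoined  : YES   still joined to on-premises AD (hybrid, not pure AAD join)
#   AzureAdPrt    : YES   the signed-in user holds a Primary Refresh Token; without
#                         it no device claim is presented and CA blocks the sign-in

function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    # dsregcmd prints "Key : Value" rows inside +---+ / | Header | frames;
    # only the key/value rows match, frames and blank lines are skipped.
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-HybridJoinReadiness {
    param([Parameter(Mandatory)][hashtable]$State)
    $required = @('AzureAdJoined', 'DomainJoined', 'AzureAdPrt')
    $missing  = @($required | Where-Object { $State[$_] -ne 'YES' })
    [pscustomobject]@{
        Ready        = ($missing.Count -eq 0)
        FailedChecks = $missing
        TenantName   = $State['TenantName']
        DeviceId     = $State['DeviceId']
    }
}

# Constructed sample in the layout dsregcmd uses, so this runs offline.
# TenantName and DeviceId are placeholders. On a real machine use:
#   $lines = dsregcmd /status
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO

+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+

                TenantName : Contoso
                  DeviceId : 00000000-0000-0000-0000-000000000000

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : NO
'@ -split "`r?`n"

$result = Test-HybridJoinReadiness -State (ConvertFrom-DsregStatus -Lines $sample)
$result | Format-List

# Live check on the machine being assessed:
# Test-HybridJoinReadiness -State (ConvertFrom-DsregStatus -Lines (dsregcmd /status))
```

On the constructed sample the result is Ready = False with AzureAdPrt as the failed check: the machine is joined on both sides, but the logged-on user has no Primary Refresh Token, which is exactly the state in which a "require hybrid Azure AD joined device" policy blocks a sign-in even though the computer looks fine from the AD side. A PRT is only obtained after the user signs in with a synced account once the join has completed, so a machine checked immediately after joining will legitimately report NO; re-run the live check after the next sign-in before treating it as a failure.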


  2. roy lee 51 Reputation points
    2020-04-07T02:56:15.04+00:00

    Hi shashishailaj,

    Any thoughts on my comment on your answer?

    Thanks,
    Roy


  3. roy lee 51 Reputation points
    2020-04-08T07:13:44.777+00:00

    Hi shashishailaj,

    Thanks. According to your screenshot, it seems like it switches from ADFS to Password Hash directly.

    But I would like to know if it's possible to keep Office 365 authenticating via ADFS while making Azure AD hybrid joined computers point to Azure directly? There is an option to point to Azure AD or ADFS when configuring Hybrid Azure AD join.
    [Screenshot: 7203-6973-untitled.jpg]

    That way I can do Azure AD hybrid join gradually and make sure all my domain computers have finished Azure AD hybrid join; then I can switch from ADFS authentication and access control to Azure AD authentication with password hash sync and conditional access.

    Thanks,
    Roy

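The staged plan in the post above (join devices gradually, confirm every computer is hybrid joined, only then move access control to Conditional Access) maps directly onto the report-only policy state, which evaluates a policy against every sign-in and records the outcome without enforcing it. The following PowerShell is an added example, not code from the thread or from Microsoft: it creates a Conditional Access policy requiring a hybrid Azure AD joined (or Intune compliant) Windows device in report-only mode with the Microsoft Graph PowerShell SDK, then lists the sign-ins that would have been blocked. It assumes the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Reports modules are installed and that the caller can consent to the listed Graph scopes; the group ID for the excluded emergency-access accounts is a placeholder.

```powershell
# Added example, not from the original thread. Create a "require hybrid Azure AD
# joined device" Conditional Access policy in report-only mode and review the
# sign-ins it would have blocked before switching it to enforced.
# Assumes Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Reports are installed.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Reports

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
                        'AuditLog.Read.All', 'Directory.Read.All'

# Placeholder object ID of a group holding emergency-access (break-glass) accounts.
# Always exclude it so a device-state problem cannot lock every admin out.
$breakGlassGroupId = '11111111-1111-1111-1111-111111111111'

$policy = @{
    displayName = 'Require hybrid Azure AD joined device (report-only)'
    # Report-only: evaluated and written to the sign-in log, never enforced.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        clientAppTypes = @('all')
        applications   = @{ includeApplications = @('All') }
        users          = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlassGroupId)
        }
        # Scoped to Windows: hybrid join only applies to domain joined PCs,
        # so phones and tablets are not pulled into this policy.
        platforms      = @{ includePlatforms = @('windows') }
    }
    grantControls = @{
        operator        = 'OR'
        # domainJoinedDevice = hybrid Azure AD joined; compliantDevice also
        # admits Intune-managed devices that meet the compliance policy.
        builtInControls = @('domainJoinedDevice', 'compliantDevice')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

function Get-ReportOnlyFailure {
    # Sign-ins for which the given policy recorded reportOnlyFailure, i.e. the
    # sign-ins that would be blocked once the policy is enforced.
    param([Parameter(Mandatory)][string]$PolicyId, [int]$Top = 200)
    # The per-policy report-only result sits inside each sign-in record, so the
    # match is done client-side rather than with an OData filter.
    Get-MgAuditLogSignIn -Top $Top | Where-Object {
        $_.AppliedConditionalAccessPolicies | Where-Object {
            $_.Id -eq $PolicyId -and $_.Result -eq 'reportOnlyFailure'
        }
    } | Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName,
        @{ n = 'Device';    e = { $_.DeviceDetail.DisplayName } },
        @{ n = 'TrustType'; e = { $_.DeviceDetail.TrustType } }
}

# Run this periodically while the rollout of hybrid join is in progress.
Get-ReportOnlyFailure -PolicyId $created.Id | Format-Table -AutoSize

# Only once the failure list stays empty for the whole user population:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = 'enabled' }
```

The TrustType column is the quickest way to see why a sign-in failed: a device that shows up with no trust type, or as "Azure AD registered" rather than "Hybrid Azure AD joined", has not completed the join (or the user has no PRT yet) and needs attention before the policy is enforced. Keep the break-glass exclusion when flipping the state to enabled, and enforce only after the report-only failures have been empty across a full sign-in cycle, not just for the machines already migrated.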