Both federation and PTA are domain-wide features, so they generally apply to all users. There's however a preview of the so-called "staged rollout" feature, which allows you to switch just some users from federation to other auth types. Read here: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-staged-rollout
Mix ADFS and Azure AD for authentication
Hi, we use ADFS 3.0 for O365 and some 3rd party web / apps. Now we're implementing a new website. My original idea was to just add it to our ADFS, but now the project has decided that it needs 2FA. In the future I see all our apps authenticating in Azure AD, but I can't move them right now. Therefore I'd prefer to keep the current apps in ADFS but add the new app to Azure AD with PTA and MFA. Can I somehow use Azure AD for authentication on my new app and still authenticate O365 in ADFS? //Johan
2 answers
AmanpreetSingh-MSFT 56,306 Reputation points
2019-12-16T16:16:45.283+00:00 @JFH Yes, you can do that. If you have O365 federated with ADFS and you federate an application with Azure AD, the authentication flow would be:
- User accesses the application, which is federated to Azure AD.
- The application redirects to the Azure AD authentication endpoint (https://login.microsoftonline.com) for authentication.
- The user is prompted for credentials.
- Based on the UPN suffix (if the domain is federated with ADFS), the user is redirected to ADFS.
- ADFS authenticates the user and issues a WS-Fed token to Azure AD.
- Azure AD receives the token and issues a SAML token to the application.
- The user finally gets access to the application.
-----------------------------------------------------------------------------------------------------------
Please "accept as answer" or "vote as helpful" wherever the information provided helps you to help others in the community.
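The home-realm decision in step 4 of the flow above (UPN suffix decides whether Azure AD redirects to ADFS) and the staged-rollout caveat in the other answer can be checked against a tenant's own domain. This is an added example, not code from the Q&A answers or from Microsoft; it assumes the public GetUserRealm.srf endpoint and the constructed sample responses below, which mimic the real JSON shape (domain names and the ADFS URL are placeholders).

```python
"""Confirm which way Azure AD will send a given UPN (added example)."""
import json
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Optional

# Public home-realm discovery endpoint used by Azure AD sign-in pages.
REALM_ENDPOINT = "https://login.microsoftonline.com/GetUserRealm.srf"


@dataclass
class Realm:
    domain: str
    namespace_type: str          # "Federated", "Managed" or "Unknown"
    auth_url: Optional[str]      # federation server endpoint when Federated


def parse_realm(body: str) -> Realm:
    """Parse a GetUserRealm.srf JSON response into a Realm."""
    data = json.loads(body)
    return Realm(domain=data.get("DomainName", ""),
                 namespace_type=data.get("NameSpaceType", "Unknown"),
                 auth_url=data.get("AuthURL"))


def next_hop(realm: Realm) -> str:
    """Where the credential prompt goes for this realm (step 4 of the flow).
    Note: staged rollout is decided per user at sign-in; a domain in staged
    rollout still reports Federated here, so this only shows the domain default."""
    if realm.namespace_type == "Federated":
        return f"redirect to federation server: {realm.auth_url}"
    if realm.namespace_type == "Managed":
        return "Azure AD validates the credentials itself (PHS or PTA)"
    return "domain not known to Azure AD"


def lookup_realm(upn: str, timeout: float = 10.0) -> Realm:
    """Live check of your own domain (network call; not used in the samples)."""
    url = f"{REALM_ENDPOINT}?{urllib.parse.urlencode({'login': upn})}"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return parse_realm(resp.read().decode("utf-8"))


# Constructed sample responses (placeholder domains, not real tenants).
FEDERATED_SAMPLE = json.dumps({
    "State": 3, "UserState": 2, "Login": "johan@contoso.example",
    "NameSpaceType": "Federated", "DomainName": "contoso.example",
    "FederationBrandName": "Contoso",
    "AuthURL": "https://adfs.contoso.example/adfs/ls/?wa=wsignin1.0"})
MANAGED_SAMPLE = json.dumps({
    "State": 4, "UserState": 1, "Login": "johan@fabrikam.example",
    "NameSpaceType": "Managed", "DomainName": "fabrikam.example"})
```

Run lookup_realm("user@yourdomain") against a test account before and after enabling staged rollout to see that the domain-level answer does not change; the per-user switch is only visible in the Azure AD sign-in logs.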