Changing SSO authentication method from ADFS to ADConnect

Question

Hi,

today I have a server with the ADFS function that is used for SSO authentication for the O365 service.

We have ADConnect to synchronize users.

I need:

1 - Change the configuration so that SSO does not use ADFS and I know that ADConnect in the latest versions has this possibility.

doubt:

• When changing the ADConnect configuration, 0365 will no longer use ADFS authentication and will use direct authentication with ADConnect using the Internet (https). Am I right?
• Do I need to publish ADConnect for internet?
• I have one domain (root) and one (child domain) and I need the users that use 0365 to authenticate in the services using the credentials of the child domain. Some problem?

Thank you.

Answer 1

Well, there is no direct authentication with AADConnect. You authenticate with Azure. ( and no, publishing of the AADConnect server on the internet is not required)
When you transition from a federated to managed scenario using SSO/PHS, you are setting AADConnect to handle the PHS and SSO configuration, not so you can authenticate to AADConnect.

https://learn.microsoft.com/en-us/azure/active-directory/hybrid/plan-migrate-adfs-password-hash-sync

Answer 2

I think you are referring to the Pass Through Agent? That's different from the PHS/SSO solution:
https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta-quick-start

If you want objects in the child domains to use PHS and authenticate against Azure, then, yes, you will need to ensure they are synced as well. Hope that helps.