Background Currently the customer is running everything on premise ie local AD, DC, Exchange2010 and Payroll system. Customer wish to migrate their Exchange to exchange Onlne however concerned how their other existing stuff will work. Staff currently VPN into corp LAN and access their domain with their DC before authenticating via their local AD to access their payroll system. Dilemma Could AAD replace their local AD to do all above tasks? Or must Sync or federate AAD & local AD? Thank you in advance:)

Hi @Sebring · Thank you for reaching out. The recommendation is to sync the identities from On-premises AD to Azure AD first. Even for federation between AAD & local AD to work, identities must be synchronized. For payroll system, you need to first check which authentication protocols it support. If it supports modern authentication protocols, such as SAML, OAuth/OIDC etc., it can directly be federated and get authenticated with Azure AD. If it supports only the legacy authentication protocols, such as Kerberos or NTLM, you need to either keep local AD in place or choose to go with Azure AD Domain Services, which will consume the amount from your Azure Subscription. ----------------------------------------------------------------------------------------------------------- Please " Accept the answer " if the information helped you. This will help us and others in the community as well.

Hi Amanpreet, I've read thru and it makes sense now. Your info is particular important as alot of customers are now forced into a hybrid working environment due to lockdown.

Hi Amanpreet, If devices need to be hybrid joined (ie registered with AAD) then does it also require MDM (Intune or 3rd party)? Link below suggest you need MDM. https://learn.microsoft.com/en-us/windows/client-management/mdm/azure-active-directory-integration-with-mdm Many Thanks.

AAD dilemma: Replace local AD or sync/federate between local AD & AAD

Accepted answer

AmanpreetSingh-MSFT 56,306 Reputation points

2021-08-03T07:24:40.887+00:00

Hi @Sebring · Thank you for reaching out.

The recommendation is to sync the identities from On-premises AD to Azure AD first. Even for federation between AAD & local AD to work, identities must be synchronized.

For payroll system, you need to first check which authentication protocols it support. If it supports modern authentication protocols, such as SAML, OAuth/OIDC etc., it can directly be federated and get authenticated with Azure AD. If it supports only the legacy authentication protocols, such as Kerberos or NTLM, you need to either keep local AD in place or choose to go with Azure AD Domain Services, which will consume the amount from your Azure Subscription.

-----------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Please sign in to rate this answer.
AmanpreetSingh-MSFT 56,306 Reputation points

2021-08-12T07:58:28.51+00:00

Hi @Sebring · Just checking if you have any further question.

Sebring 41 Reputation points

2021-08-13T04:48:28.747+00:00

Hi Amanpreet,

Many Thanks for confirming & following up.

Their on-premise Payroll system (currently authenticated by local AD) is being migrated to cloud based Payroll system and will be authenticated by SMTP. I understand that SMTP maybe run on-premise server or provided by their telecoms carrier typically to allow fax to email (authenticate a device ie smart fax/printer).

Would know if there are better option available to SMTP authenticate users on Exchange online working from home?

AmanpreetSingh-MSFT 56,306 Reputation points

2021-08-13T08:46:58.897+00:00

@Sebring · For Exchange Online users working from home, you can enable SMTP Auth via Exchange Online by using below cmdlet:

To enable SMTP Auth for entire organization:
Set-TransportConfig -SmtpClientAuthenticationDisabled $false

To enable SMTP Auth for specific mailbox
Set-CASMailbox -Identity user@example.com -SmtpClientAuthenticationDisabled $false

Sebring 41 Reputation points

2021-08-18T06:56:28.48+00:00

Hi Amanpreet,

Got more details today. Customer will be logging into their online payroll system before sending an email from within the online payroll system. The online payroll system will reply upon the exchange online to send email to an external recipient. This is why an SMTP relay is required to authenticate & relay the email to be sent. The recipient will receive the incoming email as if it was created & sent from exchange online.

Will the SMTP enabled for specific mailbox (hence user) will support the above?

Currently the staff do not have local admin access to their PC and their local login is controlled centrally by their local AD. If the local AD is sync with the AAD then will this enable their staff to log into their PC when working at home?

If remote wish to access their local assets (file server) then would they still need to VPN into their office LAN? Is there any better way?

Thank you

AmanpreetSingh-MSFT 56,306 Reputation points

2021-08-23T09:01:57.487+00:00

Hi Sebring-0064 · Please find my comments inline.

Will the SMTP enabled for specific mailbox (hence user) will support the above?
I have never worked on such scenario, this has to be tested.

Currently the staff do not have local admin access to their PC and their local login is controlled centrally by their local AD. If the local AD is sync with the AAD then will this enable their staff to log into their PC when working at home?
Only syncing users with Azure AD won't be enough to authenticate users via AAD. The devices need to be Hybrid joined as well. Depending on whether your domain is federated or managed, follow one of the below docs:
1 - https://learn.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-managed-domains
2 - https://learn.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-federated-domains

If remote wish to access their local assets (file server) then would they still need to VPN into their office LAN? Is there any better way?
To access any local assets hosted on-premises, VPN is required. If you just want to access file server, you may consider implementing Azure File Sync service, which configures bi-directional replication between on-premises file server and Azure file share within Azure storage account. Users can then access file share either from Azure (without VPN) or from file server (with VPN)
Sign in to comment

AAD dilemma: Replace local AD or sync/federate between local AD & AAD

2 additional answers