question

roylee-9083 avatar image
0 Votes"
roylee-9083 asked ·

Azure AD hybrid join computer

Hi All,

We are now configured AADC to sync on-prem AD object to O365 with ADFS for federation and access control.

We are planning to dismiss the ADFS and migrate to Azure AD conditional access and keep AADC to sync on-prem AD object / password hash to O365.

1 of the Azure AD conditional access condition should be only allow domain joined computer, which need Azure AD hybrid join as I know.

During the migration, I am thinking if Azure AD hybrid join can point to Azure AD directly instead of ADFS so that we can test and finally dismiss the ADFS?

From Microsoft document for Configure hybrid Azure Active Directory join for Federated domain: https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan

Select the authentication service. You must select AD FS server unless your organization has exclusively Windows 10 clients and you have configured computer/device sync, or your organization uses seamless SSO.

Seems like i can select Azure AD for the authentication service instead of ADFS.

Thanks,
Roy

azure-ad-connect
10 |1000 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

3 Answers

shashishailaj avatar image
0 Votes"
shashishailaj answered ·

Hello @roylee-9083 ,

Yes , You can use Azure AD for authentication directly . You can setup Password Hash sync and Seamless SSO and you can get all the benefits of single sign-on without ADFS . while configuring the User sign-in you can configure it with Password hash sync and tick the checkbox called enable single sign-on

usersignin4.png

The above would work for setting up seamless SSO . But this setup without ADFS works best if you have all windows 10 devices with latest updates. You should make sure that If you have any application in your on-premise which depends on ADFS for authentication then you would need to migrate them to the cloud or use Azure AD application proxy for the same. The application migration for any app that was dependent on ADFS would need to be checked and applications updated accordingly. even though Azure AD supports all the auth protocols as ADFS , you may need to make some changes in the application code before migration. Any application which works on legacy protocols like Kerberos , NTLM in your local on-premise environment will continue to be accessed in same way as they will require you to make sure that the application has a line of sight AD domain controller for authentication.

If all your applications are already in azure and use azure AD for identity authentication/authorization and you have all clients as windows 10 (latest) hybrid azure AD joined then you do not need to worry about at all while removing ADFS. You can use the AD connect to setup PHS as well as seamless SSO by checking that option of enable Single sign-on . We have a great article for migrating from federation to Password hash sync for Azure AD which explains it all with all pre-requisites. In case you have any managed domains then you can setup hybrid Azure AD join for them as well. Please go through the articles and I am sure you will be able to plan your migration to Azure AD from ADFS better.

Hope the above clarifies your query and answers your doubts. If the information provided in the answer helps you , please do accept it as answer so that it increases the relevancy of the answer and it is easily found by community members searching for similar issues.

Thank you.




· 1 ·
10 |1000 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

roylee-9083 avatar image roylee-9083 ·

Hi shashishailaj,

Thanks. According to your screen, seems like it switch from ADFS to PasswordHash direct.

But I would like to know if it's possible to keep authenticate by ADFS while I can make to Azure AD hybrid join computer point to Azure directly? As it has option to point to Azure AD or ADFS when configure Hybrid azure AD join.
6973-untitled.jpg

So that I make sure all my domain computers finished Azure AD hybrid join, then I can switch from ADFS authenticate and access control to Azure AD authenticate with passwordhash sync and conditional access.

Thanks,
Roy


0 Votes 0 ·
untitled.jpg (117.7 KiB)
roylee-9083 avatar image
0 Votes"
roylee-9083 answered ·

Hi shashishailaj,

Any idea about my comment on your answer.

Thanks,
Roy

·
10 |1000 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

roylee-9083 avatar image
0 Votes"
roylee-9083 answered ·

Hi shashishailaj,

Thanks. According to your screen, seems like it switch from ADFS to PasswordHash direct.

But I would like to know if it's possible to keep Office 365 authenticate by ADFS while make Azure AD hybrid join computer point to Azure directly? As it has option to point to Azure AD or ADFS when configure Hybrid azure AD join.
7203-6973-untitled.jpg



So that I do Azure AD hybrid domain join gradually and make sure all my domain computers finished Azure AD hybrid join, then I can switch from ADFS authenticate and access control to Azure AD authenticate with passwordhash sync and conditional access.

Thanks,
Roy


6973-untitled.jpg (117.7 KiB)
·
10 |1000 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.