question

salves asked:

Changing SSO authentication method from ADFS to ADConnect

Hi,

Today I have a server with the ADFS function that is used for SSO authentication for the O365 service.

We have ADConnect to synchronize users.

I need:

1 - Change the configuration so that SSO does not use ADFS; I know that ADConnect in the latest versions has this possibility.

Doubts:

  • When changing the ADConnect configuration, O365 will no longer use ADFS authentication and will use direct authentication with ADConnect over the Internet (https). Am I right?

  • Do I need to publish ADConnect for internet?

  • I have one domain (root) and one child domain, and I need the users that use O365 to authenticate to the services using the credentials of the child domain. Any problem?

Thank you.

azure-ad-connect

@SandroAlves-7928 I wanted to follow up and know if the responses from AndyDavidMVP helped in answering your query. If they did, please accept the response as Answer and Up-Vote the answer that helped you, for the benefit of the community.


AndyDavid1608 answered:

Well, there is no direct authentication with AADConnect. You authenticate with Azure. (And no, publishing the AADConnect server on the internet is not required.)
When you transition from a federated to managed scenario using SSO/PHS, you are setting AADConnect to handle the PHS and SSO configuration, not so you can authenticate to AADConnect.

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-migrate-adfs-password-hash-sync

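As an added example (not part of AndyDavid1608's reply, and not code from the linked article), the following PowerShell shows the checks an administrator runs around the federated-to-managed cutover that the linked article describes: confirm which domains still send sign-ins to ADFS, confirm password hash sync has actually run on the Azure AD Connect server, then switch the domain to Managed and verify. The MSOnline and ADSync cmdlets are real; the domain name and the Azure AD Connect server name are placeholders.

```powershell
# Added example: verify state before and after converting a federated domain
# to managed (PHS + Seamless SSO), per the Microsoft article linked above.
# Assumptions: MSOnline module on an admin workstation, ADSync module on the
# Azure AD Connect server (installed with it). Placeholders: contoso.example,
# AADCONNECT01. The "Change user sign-in" step itself is done in the Azure AD
# Connect wizard (select Password Hash Synchronization + Enable single sign-on).

Import-Module MSOnline
Connect-MsolService   # prompts for a Global Administrator account

$domain = 'contoso.example'         # placeholder: your verified tenant domain
$aadConnectServer = 'AADCONNECT01'  # placeholder: your Azure AD Connect server

# 1. Which domains are still Federated, i.e. still redirecting sign-ins to ADFS?
Get-MsolDomain | Select-Object Name, Authentication, Status

# 2. Do not cut over until PHS is enabled and a sync cycle has completed,
#    otherwise Azure AD has no hashes to validate and users cannot sign in.
Invoke-Command -ComputerName $aadConnectServer -ScriptBlock {
    Import-Module ADSync
    # PasswordHashSync should report True after the wizard change
    Get-ADSyncAADCompanyFeature
    # Scheduler should be enabled so the hashes keep flowing
    (Get-ADSyncScheduler).SyncCycleEnabled
}

# 3. Cut the domain over. After this Azure AD validates the password hash
#    itself; ADFS is no longer in the sign-in path for this domain.
Set-MsolDomainAuthentication -DomainName $domain -Authentication Managed

# 4. Confirm the new state. Keep the ADFS farm running until every domain
#    shows Managed and test sign-ins from the child domain succeed.
Get-MsolDomain -DomainName $domain | Select-Object Name, Authentication
```

The checks in steps 1 and 2 are the part worth keeping in your runbook: converting a domain to Managed before hashes have synced is the usual cause of a tenant-wide sign-in outage during this migration, and Get-MsolDomain is the quickest way to confirm that no domain is still pointing at ADFS before the federation server is decommissioned.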

Hi,

Grateful for the answer.

So when the user accesses O365 services he will no longer be directed to on-premises (ADFS), but to Azure.

ADConnect remains responsible for ensuring user synchronization.

This agent that we need to install, what is its role?

Will I be able to use users from my child domain to authenticate to O365 services?

Currently, only my domain (root) is synchronized with O365. Do I also need to synchronize my child domain with O365?

Thank you.

[attachment: capturar.jpg (30.8 KiB)]
AndyDavid1608 answered:

I think you are referring to the Pass-through Authentication agent? That's different from the PHS/SSO solution:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta-quick-start

If you want objects in the child domains to use PHS and authenticate against Azure, then, yes, you will need to ensure they are synced as well. Hope that helps.
