question

Bypass ADFS SSO

ADMINMcFarlaneCraig-6106 asked

Hello. Thank you for any help you can give.

We have our on-prem AD and our Azure AD synchronising via Azure AD Connect. We also use on-prem ADFS for SSO.

We synchronise our on-prem AD accounts and, let's say, they have the UPN of firstname.lastname@domain1.com. We have a need for some accounts that have the @domain1 UPN to not be sent to our on-prem ADFS server and for them to just log in in the same way you would if you used @domain1.onmicrosoft.com.

Is this possible?

Thanks in advance

adfs

piaudonn answered

By default, domains are either managed or federated. You configure this with the MSOL PowerShell module. When a domain is federated, the authentication takes place somewhere other than Azure AD, on a federation service of your choice (i.e. ADFS). When a domain is managed, Azure AD performs the authentication. In that case, either you enable PHS to authenticate users directly in the cloud, or PTA to have users send their credentials to Azure AD, where an on-premises agent then picks up the request and authenticates the users on-premises. In those last two cases, you can also enable Seamless Single Sign-On to maintain an SSO experience for domain-joined machines.

That said, you can also configure the Staged Rollout feature. This allows you to use a group to select users within a federated domain to use PHS or PTA instead of ADFS. There is documentation that explains how to use that transition feature:
- Migrate from federation to password hash synchronization for Azure Active Directory
- Migrate from federation to pass-through authentication for Azure Active Directory

Looking at your scenario, that Staged Roll Out feature might be the way to go for you.

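As an added illustration of the answer above (this is editor-supplied example code, not part of the original thread or of any Microsoft documentation), the following PowerShell walks the procedure the answer describes: confirm whether the domain is federated or managed, inspect where federated sign-ins are currently being sent, check the prerequisites of the group used for Staged Rollout, and, only once the rollout is complete, cut the domain over to managed authentication. It assumes the MSOnline module is installed and that you hold a role allowed to change domain authentication; `domain1.com`, the group name `SG-StagedRollout-PHS` and the sample UPN are placeholders taken from or invented for this thread.

```powershell
# Editor-added example, not code from the original thread.
# Assumes: MSOnline module installed, Connect-MsolService succeeds with an
# account permitted to read domains/groups and change domain authentication.
# Placeholders: domain1.com, SG-StagedRollout-PHS, firstname.lastname@domain1.com
Connect-MsolService

# 1. How does each verified domain authenticate today?
#    Federated -> sign-ins are redirected to the federation service (ADFS)
#    Managed   -> Azure AD authenticates the user itself (PHS or PTA)
Get-MsolDomain | Select-Object Name, Status, Authentication

# 2. For the federated domain, record which ADFS farm sign-ins go to now.
#    Keep this output: you need IssuerUri/PassiveLogOnUri if you ever
#    have to roll back with Set-MsolDomainAuthentication -Authentication Federated.
Get-MsolDomainFederationSettings -DomainName 'domain1.com' |
    Select-Object FederationBrandName, IssuerUri, PassiveLogOnUri, ActiveLogOnUri

# 3. Staged Rollout prerequisites. The domain stays federated; members of the
#    selected security group are authenticated by Azure AD (PHS or PTA) instead
#    of being sent to ADFS. PHS or PTA must already be enabled in Azure AD Connect,
#    the group must be a security group (nested and dynamic groups are not
#    supported), and the feature itself is switched on in the Azure AD Connect
#    blade of the portal under "Enable staged rollout for managed user sign-in".
$group = Get-MsolGroup -SearchString 'SG-StagedRollout-PHS'
if (-not $group) { throw "Staged Rollout group not found" }
if ($group.GroupType -ne 'Security') { throw "Staged Rollout requires a security group" }
Get-MsolGroupMember -GroupObjectId $group.ObjectId |
    Select-Object DisplayName, EmailAddress

# 4. Sanity-check one of the accounts that should stop hitting ADFS:
#    it must be a synced (hybrid) user whose UPN suffix is a verified domain.
#    Cloud-only accounts are never sent to ADFS in the first place.
Get-MsolUser -UserPrincipalName 'firstname.lastname@domain1.com' |
    Select-Object UserPrincipalName, ImmutableId, LastDirSyncTime

# 5. Final cutover, run ONLY after every user has been validated via Staged
#    Rollout and password hashes are confirmed synced. This converts the whole
#    domain so all @domain1.com users sign in the "@domain1.onmicrosoft.com way".
# Set-MsolDomainAuthentication -DomainName 'domain1.com' -Authentication Managed
```

Two caveats a practitioner will want. First, users moved to PHS/PTA via Staged Rollout no longer pass through ADFS, so any control enforced only at the federation server (ADFS access control policies, ADFS-side MFA, certificate-based authentication, client access rules) silently stops applying to them; recreate the equivalent as Azure AD Conditional Access before adding users to the group. Second, the MSOnline module used throughout this thread has since been deprecated by Microsoft in favour of the Microsoft Graph PowerShell SDK; the cmdlets still illustrate the model (managed vs. federated) but new automation should not be built on them.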

jhueppauff answered

Hi,

If you create (not sync) those accounts as "cloud only" accounts in Azure AD directly, those will not be sent to ADFS.

Regards
Julian

ADMINMcFarlaneCraig-6106 commented

Thanks mate. With over a thousand accounts that's not really going to work for us. We need auto sync of on-prem to Azure AD.

Might need to look at other solutions that aren't ADFS.
