Question

DavidDunstone-1372 asked · 1 Vote

Azure AD Connect user sign-in options

We are going through the unnecessarily complicated process of migrating Azure AD Connect to a new server. (Surely they could automate the migration to a new Azure AD Connect with the same configuration?)

In this environment, users currently sign in to Azure / Office 365 using Federation with AD FS.

When looking at the sign-in screen in the current Azure AD Connect instance, I was expecting to see the current sign-in method that is being used selected. Instead, it simply shows no options as selected. I'm assuming this is because the current Azure AD Connect instance was originally installed before most of these options were ever available. I assume then that Azure AD Connect has not been used at all to manage AD FS, even though AD FS is currently running on Windows 2012 R2. I also noticed there is no folder %ProgramData%\AADConnect\ADFS containing AD FS backup files, which also indicates that Azure AD Connect is not currently managing AD FS.
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-azure-ad-trust

So onto my questions.

If I select the sign-in option "Federation with AD FS", I understand that Azure AD Connect will start to manage AD FS in respect to the Azure AD trust and the AD FS certificates. At this time, I prefer for Azure AD Connect to not manage this. I just want to migrate to a new Azure AD Connect for now.

If I select the sign-in option "Do not configure", am I correct in my understanding that it will simply leave the authentication alone and AD FS will continue to simply work as it did before? If so, I will go with selecting this option. Are there any drawbacks to be aware of?


Tags: azure-ad-connect
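The question works out whether Azure AD Connect is managing AD FS from the presence of the %ProgramData%\AADConnect\ADFS backup folder, and whether sign-in is federated from the tenant's domain settings. The following PowerShell script is an added example (not from the question or any answer) that runs those same pre-migration checks in one place so the result can be recorded before the new Azure AD Connect server is installed. It assumes the MSOnline module is installed for the Azure AD checks, that the AD FS check is run on an AD FS server with the ADFS module, and that the domain name and relying party trust name are placeholders to be replaced.

```powershell
# Added example, not part of the original post. Pre-migration checks:
# (1) is Azure AD Connect managing AD FS (backup folder present)?
# (2) is the tenant domain federated, and which AD FS endpoints/certificate does Azure AD expect?
# (3) on the AD FS server, does the Azure AD relying party trust exist and which signing cert is primary?
# $DomainName and $RpTrustName are assumptions: replace with your own values.

$DomainName  = 'contoso.example'                          # placeholder federated domain
$RpTrustName = 'Microsoft Office 365 Identity Platform'   # assumed default name of the Azure AD trust

# 1. Azure AD Connect writes AD FS backups here only when it manages AD FS.
$backupPath = Join-Path $env:ProgramData 'AADConnect\ADFS'
if (Test-Path $backupPath) {
    Write-Output "Backup folder present ($backupPath): Azure AD Connect is managing AD FS."
} else {
    Write-Output "No $backupPath folder: Azure AD Connect is not managing AD FS."
}

# 2. Federation is a property of the Azure AD domain, independent of who manages AD FS.
Connect-MsolService
$domain = Get-MsolDomain -DomainName $DomainName
Write-Output "Domain $($domain.Name) authentication type: $($domain.Authentication)"

if ($domain.Authentication -eq 'Federated') {
    # Record the trust settings Azure AD currently holds, so they can be compared after migration.
    Get-MsolDomainFederationSettings -DomainName $DomainName |
        Select-Object IssuerUri, PassiveLogOnUri, ActiveLogOnUri, MetadataExchangeUri, NextSigningCertificate |
        Format-List
}

# 3. Run on an AD FS server: confirm the Azure AD trust and the primary token-signing certificate.
if (Get-Module -ListAvailable -Name ADFS) {
    Import-Module ADFS
    Get-AdfsRelyingPartyTrust -Name $RpTrustName |
        Select-Object Name, Identifier, Enabled |
        Format-List
    Get-AdfsCertificate -CertificateType Token-Signing |
        Select-Object IsPrimary, Thumbprint |
        Format-Table -AutoSize
} else {
    Write-Output "ADFS module not found: run step 3 on an AD FS server."
}
```

Keeping the output of this script from before the migration gives a baseline: if "Do not configure" is selected, none of these values should change after the new Azure AD Connect server is promoted, which is a simple way to confirm that the authentication path was indeed left alone.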

AndyDavid1608 answered · 1 Vote

Correct, if you choose "Do not configure", no changes will be made to your existing AD FS architecture.


dbird03 answered · 0 Votes

I'm currently in the same situation and had the exact same question. Thankfully I found the following blog post, which says to select "Do not configure" if you already have AD FS configured in your environment. Microsoft's documentation should be clearer about this and mention that "Do not configure" is an option if you have an existing AD FS infrastructure and are performing a swing migration of Azure AD Connect.

https://www.franken.pro/blog/azure-ad-connect-swing-migration-single-multiple-sync-server-towards-one-azure-ad-tenant


EirikLindem-8072 answered · 0 Votes

Hi.
Sorry to hijack this question, but I am in a similar situation.
Rather than not letting Azure AD Connect manage my AD FS, I want to change that, but I am afraid of the consequences of changing the sign-in method from "not configured" to "federated sign-in".
I am currently using "federated sign-in", just not configured by Azure AD Connect.
Can I break something when changing the setting in Azure AD Connect?

Thanks.
