ShaunRieman asked

Local AD DS + Microsoft Office 365 E3 + Windows login, options for SSO

I've been told a 2-way sync with AD Connect is not possible, which means it probably doesn't do anything of what I need it to do. How do modern configurations connect AD DS + Azure AD (Office 365 E3) services if AD Connect cannot do a 2-way sync?

My goal is to get Windows Hello for Windows 10/11 login connected to Azure AD and the local DS so that users log in to a profile already connected to their Azure AD office.com work/school account, while also being able to configure group policy.

Is this possible? It seems like a really basic configuration. I was looking at AD FS but I'm not sure that's the right path either.

How do my users log in to a domain and then not have to sign in again to their Microsoft Office 365 accounts in Windows 10/11 account settings?

I appreciate your time, thank you.

Tags: windows-server, azure-active-directory, windows-active-directory, azure-ad-multi-factor-authentication, azure-ad-pass-through-authentication

ClementBETACORNE answered

Hello,

I think these articles can help you achieve what you want:

You don't need AD FS to allow access to M365 services when users log in on their corporate computers; you have to configure seamless SSO:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso

This decision tree will help you choose the best method depending on what you want to achieve:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn#decision-tree


So it sounds like instead of doing password hash sync I should do pass-through authentication with seamless SSO. How would new users be created then? If AD Connect doesn't import the full user into AD DS, how do I assign group policies?


If you decide that your computers will only be Azure AD joined, you will have to use Endpoint Manager or another third-party MDM to manage their settings:
https://docs.microsoft.com/en-us/mem/intune/configuration/administrative-templates-windows
If you choose hybrid Azure AD join, you can use Endpoint Manager or GPO. The advantage of Endpoint Manager is that even if the computer is not in the corporate network or connected via VPN you can still apply settings (the only dependency is that the computer needs to be connected to the Internet).


I'm going to have to do more reading but if you can give me any more details, I'd sincerely appreciate it.

ClementBETACORNE answered

I can give you some details regarding your use case:

  • Windows Hello for Business (WHfB)
    If you only have 2016 domain controllers you should go with the hybrid key trust scenario.

  • Computer management
    You should go with hybrid Azure AD join; that way you can still use your existing GPOs, and it is mandatory for WHfB hybrid.

  • Azure AD Connect
    If you don't have a requirement for authentication to cloud apps to happen on-premises, you should go for Password Hash Sync with seamless SSO.
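The answers above describe a target state (hybrid Azure AD joined device, seamless SSO, WHfB hybrid key trust) but not how to confirm a given Windows 10/11 machine has actually reached it. The following PowerShell is an added example, not code from the original thread or from Microsoft: it parses the output of the built-in `dsregcmd /status` command and reports whether the device is domain joined (GPO still applies), registered in Azure AD (hybrid join completed), holds a Primary Refresh Token (the token behind SSO to M365) and has a WHfB key set. The `$SampleOutput` text is constructed so the parser can be exercised offline; `Test-HybridJoinReadiness` and `ConvertFrom-DsregStatus` are hypothetical names chosen for this example.

```powershell
# Added example (not from the original Q&A). Checks hybrid Azure AD join /
# seamless SSO / WHfB readiness on a Windows 10/11 device by parsing
# `dsregcmd /status`. Field names (DomainJoined, AzureAdJoined, AzureAdPrt,
# NgcSet) are the ones dsregcmd prints; the sample block below is constructed.

function ConvertFrom-DsregStatus {
    # Turn the "   Key : Value" rows of dsregcmd output into a hashtable.
    # Section headers and +---+ separators do not match the pattern and are skipped.
    param([Parameter(Mandatory)][string[]]$Lines)
    $result = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.+?)\s*$') {
            $result[$matches[1]] = $matches[2]
        }
    }
    return $result
}

function Test-HybridJoinReadiness {
    # Evaluate the states the thread's recommendation depends on.
    param([Parameter(Mandatory)][hashtable]$Status)
    $checks = [ordered]@{
        'DomainJoined  (on-prem AD, GPO applies)'       = ($Status['DomainJoined']  -eq 'YES')
        'AzureAdJoined (hybrid join completed)'         = ($Status['AzureAdJoined'] -eq 'YES')
        'AzureAdPrt    (PRT present, SSO to M365 works)' = ($Status['AzureAdPrt']    -eq 'YES')
        'NgcSet        (WHfB key provisioned)'          = ($Status['NgcSet']        -eq 'YES')
    }
    foreach ($name in $checks.Keys) {
        $mark = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
        Write-Output ("[{0}] {1}" -f $mark, $name)
    }
    # Hybrid join + PRT is the minimum for the "no second sign-in" goal;
    # NgcSet is only expected after WHfB enrollment has finished.
    $hybridSso = $checks['DomainJoined  (on-prem AD, GPO applies)'] -and
                 $checks['AzureAdJoined (hybrid join completed)'] -and
                 $checks['AzureAdPrt    (PRT present, SSO to M365 works)']
    return [pscustomobject]@{
        HybridJoinWithSso = $hybridSso
        WhfbProvisioned   = $checks['NgcSet        (WHfB key provisioned)']
        TenantName        = $Status['TenantName']
        DeviceId          = $Status['DeviceId']
    }
}

# Constructed sample resembling the relevant rows of `dsregcmd /status`.
# Replace with:  $lines = dsregcmd /status   on a real device.
$SampleOutput = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO
                TenantName : Contoso (constructed)
                  DeviceId : 00000000-0000-0000-0000-000000000000
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : YES
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : NO
'@ -split "`r?`n"

$status = ConvertFrom-DsregStatus -Lines $SampleOutput
$report = Test-HybridJoinReadiness -Status $status
$report | Format-List
```

On a live machine, run it as the signed-in user (the SSO State and User State sections are per-user, so an elevated session for a different account will show `AzureAdPrt : NO` even when SSO works for the end user). A device that reports `DomainJoined : YES` but `AzureAdJoined : NO` has not completed hybrid join, which is the usual reason users are prompted a second time for their M365 account in Windows settings.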