Local AD DS + Microsoft Office 365 E3 + Windows login, options for SSO

Shaun Rieman 41 Reputation points
2021-10-07T14:12:03.287+00:00

I've been told that two-way sync with AD Connect is not possible, which means it probably doesn't do anything of what I need it to do. How do modern configurations connect AD DS and Azure AD (Office 365 E3) services if AD Connect cannot do a two-way sync?

My goal is to get Windows Hello for Windows 10/11 login connected to Azure AD and the local DS, so that users log in to a profile already connected to their Azure AD office.com work/school account, while also being able to configure group policy.

Is this possible? It seems like a really basic configuration. I was looking at AD FS, but I'm not sure that's the right path either.

How do my users log in to a domain and then not have to sign in again to their Microsoft Office 365 accounts in Windows 10/11 account settings?

I appreciate your time, thank you.

Tags: Windows Server, Active Directory, Microsoft Entra ID

2 answers
  1. Clément BETACORNE 2,031 Reputation points
    2021-10-07T14:51:42.027+00:00

    Hello,

    I think these articles can help you achieve what you want:

    You don't need AD FS to allow access to M365 services when they log in on their corporate computers; you have to configure seamless SSO:
    https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso

    This decision tree will help you choose the best method depending on what you want to achieve:
    https://learn.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn#decision-tree


  2. Clément BETACORNE 2,031 Reputation points
    2021-10-07T20:14:50.23+00:00

    I can give you some details regarding your use case:

    • Windows Hello for Business (WHfB)
      If you only have 2016 domain controllers, you should go to the hybrid key trust scenario.
    • Computer management
      You should go hybrid Azure AD join; that way you can still use your existing GPOs, and it will be mandatory for WHfB hybrid.
    • Azure AD Connect
      If you don't have a requirement for authentication to cloud apps to happen on-premises, you should go for Password Hash Sync with seamless SSO.
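A way to verify, on a single client, that the three pieces the answer above describes are actually in place (hybrid Azure AD join, a Primary Refresh Token for silent Microsoft 365 sign-in, and a provisioned Windows Hello for Business key). This is an added example, not code from the thread or from Microsoft: it parses the output of the built-in `dsregcmd /status` tool, and the field names it relies on (`DomainJoined`, `AzureAdJoined`, `AzureAdPrt`, `NgcSet`) are the ones that tool prints. The sample output embedded below is constructed so the script can be run offline; the function names `Get-DsregState` and `Test-HybridSsoReadiness` are this example's own.

```powershell
# Added example: check a Windows 10/11 client's hybrid join / SSO / WHfB state
# by parsing dsregcmd /status. Run in the user's own session, because the
# AzureAdPrt and NgcSet values are per-user.

function Get-DsregState {
    # Turn the "Key : Value" lines of dsregcmd /status into a hashtable.
    # With no argument it runs the real tool; pass -Lines to parse captured text.
    param([string[]]$Lines = (& dsregcmd.exe /status))
    $state = @{}
    foreach ($line in $Lines) {
        # Lines of interest look like "      AzureAdJoined : YES"; headers and
        # multi-word keys such as "Executing Account Name" are skipped.
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-HybridSsoReadiness {
    # Print one line per check and return $true only if every check passes.
    param([hashtable]$State)
    $checks = [ordered]@{
        'Domain joined (on-prem AD; GPOs apply)'              = ($State['DomainJoined']  -eq 'YES')
        'Azure AD joined (hybrid join registered in cloud)'   = ($State['AzureAdJoined'] -eq 'YES')
        'Primary Refresh Token present (silent M365 sign-in)' = ($State['AzureAdPrt']    -eq 'YES')
        'Windows Hello for Business key provisioned (NgcSet)' = ($State['NgcSet']        -eq 'YES')
    }
    $allOk = $true
    foreach ($name in $checks.Keys) {
        $ok = $checks[$name]
        if (-not $ok) { $allOk = $false }
        $label = if ($ok) { 'OK' } else { 'FAIL' }
        Write-Host ('{0,-4} {1}' -f $label, $name)
    }
    return $allOk
}

# Constructed sample of the relevant dsregcmd /status sections, used so the
# parser can be exercised without a domain-joined machine at hand.
$SampleText = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : NO
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : YES
'@
$SampleLines = $SampleText -split "`r?`n"

$state = Get-DsregState -Lines $SampleLines
$ready = Test-HybridSsoReadiness -State $state
# For the constructed sample this prints three OK lines, one FAIL for NgcSet,
# and $ready is $false. On a real client, replace the two lines above with:
#   $ready = Test-HybridSsoReadiness -State (Get-DsregState)
```

Reading the result: `DomainJoined : YES` with `AzureAdJoined : NO` means the device was never registered with Azure AD, so the hybrid Azure AD join step in Azure AD Connect ("Configure device options") has not taken effect for it; `AzureAdPrt : NO` on a hybrid-joined device means Windows is not holding a Primary Refresh Token and the user will be prompted again for Microsoft 365; `NgcSet : NO` simply means this user has not yet gone through Windows Hello for Business provisioning on this device.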