SomeName-4319 asked (edited by piaudonn)

Keep ADFS functioning if on-prem DCs are unavailable

I have been tasked with getting SSO working for a few of our vendors (none have an Azure enterprise app), so I am thinking ADFS. I have an on-prem domain with Azure AD sync configured for our Azure tenant, Office 365 only. I was getting ready to map out the project when the project changed. I need to have the ability for my users to log in to our vendor sites using SSO if connectivity to my DCs goes down. To achieve my goal of SSO with some kind of failover I am thinking AADDS (or would building out an Azure VM DC\VPN solution be better?) and running an ADFS VM in Azure. Would this work? Is there another way to keep logins working if connectivity to my on-prem DCs goes down? Also, I am thinking the Azure VM DC will not work because of the VPN requirement; I have many remote users.

How to keep SSO logins working if on-prem DCs are unavailable?

Tags: adfs, azure-ad-domain-services

Dev073 answered

Hi Some, thanks for posting.

ADFS will not function without functional domain controllers, since the DCs are required to process the claim request.

If it's an internal app, you should be able to leverage an app registration to hook the application up with AAD.

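To make the dependency described in the answer visible, here is an added diagnostic (not from the thread or from Microsoft) to run on the AD FS server: it asks the DC locator for a domain controller and then checks the ports a claim request relies on. It assumes the RSAT ActiveDirectory module is installed; the domain name is a placeholder.

```powershell
# Added example, not part of the original thread. Run on the AD FS host.
# Assumes the ActiveDirectory module (RSAT) is present.
$domain = 'corp.example.com'   # placeholder: replace with your AD DNS domain name

# Step 1: locate a DC the same way the AD FS host does (DC locator).
# If this fails, AD FS cannot validate credentials or build claims.
try {
    $dc = Get-ADDomainController -DomainName $domain -Discover -ForceDiscover -ErrorAction Stop
    $dcHost = [string]$dc.HostName
    Write-Output "DC locator returned: $dcHost"
} catch {
    Write-Warning "No domain controller could be located for ${domain}: $_"
    return
}

# Step 2: confirm the ports AD FS needs on that DC are reachable:
# Kerberos (88), LDAP (389) and Global Catalog (3268).
foreach ($port in 88, 389, 3268) {
    $r = Test-NetConnection -ComputerName $dcHost -Port $port -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
    Write-Output ("{0} port {1}: {2}" -f $dcHost, $port, $state)
}

# Step 3: verify this machine's secure channel to the domain is healthy.
Test-ComputerSecureChannel -Verbose
```

If step 1 fails or any port reports BLOCKED, sign-ins through this AD FS server will fail regardless of where the server itself is hosted.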

SomeName-4319 answered (Dev073 commented)

I cannot use AADDS to fulfil the claim request? I have to have a DC?


Hi Some,

Yes, domain controllers are the best option.

While you can technically work around this by deploying ADFS in AADDS, I haven't seen this type of topology in a working production environment or anything official from MS.
