I've inherited a network where at some point the company had both Dirsync with ADFS and Azure AD Connect running at the same time. I don't know what harm this may have caused. Dirsync was then removed. Azure AD Connect was uninstalled, reinstalled, and reconfigured.

Fast forward. If the ADFS server, which is still running the ADFS role, goes down, Office 365 will not authenticate users, either via OWA or Outlook. When I use get-msolservice against my O365 account, all four of my domains say "Managed" under authentication, which, as I understand it, means they are not federated at that point.

On the local ADFS server, there's a Relying Party Trust created with a URL that if taken offline will also break authentication with OWA/Outlook.

Does anyone know if I should just uninstall the ADFS role on the server, and whether this will fix the link between O365 and Active Directory? We do not need ADFS; we just want to do Azure AD Connect.

Thanks, B

  • No, uninstalling it will break everything. You have to also `convert-msoldomaintostandard` – Appleoddity Jun 21 '18 at 22:35
  • Thanks. Is that the command that would put the domain in a "Managed" state when I'm looking at the msolservice? All of my domains are "managed" and none are "federated". – Brandon Jun 28 '18 at 16:51
  • I have gone through everything I can think of and in every way I can find to look my domains are not federated. In the Azure portal, Federation says it is disabled. In powershell, none of the domains are federated. If I run any commands that'd normally return the details of a federated domain, I get back nothing. However, I still have some link to ADFS because if my ADFS server is offline users can't login. I opened a ticket with MS support that was of no help. They just kept telling me that there is no connection despite me telling them there was. Okay, back to more Googling. – Brandon Jun 28 '18 at 18:43
  • Your googling should have taken you to clearly defined documentation from Microsoft that indicates you also have to use `convert-msoldomaintostandard` when you are removing ADFS. It involves the user accounts and passwords syncing. Do some research then link back here with what you’ve read and followed. The directions are out there. – Appleoddity Jun 28 '18 at 18:45
  • Have you seen that you can also convert your domain easily with AD Connect? By simply bringing up the configuration interface and switching it from AD FS to password sync. Depending on how things were setup or what has been done already, this may be an option too. – Appleoddity Jun 28 '18 at 18:52
  • Sorry if I was unclear, but I meant to convey that it looks like all of those steps have already been taken. I've read through the documentation for convert-msoldomaintostandard at https://docs.microsoft.com/en-us/powershell/module/msonline/convert-msoldomaintostandard?view=azureadps-1.0 and reviewed the current documentation for conversion at https://github.com/Identity-Deployment-Guides/Identity-Deployment-Guides/blob/master/Authentication/Migrating%20from%20Federated%20Authentication%20to%20Password%20Hash%20Synchronization.docx. – Brandon Jun 28 '18 at 18:55
  • The domains look to be completely unfederated in Azure AD Connect, the Azure AD Portal, and when running Get-MSOLDomain. – Brandon Jun 28 '18 at 18:56
  • When you convert a domain from federated to standard, and if you confirm 365 sees it as standard, it can take 45 minutes to several hours for it to go into effect. Nothing you can do, as it's on Microsoft's end, and you just have to wait for it. – SteamerJ Dec 10 '18 at 17:21

A few things to understand here. Office 365 offers a few different ways you can authenticate through it.

As standard it will be Cloud Only where accounts only exist in Office 365. Usernames and Passwords are created by the admins and maintained separately from any other identity the user might have.

Azure AD Connect allows you to sync the identities up so that the meta data (username, displayname, email) and so will match Office 365. Azure AD Connect also has the option to sync the passwords where a hashed version of your users password from AD will be synced to the Azure AD that Office 365 runs on.

This will give the users a "Same Sign-On" experience; it will not automatically log the user into Office 365 when they are already logged onto the AD on their computer, but the credentials are the same, so it makes it easier for the user.

Then we have the Single Sign-On options. Here the concept is that the user logs in only once: when they have logged onto their machine, the token the machine already has with the AD will be used to automatically log the user on to services like Office 365 without the need for the user to type credentials.

With ADFS, you can get Single Sign-On. For ADFS to work with Office 365 it is absolutely required that you run Azure AD Connect (DirSync) and that your on-premises credentials match those synced to the cloud.

You will tell Office 365 that the domain is federated, this basically says that when a user attempts to log into Office 365, it is not Azure AD it should ask, but it will redirect the user to the ADFS server and authenticate there, the ADFS server will then tell Office 365 that the user is authenticated and allow the user to log in.

If you remove ADFS but keep Azure AD Connect you can have a Same Sign-On experience (though it is possible to do Single Sign-On with the newer version of Azure AD Connect).

To remove ADFS from this setup you need to convert your federated domains in Office 365 to managed domains.

I hope this helps with understanding the setup and answers your questions.

Edit
Just realised I missed part of your question.
You can easily check if Office 365 tries to federate a domain through ADFS. If you go to https://portal.office.com, type something@domain.tld and hit enter, it will check to see if the domain, in this case domain.tld, is federated. If it is, it will redirect your login to the ADFS login page; if not, it will keep it on Office 365.

If it is on Office 365 then you can go ahead and remove the ADFS servers (at least from Office 365's point of view; if you authenticate with other providers you will need to check with them too).
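The checks the answer describes, done from PowerShell instead of the browser, as an added example that is not part of the original answer. It looks at the three places a lingering federation can hide: what Azure AD records for the domain, what the sign-in page's home realm discovery actually returns (the programmatic form of the portal.office.com test above), and what relying party trusts the on-premises AD FS server still holds. It assumes the MSOnline module (Connect-MsolService) and, for the last step, the ADFS module on the AD FS host; `domain.tld` is a placeholder for one of your verified domains, and the relying party trust name is the one Convert-MsolDomainToFederated normally creates.

```powershell
# Added example, not from the original answer. Placeholder domain; replace it.
$domain = 'domain.tld'

# 1. What Azure AD itself records. A Managed domain has no federation settings,
#    so Get-MsolDomainFederationSettings errors out for it (suppressed here).
Connect-MsolService
Get-MsolDomain | Select-Object Name, Authentication, Status

$fed = Get-MsolDomainFederationSettings -DomainName $domain -ErrorAction SilentlyContinue
if ($fed) {
    "$domain is federated: passive logon $($fed.PassiveLogOnUri), issuer $($fed.IssuerUri)"
} else {
    "$domain has no federation settings in Azure AD"
}

# 2. What the sign-in page actually does. Home realm discovery returns
#    NameSpaceType 'Managed' or 'Federated'; for a federated realm AuthURL is
#    the AD FS endpoint the browser would be redirected to. Any user name works,
#    the lookup is by domain suffix only.
$realm = Invoke-RestMethod -Uri "https://login.microsoftonline.com/GetUserRealm.srf?login=someone@$domain&json=1"
$realm | Select-Object NameSpaceType, DomainName, AuthURL, FederationBrandName
if ($realm.NameSpaceType -eq 'Federated') {
    "Sign-in for $domain is still redirected to $($realm.AuthURL)"
}

# 3. What the AD FS server still holds. Run this on the AD FS host. The
#    Office 365 trust is normally named 'Microsoft Office 365 Identity Platform';
#    its Identifier is the URL the question refers to in the relying party trust.
Get-AdfsRelyingPartyTrust | Select-Object Name, Identifier, Enabled

# 4. Only if step 1 or 2 reports Federated: convert the domain to managed.
#    Password hash sync must already be on in Azure AD Connect, otherwise users
#    have no password in the cloud once AD FS is out of the path. -PasswordFile
#    receives the temporary passwords Azure AD assigns to any user it has to reset.
# Convert-MsolDomainToStandard -DomainName $domain -SkipUserConversion $false -PasswordFile "C:\temp\$domain-passwords.txt"
```

If steps 1 and 2 both say Managed but sign-in still fails when AD FS is offline, the dependency is not the domain's federation setting in Azure AD; step 3 tells you what the AD FS server is still trusted for, which is the place to look next. Allow for the propagation delay mentioned in the comments after any conversion before re-testing.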