This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(131.20000000000002, 52%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELG%3C/text%3E%3C/svg%3E)
Currently we use ADFS with no plans to setup Azure SSO in the near future. I have a business ease of use request that requires AAD Connect's PTA to be enabled for use with a 3rd party cloud app. We cannot do this if there is any detrimental impact to ADFS's functionality. Any insight is greatly appreciated.
Yes they can co-exist. But a user can only have one way to authenticate. You can achieve this with the Staged Rollout feature of Azure AD Connect. Your domain stays Federated, but you can pick Azure AD groups for which the member will use another method (such as PHS or PTA) without changing the UPN suffix of the user.
So you can have some users using AD FS, other using PTA. But you cannot have the same user using PTA in some cases and AD FS in other cases.
Thanks for the reply. From this information I don't think this is something we can do at the time just for the authentication need on a HoloLens. Appreciate the feedback.
Hi,
You can get that seamless SSO experience without ADFS using managed (PTA or PHS) if the devices are using Hybrid AADJ or AADJ (https://learn.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-join-hybrid) or Seamless SSO (https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso)
Thanks, We are aware. But that isn't a planned migration until next year. Needed to know if it was possible for both but it seems like it is not. Thanks anyway.
From a client's perspective, the way SSO would work with AD FS is very similar with the way it would work with PTA though. It's essentially Windows Integrated Authentication.
So as long as you configure your AD FS farm to allow WIA (which is the case by default, as long as the user agent of the browser is supported - and that's customizable) I don't see why an application would care if it's AD FS doing it or the PTA agent. Maybe that entire scenario warrants another post in this forum :)
The issue is actually with a 3rd party app for our HoloLens devices. The same app on our HAAD devices with ADFS signs in with SSO no problem. But its not playing nice with a HoloLens which is basically an AAD device. We have only just started playing around with AAD only devices as we do plan to migrate them in the next 1-2 years. Signing in works of course on the Hololens but its just not the seamless experience and they need to put in their password each time but that's just the state for now.