Azure AD SAML SSO Exchange Online, Teams

Question

Hi We have M365 with ADFS (through usual AAD Connect). I am wondering if it is possible to set up the basic platforms like Exchange Online, Teams, Sharepoint Online, OneDrive with Azure AD SAML SSO (Through Enterprise app). Basically we want to set it up as session based access control policy so that we can control blocking download or upload. Long term standpoint too we want to move from ADFS to Azure AD SAML SSO. If possible, what are the step by step process?

Answer 1

GoodResource I want to help you with this question.

If I understand you right you want to bypass ADFS on the mentioned apps.
That's possible but keep in mind that the authentication is based on the user object or the UPN in the ADFS. This means that the user can have the authentication status "federated" or "managed". If it is "managed", it is no longer redirected to ADFS and uses Azure authentication.

This scenario is also explained again here:

https://learn.microsoft.com/en-us/azure/active-directory/hybrid/connect/how-to-connect-staged-rollout

It is recommended to first test the new authentication flow with a test group and then migrate the remaining users step by step.

Normally, the Home Realm Discovery process would redirect the routing of a defined domain in ADFS directly back to ADFS authentication. However, the change ( via Azure AD Connect Wizard and Powershell) allows, for example, ******@domain.com to be assigned the status "managed" (through group assignment) and ******@domain.com to continue using ADFS authentication through the existing status "federated" and no group assignment.

In general, the command to change the authentication type is: Set-MsolDomainAuthentication -DomainName domain.com -Authentication Managed

You can also check with the PS Command "Get-MsolDomain" what the authentication state is for the users at that moment.

But please follow the steps of the staged migration process.

In short words, these are the necessary steps (for specific groups)):

• Enable & start Azure AD Connect Password Sync.
• Change domain from "Federated" to "Managed
• Test client access

In conclusion, yes, it is possible, but not on an app basis, but only for a specific user group.

---

If the reply was helpful, please don’t forget to upvote or accept it as an answer, thank you.

Answer 2

@GoodResource Thank you for reaching out to us, As I understand you want to migrate from ADFS to Azure AD, would recommend referring these articles would be helpful

https://www.microsoft.com/en-us/security/business/identity-access/upgrade-adfs

Choose the right authentication method with Azure AD - https://learn.microsoft.com/en-us/azure/active-directory/hybrid/connect/choose-ad-authn#cloud-authentication

Also, apps which you mentioned in the query (Exchange Online, Teams, SharePoint Online, OneDrive) are already integrated with Azure AD, you just need to change the authentication type of your users from federated to managed and have proper conditional access policies defined - https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-session

If the above information, doesnt help let me know, feel free to post back and discuss further on the same.

Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.