This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 64%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
Hi,
How can a service account in active directory sign in to azure with ADFS?
It seems like when using ADFS, the domain user has to enter his credentials to a login page. What should a service account do in the same case (as it is not an interactive user...)?
Can Entra ID define if it is a service account or a regular domain user based on its sign in details or any other details?
Thanks
Federated identity management using Active Directory Federation Services
A cloud-based identity and access management service for securing user authentication and resource access
An API that connects multiple Microsoft services, enabling data access and automation across platforms
Additional Microsoft Entra services and features related to identity, access, and network security
Answer accepted by question author
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 80%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETB%3C/text%3E%3C/svg%3E)
If you want create a service account Cloud only in Entra ID , yu should shoose a non federated domain (xxxx.onmicrosoft.com) to bypass federation redirection for service account authentication:
If the service account is a synced account , it will be redirected to federation service for authentication.
Please don't forget to accept helpfull answer
I see, so you said that - "If the service account is a synced account, it will be redirected to federation service for authentication." In that case, I guess, he won't be able to log in (because he will have to enter interactively his credentials to the WAP). Am I right?
If I am not right, what authentication method will be used (ADFS + ROPC) ?
Yes. From My point of view , if you need a service account to be used on service in Azure you should use a cloud only account. The service account created in on-premise active directory should be used only on on-premise service.
When you create a service account cloud only in Entra ID you should also disable MFA authentication.
Please don't forget to accept helpful answer
So, in case that service account is a synced account -> The service account just will try to log in to the adfs login page and get stuck.in case we set it as a cloud user, it signs in as ROPC. Thanks!
So, in case that service account is a synced account -> The service account just will try to log in to the adfs login page and get stuck.in case we set it as a cloud user, it signs in as ROPC.
Thanks!