AD Connect, change from PHS to Federation with AD FS - what's the impact?

J Slack 41 Reputation points
2021-02-05T17:18:19.383+00:00

Hi,

A customer was starting a rollout of O365 and wanted to use an on-prem ADFS solution for this.

I followed through what I had learnt when I did my O365 MCSA and some guides, built the ADFS server farm and proxies and then federated O365 with this farm.

All works great, exactly as planned and expected. Though a couple of the things I read when I set this up said to leave the user sign-in as Password Hash Sync, which we did.

Currently all working great, no issues.

However, the customer would also like to do Hybrid Azure AD Join, which is only available if we change AD Connect from Password Hash Sync to Federated with AD FS.

The process of making that change within AD Connect is easy, I am not concerned about doing it and I have no questions there. However, what is the expected user impact when we make this change?

This is my question please: Would users see anything different? Or would current logins become invalid and all users need to re-authenticate when we make the change? Any impact?

Any advice would be great.

Kind regards

James

Microsoft Entra ID

1 answer

  1. VipulSparsh-MSFT 16,256 Reputation points Microsoft Employee
    2021-02-08T05:04:12.507+00:00

    @J Slack In normal scenarios for Office 365 authentication, when a domain is federated with ADFS, it is most likely that federation will be used as the medium of login. Password hash sync is used mostly as a backup resource for ADFS.
    In your scenario, it seems you have configured ADFS but are still using Password hash sync for Office 365; you might be using ADFS for other relying parties.

    Coming to your concern, if you change the login method to ADFS, after the users' current valid session they will be redirected to the ADFS page for authentication, and this would be a different page than they normally see.
    They would see something like this, where it takes them to your on-prem ADFS sign-in page for auth:

    [screenshot: on-premises AD FS sign-in page]

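The checks below are an added example, not code from the thread or from Microsoft. They show, from the admin's side, what actually flips when the Azure AD Connect sign-in method is changed from Password Hash Sync to Federation with AD FS (the domain's Authentication property goes from Managed to Federated, and the tenant starts redirecting to the farm's PassiveLogOnUri), and the two things a practitioner would verify around that change: that password hash sync stays on as the fallback the answer describes, and that the Office 365 relying-party trust exists on the farm. Assumed: the MSOnline module (connected with Connect-MsolService) and the ADSync module are available on the AD Connect server, the AD FS cmdlets are run on a farm member, `contoso.com` is a placeholder for the customer's verified domain, and the trust name is the default one AD Connect creates.

```powershell
# Added example (not part of the original thread). Pre/post checks for switching a
# verified domain from Password Hash Sync (Managed) to federation with AD FS.
# Assumptions: MSOnline + ADSync modules on the AD Connect server, Connect-MsolService
# already run, AD FS cmdlets run on a farm member; names below are placeholders.

$domain = 'contoso.com'   # placeholder: the customer's verified, federated-to-be domain

# 1. Record the domain state BEFORE running the AD Connect "Change user sign-in" task.
#    A PHS domain reports Authentication = Managed; after the change it reports Federated.
$before = Get-MsolDomain -DomainName $domain | Select-Object Name, Authentication, Status
Write-Output "Before: $($before.Name) Authentication=$($before.Authentication) Status=$($before.Status)"

# 2. Confirm password hash sync is still enabled on the connector, so it remains
#    available as the backup for AD FS if the farm or proxies become unreachable.
$features = Get-ADSyncAADCompanyFeature
if (-not $features.PasswordHashSync) {
    Write-Warning 'PasswordHashSync is disabled on this connector; enable it before federating so a fallback exists.'
}

# 3. On an AD FS farm member: check the Office 365 relying-party trust is present and enabled.
$rpName = 'Microsoft Office 365 Identity Platform'   # default name created by AD Connect
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if ($null -eq $rp) {
    Write-Warning "Relying party trust '$rpName' not found on this farm."
} else {
    $rp | Select-Object Name, Enabled, Identifier, MetadataUrl
}

# 4. AFTER the AD Connect wizard completes: verify the domain is now Federated and that
#    the tenant's federation endpoints point at this farm, not somewhere unexpected.
$after = Get-MsolDomain -DomainName $domain | Select-Object Name, Authentication
if ($after.Authentication -eq 'Federated') {
    Get-MsolDomainFederationSettings -DomainName $domain |
        Select-Object IssuerUri, PassiveLogOnUri, ActiveLogOnUri, MetadataExchangeUri, FederationBrandName
} else {
    Write-Warning "$domain still reports Authentication=$($after.Authentication); federation did not apply."
}

# 5. User impact, as the answer describes: sessions that are already valid keep working;
#    the next interactive sign-in for the domain is redirected to PassiveLogOnUri, i.e. the
#    on-prem AD FS sign-in page. Confirm from a test workstation that the browser lands there.
```

Run steps 1 and 2 on the AD Connect server before the change, step 3 on an AD FS server, and step 4 on the AD Connect server after the wizard finishes. If step 4 shows a PassiveLogOnUri that is not your farm's /adfs/ls/ endpoint, stop and investigate before letting users hit it.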