Changing SSO authentication method from ADFS to ADConnect

Salves 501 Reputation points


today I have a server with the ADFS function that is used for SSO authentication for the O365 service.

We have ADConnect to synchronize users.

I need:

1 - Change the configuration so that SSO does not use ADFS and I know that ADConnect in the latest versions has this possibility.


  • When changing the ADConnect configuration, 0365 will no longer use ADFS authentication and will use direct authentication with ADConnect using the Internet (https). Am I right?
  • Do I need to publish ADConnect for internet?
  • I have one domain (root) and one (child domain) and I need the users that use 0365 to authenticate in the services using the credentials of the child domain. Some problem?

Thank you.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,505 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. VipulSparsh-MSFT 16,251 Reputation points Microsoft Employee

    @SandroAlves-7928 Thanks for reaching out to us. I can see you want to move away from ADFS and utilize Azure AD Connect for your authentication and SSO needs.

    You have 2 options within AAD Connect for your scenario :

    1) Pass through authentication (Authenticate against on-prem DC)
    User’s passwords are validated against on-premises Active Directory. This allows for on-premises policies, such as sign-in hour restrictions or account expiration, to be evaluated during authentication to cloud services.
    Pass-through Authentication uses lightweight agents deployed in the on-premises environment. The agents listen for password validation requests sent from Azure AD and don’t require any inbound ports to be open to the Internet to function. Passwords don’t need to be present in Azure AD in any form.

    You can read more about it here :

    2) Password Hash sync (Authenticate against Azure AD)
    Users password are synced from local AD to Azure AD, and Azure AD does further authentication.
    To synchronize your password, Azure AD Connect sync extracts your password hash from the on-premises Active Directory instance. Extra security processing is applied to the password hash before it is synchronized to the Azure Active Directory authentication service. Passwords are synchronized on a per-user basis and in chronological order.

    You can read more about PHS here :

    You can download a Migration guide from ADFS to PTA under Next Steps Section from this link.

    Also this FAQ page should help you with questions with which one to choose from :


    If the suggested response helped you resolve your issue, do click on "Mark as Answer" and "Up-Vote" for the answer that helped you for benefit of the community.

    1 person found this answer helpful.