This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(76.8, 26%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESR%3C/text%3E%3C/svg%3E)
I've been told 2 way sync of AD connect is not possible which means it probably doesn't do anything of what I need it to do. How do modern configurations connect AD DS + Azure AD (Office 365 E3) services if AD connect cannot do a 2 way sync?
My goal is to get Windows Hello for Windows 10/11 login connected to Azure AD and the local DS so that users login to a profile already connected to their Azure AD office.com work/school account. While also being able to configure group policy.
Is this possible? It seems like a really basic configuration. I was looking at AD FS but I'm not sure that's the right path either.
How do my users login to a domain and then not have to sign in again to their Microsoft Office 365 accounts in Windows 10/11 account settings?
I appreciate your time, thank you.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(272, 79%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
I can give you some details regarding your use case :
Hello,
I think these articles can help you achieve what you want :
You don't need AD FS to allow access to M365 services when they login on their corporate computers, you have to configure seamless SSO :
https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso
This decision tree will help you choose the best method depending on what you want to achieve :
https://learn.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn#decision-tree
So it sounds like that instead of doing password hash sync I should do pass-through authentication with seamless SSO. How would new users be created then? If AD Connect doesn't import the full user into AD DS, how do I assign group policies?
I'm going to have to do more reading but if you can give me any more details, I'd sincerely appreciate it.
If you decide that your computers will only be Azure AD Join you will have to use "Endpoint manager" or another third-party MDM to manage their settings :
https://learn.microsoft.com/en-us/mem/intune/configuration/administrative-templates-windows
If you choose hybrid azure ad join you can use "Endpoint manager" or GPO. The advantage of Endpoint manager is that even if the computer is not in the corporate network or connected via VPN you can still apply settings (The only dependency is that the computer need to be connected on Internet)
