Local AD DS + Microsoft Office 365 E3 + Windows login, options for SSO

Shaun Rieman 41 Reputation points
2021-10-07T14:12:03.287+00:00

I've been told 2 way sync of AD connect is not possible which means it probably doesn't do anything of what I need it to do. How do modern configurations connect AD DS + Azure AD (Office 365 E3) services if AD connect cannot do a 2 way sync?

My goal is to get Windows Hello for Windows 10/11 login connected to Azure AD and the local DS so that users login to a profile already connected to their Azure AD office.com work/school account. While also being able to configure group policy.

Is this possible? It seems like a really basic configuration. I was looking at AD FS but I'm not sure that's the right path either.

How do my users login to a domain and then not have to sign in again to their Microsoft Office 365 accounts in Windows 10/11 account settings?

I appreciate your time, thank you.

Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,575 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,202 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,496 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Clément BETACORNE 2,031 Reputation points
    2021-10-07T14:51:42.027+00:00

    Hello,

    I think these articles can help you achieve what you want :

    You don't need AD FS to allow access to M365 services when they login on their corporate computers, you have to configure seamless SSO :
    https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso

    This decision tree will help you choose the best method depending on what you want to achieve :
    https://learn.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn#decision-tree


  2. Clément BETACORNE 2,031 Reputation points
    2021-10-07T20:14:50.23+00:00

    I can give you some details regarding your use case :

    • Windows Hello for Business (WHfB)
      If you only have 2016 domain controllers you should go to the hybrid key trust scenario
    • Computer management
      You should go hybrid azure ad like that you can still use your existing GPOs and it will be mandatory for WHfB hybrid
    • Azure AD Connect
      If you don't have a requirement to have authentication regarding cloud app to happen onpremise you should go for Password Hash Sync with seamless SSO
    0 comments No comments