This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 23%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAK%3C/text%3E%3C/svg%3E)
Hello,
I am new to Active directory concepts, so pls pardon my lack of knowledge. Could you please help me in finding answers for following questions?
AD FS and AD DS roles are installed on same machine both in on premise and Azure. With ADFS, On premise user are authenticated by on-premise Active directory and cloud users are authenticated by Active directory hosted in a Azure VM and there is no need of password sync or password through (PTA). Federated domains are not ** supposed to have **one/two trust or have parent child relationship.
Q1: Is my understanding about ADFS correct?
When you install AD Connect, there is a option called Federation with AD FS. As password sync is not expected..
**Q2. What does AD Connect do for federated domains? **
Q3. Why Do we need AD Connect in this case? AD connect can sync passwords from on premise to Azure AD which can be synced to Azure AD DS, not the AD DS hosted on Azure VM...I think ?
Q4. Is it true that AD Connect can not be used for password syncing between on-premise domain controllers or between on-premise domain and ADDS hosted on Azure VMs ?
I got confused after seeing AD Connect sync status enabled on my employer Azure AD which is federated and reading this "You can federate your on-premises environment with Azure AD and use this federation for authentication and authorization. This sign-in method ensures that all user authentication occurs on-premises." Pls see snaps below.
Appreciate your insightful response, thank you !!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 8%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Q1:
Once you are federated using ADFS all authnetication happens at ADFS for on-prem synced users.
For cloud-only users, AuthN happens at Azure AD.
No need for a trust/parent-child relationship is needed for the Federated AuthN model.
Federated AuthN is one of the Authentication models, the other two being PTA and PHS.
When you install AD Connect, there is a option called Federation with AD FS. As password sync is not expected..
Q2. What does AD Connect do for federated domains?
Federated AuthN is one of the Authentication models, the other two being PTA and PHS.
Picking the Federated option in Azure AD connect will set the domain flag as federated rather than managed at Azure AD, It would set Azure AD to send back the user AuthN back to ADFS.
Q3. Why Do we need AD Connect in this case? AD connect can sync passwords from on premise to Azure AD which can be synced to Azure AD DS, not the AD DS hosted on Azure VM...I think ?
Q4. Is it true that AD Connect can not be used for password syncing between on-premise domain controllers or between on-premise domain and ADDS hosted on Azure VMs ?
I see some confusion in the question,
Azure AD connect will help you sync user + password hashes.
ADDS hosted on Azure VM - Referring to Azure ADDS service?
Thank you @arunnano for helpful response.
I got the answers for Q1, Q2 and Q3.
Regarding Q4, In Azure there is a service called Azure AD Domain Services and we can also installed AD DS components on a Azure VM. I wanted to ask in Q4 if AD Connect can sync the passwords to ADDS hosted on Azure VM. I understand AD Connect supports password syncing from Azure AD to Azure AD Domain Services via synchronization mechanism as shown in following snap. Another part of that question is can AD Connect sync from on premise AD to Azure AD hosted on a VM without Azure AD sitting between them. Chances are less, but I was wanted to be clear.
Q4. Is it true that AD Connect can not be used for password syncing between on-premise domain controllers or between on-premise domain and ADDS hosted on Azure VMs ?
Request you to please clarify when you get time.
Got you,
Ref:
https://learn.microsoft.com/en-us/azure/active-directory-domain-services/synchronization
You cant sync directly from AD to Azure ADDS.
Path is AD-> Azure AD->Azure ADDS.
And the sync from Azure AD to Azure ADDS is automatic and you wont be using Azure AD connect there.
Thank you @arunnano for taking time to help - Glad to mark your response as answer !!