Keep ADFS functioning if on-prem DCs are unavailable

SomeName-4319 1 Reputation point
2022-03-25T19:45:37.85+00:00

I have been tasked with getting SSO working for a few of our vendors (none have an Azure enterprise app), so ADFS I am thinking. I have an on-prem domain with Azure AD sync configured for our Azure tenant, Office 365 only. I was getting ready to map out the project when the project changed. I need to have the ability for my users to log in to our vendor sites using SSO if connectivity to my DCs goes down. To achieve my goal of SSO with some kind of failover I am thinking AADDS (or would building out an Azure VM DC\VPN solution be better?) and running an ADFS VM in Azure. Would this work? Is there another way to keep logins working if connectivity to my on-prem DCs goes down? Also, I am thinking the Azure VM DC will not work because of the VPN requirement; I have many remote users.

How to keep SSO logins working if on-prem DCs are unavailable?


2 answers

  1. Devaraj G 2,091 Reputation points
    2022-03-27T14:04:28.133+00:00

    Hi Some, thanks for posting.

    ADFS will not function without functional domain controllers, since the DCs are required to process the claim request.

    If it is an internal app, you should be able to leverage app registration to hook the application with AAD.


  2. SomeName-4319 1 Reputation point
    2022-03-29T14:32:54.237+00:00

    I cannot use AADDS to fulfil the claim request? I have to have a DC?