SSO experience for migrated user to O365 from Exchange 2013 on prem (for Outlook 2013, 2016), in hybrid scenario, with password hash synchronization.

Hello Experts. My org has Exchange 2013 Enterprise, with MB and CAS roles on all Exchange servers, CU19. AD is Windows 2012 R2, for both domain and forest functional level. We are thinking of migrating to O365 for email, with a hybrid migration, using password hash synchronization.
I have a few questions below.

1. My understanding is, for a user whose mailbox has been migrated to O365, their Outlook will connect to Exchange Online using MAPI over HTTP with basic authentication. Will this not result in a credential popup for the user in Outlook when their password changes/expires? We would like an SSO experience for users.

2. I have read that Modern Authentication can be used to have a migrated user's Outlook not connect to Exchange Online using basic authentication; this will fix the prompt issue. I know Outlook 2016 is enabled for modern auth, and O365 now comes with modern auth. Will this have any effect on on-prem users, in terms of their Outlook connection/authentication to on-prem? Will this result in on-prem users' Outlook going to the Azure token server to get authenticated as well, like in hybrid modern authentication? Which is not what I want.

3. What is the difference between modern authentication and hybrid modern authentication? For HMA, it mentions this change will affect all on-prem mailboxes as well as Exchange Online mailboxes, going to the Azure token server for authentication to anything for both on-prem and cloud. Which is not what I want at this stage.

I would just like an SSO experience with password hash sync in a hybrid environment for users we migrate to O365.

Please help me with the answers. Thank you.
Newguy 123 Asked:

Todd Nelson, Systems Engineer, Commented:
"I would just like SSO experience with pass hash sync in hybrid env for users we migrate to O365."

Seamless single sign-on (SSSO) with pass-through authentication (PTA) has the benefits of AD FS without all of the required servers (you only need one). However, SSSO with PTA still has one large caveat: if the internet connection between your DCs and O365 goes down, then no one is going to be able to log in to access the O365 resources.

SSSO with password hash sync is still a great option because it works even if the internet connection between your DCs and O365 goes down. The recent testing I've done indicates that it works much more like AD FS and SSSO/PTA than before, in that there are no logins or prompts for credentials--it uses the credentials of the currently logged on user.

With that said, both solutions will need to add the following URLs to the local intranet zone of IE or other browsers.


To get this working you will need to ensure you have AAD Connect version 1.1.654.0 (at a minimum). Then, follow the SSSO Quick Start Guide to enable either SSSO with PTA or SSSO with PHS.
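An added readiness check for the two prerequisites the answer names (not code from the answer or from Microsoft): it reads the installed AAD Connect version from the uninstall registry and tests whether a given hostname is already assigned to the Local intranet zone, either by a per-user/per-machine ZoneMap entry or by the "Site to Zone Assignment List" policy. The hostname is a parameter because the answer's URL list did not survive on this page; `autologon.example.invalid` below is a placeholder, not the real SSSO endpoint.

```powershell
# Added example, not part of the original answer. Run in an elevated PowerShell
# on the AAD Connect server (version check) and on a client PC (zone check).
$MinimumAadConnect = [version]'1.1.654.0'   # minimum version stated in the answer

function Get-AadConnectVersion {
    # Installed version from the Windows uninstall registry (both 32/64-bit views)
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $app = Get-ItemProperty $keys -ErrorAction SilentlyContinue |
           Where-Object { $_.DisplayName -like 'Microsoft Azure AD Connect*' } |
           Select-Object -First 1
    if ($app) { [version]$app.DisplayVersion } else { $null }
}

function Test-IntranetZone {
    param([Parameter(Mandatory)][string]$HostName)
    # IE/Edge store manual entries as ZoneMap\Domains\<domain>\<subdomain>, DWORD https = 1 (Local intranet)
    $parts  = $HostName.Split('.')
    $domain = ($parts[-2..-1]) -join '.'
    $sub    = if ($parts.Count -gt 2) { ($parts[0..($parts.Count - 3)]) -join '.' } else { $null }
    $base   = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    $path   = if ($sub) { "$base\$domain\$sub" } else { "$base\$domain" }
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $v = Get-ItemProperty "$hive\$path" -Name https -ErrorAction SilentlyContinue
        if ($v -and $v.https -eq 1) { return $true }
    }
    # Group Policy "Site to Zone Assignment List": ZoneMapKey, value name = URL, data = zone number
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $p = "$hive\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"
        $v = Get-ItemProperty $p -ErrorAction SilentlyContinue
        if ($v) {
            foreach ($name in $v.PSObject.Properties.Name) {
                if ($name -like "*$HostName*" -and $v.$name -eq '1') { return $true }
            }
        }
    }
    return $false
}

# Usage: report both prerequisites. Replace the placeholder hostname with the
# SSSO endpoint from the Quick Start Guide before using this for real.
$ver = Get-AadConnectVersion
if ($ver -and $ver -ge $MinimumAadConnect) { "AAD Connect $ver: OK" }
else { "AAD Connect $ver: below minimum $MinimumAadConnect (or not installed here)" }
"Intranet zone entry present: " + (Test-IntranetZone -HostName 'autologon.example.invalid')
```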

Todd Nelson, Systems Engineer, Commented:
Sufficient guidance provided for resolution.