Newguy 123
asked on
ADFS authentication to Office 365, for both on-prem and cloud users.
Hello Experts. I have Exchange 2013 CU19 in my environment with AD 2012 R2. We are thinking of migrating mailboxes to Office 365. I am thinking of leveraging our ADFS 3.0 infrastructure for SSO. I know that when a user's mailbox is migrated to O365, and after the cut-over, they are prompted to restart their Outlook; after the first restart, Outlook also prompts them for credentials. This is normal behaviour, as the user now needs to authenticate against Exchange Online.
With ADFS, even this first credentials prompt for the user should not appear, and ADFS will provide full Seamless SSO. My question is: we have multiple accepted domains in our on-prem Exchange, and for reasons, we cannot add/verify all the domains at once in O365. So if a user on-prem has delegation access to a migrated user's mailbox (that exists in O365), they will also get a prompt to restart their Outlook, and will receive a credential prompt from Outlook the first time... Will ADFS be able to authenticate the on-prem user as well to Exchange Online? Or will we be required to add all of our accepted domains to O365/Azure for ADFS to authenticate both on-prem and cloud users?
ADFS will provide full Seamless SSO
Just so we are on the same page: "Seamless SSO is not applicable to Active Directory Federation Services (ADFS)." Seamless SSO and AD FS are very different but act similarly. You can use either one or the other, but not both.
Reference...
I believe this is applicable to your problem: http://jackstromberg.com/2016/06/enable-sso-single-sign-on-to-on-premises-exchange-owa-outlook-web-access-via-azure-ad-application-proxy/
Let us know how it goes after the implementation.
ASKER CERTIFIED SOLUTION
2. Users who have access to shared mailboxes should either be homed on-prem together or migrated together to O365.