ADFS authentication to Office 365, for both on-prem and cloud users.

Hello Experts. I have Exchange 2013 CU19 in my environment with AD 2012 R2. We are thinking of migrating mailboxes to Office 365. I am thinking of leveraging our ADFS 3.0 infrastructure for SSO. I know when a user's mailbox is migrated to O365, and after the cut-over, they are prompted to restart their Outlook; after the first restart, Outlook also prompts them for credentials. This is normal behaviour, as the user now needs to authenticate against Exchange Online.

With ADFS, even this first credentials prompt for the user should not appear, and ADFS will provide full Seamless SSO. My question is: we have multiple accepted domains in our on-prem Exchange, and for reasons, we cannot add/verify all the domains at once in O365. So if a user on-prem has delegation access to a migrated user's mailbox (that exists in O365), they will also get a prompt to restart their Outlook, and will receive a cred prompt from Outlook the first time. Will ADFS be able to authenticate the on-prem user as well to Exchange Online? Or will we be required to add all of our accepted domains to O365/Azure for ADFS to authenticate both on-prem and cloud users?
Newguy 123 asked:
FOX (Active Directory/Exchange Engineer) commented:
1. All of your accepted domains should be added to o365
2. Users who have access to shared mailboxes should be either homed on prem together or migrated together to o365
Todd Nelson (Systems Engineer) commented:
"ADFS will provide full Seamless SSO"

Just so we are on the same page: "Seamless SSO is not applicable to Active Directory Federation Services (ADFS)."  Seamless SSO and AD FS are very different but act similarly.  You can use either one or the other, but not both.

Reference...
Senior IT System Engineer (IT Professional) commented:
I believe this is applicable to your problem: http://jackstromberg.com/2016/06/enable-sso-single-sign-on-to-on-premises-exchange-owa-outlook-web-access-via-azure-ad-application-proxy/

Let us know how it goes after the implementation.
Aaron Guilmette (Technology Solutions Professional) commented:
There are multiple different pieces to this thread:
"And for reasons, we cannot add/verify all the domains at once in O365"

We're going to tackle this one first.  If the domains aren't added and verified in Office 365 (meaning "we verify that you own the domains"), you won't be able to migrate users to Office 365 who have proxy addresses matching those domains, and there are a number of pieces that will not work right:  

a) We recommend UPN/primary SMTP address parity (matching), so that both the Outlook autodiscover process and sign-on experiences provide the most seamless and hassle-free experience.  While it's possible to deploy without them matching, it generates a lot of service desk calls and generally makes people dissatisfied with the experience.  
b) If you license a user whose proxyAddresses list contains proxy addresses that are not verified in Office 365 and then migrate the mailbox, the addresses matching non-verified domains will be silently dropped, meaning that users will lose proxy addresses not added to Office 365.  
c) If you attempt to migrate users whose proxyAddresses lists contain proxy addresses that are not verified in Office 365 before licensing them, your migration will fail with an error that Office 365 doesn't contain a matching domain for the user.
d) Domains that are not included in the Hybrid Configuration Wizard will be treated as "external" and flow through the external MX record entries as opposed to using the internal Office 365 hybrid mail flow connector.  One of the impacts this has is that if you attempt to schedule a meeting containing a room mailbox cross-premises, the meeting request will be seen as out-of-org and the room will never accept the meeting.

"With ADFS, even this first credentials prompt for the user should not appear, and ADFS will provide full Seamless SSO."

As long as it is configured correctly (such as IWA working, supported versions of Office applications, internal AD FS farm endpoint included in the LOCAL INTRANET ZONE (NOT Trusted Sites)), yes, that is true.  It should just "work."  The "seamless" experience is best with AD FS, but not to be confused with "Seamless SSO," which is a feature of Azure AD Connect in conjunction with Password Hash or Pass-Through authentication.  We've used a lot of similar terms, so it's important to always make sure we're talking about the same thing.  Azure AD Connect Pass-through authentication with seamless SSO is only viable with at least version 16.0.8730 of the Office ProPlus applications, as I referenced in a blog post last month: https://blogs.technet.microsoft.com/undocumentedfeatures/2018/04/04/change-from-ad-fs-authentication-to-seamless-sso/.  Pass-through authentication will only work for modern authentication applications, such as Office 2013+ with ADAL/Modern Authentication enabled.

"So if a user on-prem has delegation access to a migrated user's mailbox (that exists in O365), they will also get a prompt to restart their Outlook, and will receive a cred prompt from Outlook the first time. Will ADFS be able to authenticate the on-prem user as well to Exchange Online? Or will we be required to add all of our accepted domains to O365/Azure for ADFS to authenticate both on-prem and cloud users?"

There's a lot of stuff in this one.  First, AD FS isn't authenticating anything against your local Exchange environment.  AD FS is *only* authenticating on-premises users for consuming resources in Azure AD and Office 365.  As long as you have delegated Full Access, cross-premises mailbox permissions should work.  There are a lot of caveats, but since locating mailboxes requires working autodiscover cross-premises and follows the organization relationship, you'll need them verified in Office 365 and added to the Exchange federation trust (completed during the Exchange hybrid configuration wizard).  If you don't have all of your domains verified in Office 365, I think you're going to run into intermittent problems that CSS/Premier will tell you "aren't supported."
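Points a) through c) above describe two pre-migration conditions an admin can check before licensing or moving a single mailbox: every SMTP proxy address must sit on a domain verified in the tenant (otherwise the alias is silently dropped or the move fails), and UPN should match the primary SMTP address. The PowerShell below is an added example, not code from this thread or from Microsoft; it runs against constructed sample user objects and a constructed verified-domain list, and the comments show the real cmdlets (Get-ADUser from the ActiveDirectory module, Get-AzureADDomain from the AzureAD module) you would feed it from in a live environment. The function names Find-UnverifiedProxyAddresses and Get-UpnSmtpMismatch are my own.

```powershell
# Added example, not from the original thread. Flags proxy addresses on domains
# that are not verified in the tenant, and UPN / primary SMTP mismatches.
# Sample data below is constructed; for a real run use (assumed module cmdlets):
#   $users    = Get-ADUser -Filter 'mail -like "*"' -Properties proxyAddresses, UserPrincipalName
#   $verified = (Get-AzureADDomain | Where-Object IsVerified).Name

function Find-UnverifiedProxyAddresses {
    [CmdletBinding()]
    param(
        # Objects exposing SamAccountName and proxyAddresses (as Get-ADUser returns them)
        [Parameter(Mandatory)] [object[]] $Users,
        # Domain names verified in the Office 365 tenant
        [Parameter(Mandatory)] [string[]] $VerifiedDomains
    )
    $verified = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    foreach ($d in $VerifiedDomains) { [void]$verified.Add($d) }

    foreach ($u in $Users) {
        foreach ($addr in $u.proxyAddresses) {
            # Only SMTP entries matter here; X500:, sip:, etc. are skipped.
            # Upper-case "SMTP:" marks the primary address, lower-case "smtp:" an alias.
            if (-not ($addr -match '^smtp:(.+)@([^@]+)$')) { continue }
            $domain = $Matches[2]
            if (-not $verified.Contains($domain)) {
                [pscustomobject]@{
                    SamAccountName = $u.SamAccountName
                    ProxyAddress   = $addr
                    Domain         = $domain
                    IsPrimary      = [bool]($addr -cmatch '^SMTP:')
                    # Per the thread: dropped if the user is licensed first,
                    # migration error if the mailbox is moved before licensing.
                    Risk           = 'Unverified domain: alias dropped or move fails'
                }
            }
        }
    }
}

function Get-UpnSmtpMismatch {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [object[]] $Users)
    foreach ($u in $Users) {
        $primary = $u.proxyAddresses | Where-Object { $_ -cmatch '^SMTP:' } | Select-Object -First 1
        if (-not $primary) { continue }
        $primary = $primary -replace '^SMTP:', ''
        if ($u.UserPrincipalName -ne $primary) {
            [pscustomobject]@{
                SamAccountName    = $u.SamAccountName
                UserPrincipalName = $u.UserPrincipalName
                PrimarySmtp       = $primary
                Risk              = 'UPN/primary SMTP parity missing: autodiscover and sign-in prompts'
            }
        }
    }
}

# --- Constructed sample data (not real tenant or directory output) ---
$sampleVerifiedDomains = @('contoso.com', 'contoso.onmicrosoft.com')
$sampleUsers = @(
    [pscustomobject]@{ SamAccountName = 'alice'; UserPrincipalName = 'alice@contoso.com'
        proxyAddresses = @('SMTP:alice@contoso.com', 'smtp:alice@fabrikam.com',
                           'X500:/o=First Organization/ou=Exchange Administrative Group/cn=Recipients/cn=alice') }
    [pscustomobject]@{ SamAccountName = 'bob';   UserPrincipalName = 'bob@contoso.local'
        proxyAddresses = @('SMTP:bob@fabrikam.com', 'smtp:bob@contoso.com') }
    [pscustomobject]@{ SamAccountName = 'carol'; UserPrincipalName = 'carol@contoso.com'
        proxyAddresses = @('SMTP:carol@contoso.com') }
)

# Expected on the sample: alice's fabrikam.com alias and bob's primary fabrikam.com
# address are flagged; bob is also flagged for UPN/primary SMTP mismatch; carol is clean.
Find-UnverifiedProxyAddresses -Users $sampleUsers -VerifiedDomains $sampleVerifiedDomains | Format-Table -AutoSize
Get-UpnSmtpMismatch -Users $sampleUsers | Format-Table -AutoSize
```

Run the two functions against the full user population before enabling hybrid or assigning licenses; a non-empty result from the first one is exactly the situation the thread says leads to dropped aliases or failed moves, and the fix is to verify the domain in the tenant (or remove the alias deliberately) rather than to migrate around it.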
