AD FS Best Practice for Single Forest Multiple Domain Configuration

asantia
asantia used Ask the Experts™
on
I will be setting up an AD FS farm in order to link to SharePoint Online (part of Office 365).

We have a single-forest AD environment with three (3) child domains under the root forest domain.
The root forest domain isn't used except for a few management accounts.
All three child domains have users that will need to access our single SharePoint Online instance.

I believe my best course of action will be to setup the AD FS farm under the root forest domain since it has trusts to all its child domains.
I'll be installing an AD FS server as well as a WebProxy server and then federating to the Azure AD that SharePoint Online requires.


What would be the best way to ensure all users within the three child domains can log into SharePoint Online?
I believe I'll have to modify some of the claims from the default in order to achieve this.

Any direction/best practices/general help would be appreciated.

Thanks.
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Saif ShaikhServer engineer

Commented:
"I believe my best course of action will be to setup the AD FS farm under the root forest domain since it has trusts to all its child domains".

Yes.

1. The domain to which the AD FS servers are joined must trust every domain or forest that contains users authenticating to the AD FS service.
2. The forest, that the AD FS service account is a member of, must trust all user login forests.
3. The AD FS service account must have permissions to read user attributes in every domain that contains users authenticating to the AD FS service.

Configuring Multi-Domain Support with Azure/Office 365 and ADFS is explained below:
https://www.msazureteam.com/?p=32

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial