asantia (United States of America)
AD FS Best Practice for Single Forest Multiple Domain Configuration

I will be setting up an AD FS farm in order to link to SharePoint Online (part of Office 365).

We have a single-forest AD environment with three (3) child domains under the root forest domain.
The root forest domain isn't used except for a few management accounts.
All three child domains have users that will need to access our single SharePoint Online instance.

I believe my best course of action will be to set up the AD FS farm under the root forest domain since it has trusts to all its child domains.
I'll be installing an AD FS server as well as a WebProxy server and then federating to the Azure AD that SharePoint Online requires.


What would be the best way to ensure all users within the three child domains can log into SharePoint Online?
I believe I'll have to modify some of the claims from the default in order to achieve this.

Any direction/best practices/general help would be appreciated.

Thanks.
Saif Shaikh (India)

"I believe my best course of action will be to setup the AD FS farm under the root forest domain since it has trusts to all its child domains".

Yes.

1. The domain to which the AD FS servers are joined must trust every domain or forest that contains users authenticating to the AD FS service.
2. The forest that the AD FS service account is a member of must trust all user login forests.
3. The AD FS service account must have permissions to read user attributes in every domain that contains users authenticating to the AD FS service.

Configuring Multi-Domain Support with Azure/Office 365 and ADFS is explained below:
https://www.msazureteam.com/?p=32
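The three requirements above can be checked from a host in the AD FS servers' domain before the farm is federated. The script below is an added example, not part of the answer or of any Microsoft tooling; it assumes the ActiveDirectory RSAT module is installed, that the AD FS service account is a regular domain user account whose credentials can be supplied interactively (not a gMSA), and that reading one user per domain is enough to prove the account's read access.

```powershell
# Added example: verify trust and read-permission prerequisites for a single-forest,
# multi-domain AD FS deployment. Assumes the ActiveDirectory module and a standard
# (non-gMSA) AD FS service account whose credentials are entered at the prompt.
Import-Module ActiveDirectory

$adfsDomain = (Get-ADDomain).DNSRoot   # domain the AD FS servers are joined to (forest root here)
$forest     = Get-ADForest
$svcCred    = Get-Credential -Message "AD FS service account credentials"

# Requirements 1 and 2: the AD FS servers' domain must trust every domain that holds users.
# Parent/child domains in one forest get automatic two-way transitive trusts; confirm they exist.
$trusts = Get-ADTrust -Filter * -Server $adfsDomain
foreach ($userDomain in ($forest.Domains | Where-Object { $_ -ne $adfsDomain })) {
    $t = $trusts | Where-Object { $_.Target -eq $userDomain }
    if ($t) {
        "{0}: trust from {1} present (Direction={2}, IntraForest={3})" -f `
            $userDomain, $adfsDomain, $t.Direction, $t.IntraForest
    } else {
        Write-Warning "$userDomain : no trust object found in $adfsDomain"
    }
}

# Requirement 3: the service account must be able to read user attributes in every domain.
# Read one user per domain with the attributes Office 365 federation relies on:
# userPrincipalName (login name) and objectGUID (base64-encoded as the ImmutableID claim).
foreach ($userDomain in $forest.Domains) {
    try {
        $u = Get-ADUser -Filter * -ResultSetSize 1 -Server $userDomain -Credential $svcCred `
                        -Properties userPrincipalName, objectGUID
        if (-not $u) { Write-Warning "$userDomain : no user objects returned"; continue }
        $immutableId = [Convert]::ToBase64String($u.ObjectGUID.ToByteArray())
        "{0}: read OK  sample UPN={1}  ImmutableID={2}" -f $userDomain, $u.UserPrincipalName, $immutableId
    } catch {
        Write-Warning "$userDomain : service account could not read users: $($_.Exception.Message)"
    }
}
```

A warning in the first loop means the trust relationship needs to be created or repaired before users from that domain can authenticate; a warning in the second loop means the service account lacks read access in that domain, which surfaces later as failed sign-ins for only that domain's users.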