ADFS configuration help

Messugga

Honorary Master
Joined
Sep 4, 2007
Messages
12,746
The company I work for makes use of Office 365 for providing emails and such.
What we'd like to get up and running though, is a federated (I may be wrong here?) server, sitting in our office, for local authentication in the event of our internet connection becoming unavailable, for example.

We also have a couple of web servers, that we'd like to enable Domain Authentication on (I believe this would also be a federated server).

I'm struggling to find current information on this, as well as information on how to sync to the local server, for example, from Office 365. There is lots of information available to assist with the migration from a local server to Office 365, but not much else.

Can anybody help out? Is what I want possible, and if so, where do I start? If anybody is open to some freelance work, to get this up and running, that's an option I'm open to as well.
 

TheRedBar0n

Senior Member
Joined
Apr 10, 2012
Messages
650
O365 will need to contact your ADFS for authentication; even if you have a local ADFS server, it needs to be public facing for O365 to reach it for SSO. So if your internet goes down, services will be down. Not sure if there have been any advancements since I implemented this a few years back, but I know this is one of the pitfalls. Would be interesting to see other replies and other suggestions on this.

Maybe look into getting fibre with a decent SLA guaranteeing at least high uptime?
 

Messugga

Honorary Master
Joined
Sep 4, 2007
Messages
12,746
Interesting. I was hoping to leverage off of O365 as I understood that it has its own AD functionality. Alternatively, I guess we should look at an Azure hosted AD server that pushes credentials through to the local server as well as O365.
 

Messugga

Honorary Master
Joined
Sep 4, 2007
Messages
12,746
Okay cool. I'm willing to sacrifice SSO in exchange for the thing actually working.
DirSync is server -> O365 though, right?
As we started off with O365, we have a bunch of users on there already. Is there a way of syncing them back to the server? I'm also a bit nervous about losing user emails, having never done something like this before.
I suppose a full backup of email accounts would be in order.
 

TheRedBar0n

Senior Member
Joined
Apr 10, 2012
Messages
650
DirSync will run on Azure, this nicely sums this up:

https://technet.microsoft.com/en-us/library/dn635310.aspx

And then basically you will merge your users by using the same UPN if I recall correctly.

Quick search came up with this:

http://www.ivchenko.pro/Blog/Post/23/Merging-on-premises-and-Office-365-users
and
https://syscloudpro.com/2016/08/04/...-in-office-365-with-on-premise-user-accounts/

I suggest doing some research and testing with your own test AD user when it comes to adjusting the UPN etc.
 

TheRedBar0n

Senior Member
Joined
Apr 10, 2012
Messages
650
Okay cool. I'm willing to sacrifice SSO in exchange for the thing actually working.
DirSync is server -> O365 though, right?
As we started off with O365, we have a bunch of users on there already. Is there a way of syncing them back to the server? I'm also a bit nervous about losing user emails, having never done something like this before.
I suppose a full backup of email accounts would be in order.

Made a bit of a quick reply earlier, but will try to answer those questions:

DirSync is server -> O365 though, right?
- Correct, DirSync would sit on your Azure VM or on premise for example and synchronize your AD accounts to Office 365.

As we started off with O365, we have a bunch of users on there already. Is there a way of syncing them back to the server?
- No need to sync them back, you just need to ensure you have AD accounts for each of those users and make sure their UPNs or SMTP aliases match (AD remediation should be done). This will ensure that the correct on-premise account is synchronized to the correct already existing O365 user. I would strongly suggest that you do some testing first in this regard, so plan a decent amount of time for a 'maintenance weekend' and document of course.

I'm also a bit nervous about losing user emails, having never done something like this before.
I suppose a full backup of email accounts would be in order.

- Those mailboxes will be linked to the O365 licensed users, even after a directory sync is done and your local domain's UPN is added under the dropdown UPNs of existing users (ideally you'd want this). But, if you can back up those mails, do it. Better to be safe than sorry.

Just to add, if you want to go SSO using ADFS + DirSync in the future from only using DirSync, it can be done.

This is an excellent MS blog entry explaining in detail how to prepare for your first DirSync (pretty much covers most of your questions):
https://blogs.office.com/2014/04/15/synchronizing-your-directory-with-office-365-is-easy/

Would be interested to see if anyone else has some tips.
 
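The "AD remediation" step described in the reply above (making sure each on-premise account's UPN or primary SMTP address matches the existing Office 365 user so the first sync matches the right accounts) is easy to get wrong silently. The following is an added example, not code from the thread or from Microsoft: a PowerShell check that reports, per on-premise user, whether the UPN suffix is a domain verified in the tenant and whether the account will match a cloud user by UPN, by primary SMTP only, or not at all. The domain names, user objects and cloud UPN list are constructed sample data; the commented-out Get-ADUser, Get-MsolUser and Get-MsolDomain lines show where real cmdlet output would replace them.

```powershell
# Added example (not from the thread): pre-sync UPN/SMTP remediation report.
# Run it in a test AD first, as the reply suggests, before the first DirSync.

function Test-UpnRemediation {
    param(
        [Parameter(Mandatory)] [object[]] $OnPremUsers,      # SamAccountName, UserPrincipalName, ProxyAddresses
        [Parameter(Mandatory)] [string[]] $CloudUpns,        # UPNs that already exist in the O365 tenant
        [Parameter(Mandatory)] [string[]] $VerifiedDomains   # domains verified in the tenant
    )

    # Case-insensitive lookup of existing cloud UPNs
    $cloudSet = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    foreach ($u in $CloudUpns) { [void]$cloudSet.Add($u) }

    foreach ($user in $OnPremUsers) {
        $upn    = $user.UserPrincipalName
        $suffix = if ($upn -and $upn.Contains('@')) { $upn.Split('@')[1] } else { $null }

        # Primary SMTP address is the proxyAddresses entry with an uppercase "SMTP:" prefix
        $primarySmtp = ($user.ProxyAddresses |
            Where-Object { $_ -clike 'SMTP:*' } |
            Select-Object -First 1) -replace '^SMTP:', ''

        $status = if (-not $upn)                                   { 'MissingUPN' }
                  elseif ($VerifiedDomains -notcontains $suffix)   { 'UnverifiedSuffix' }   # e.g. corp.local
                  elseif ($cloudSet.Contains($upn))                { 'UPNMatch' }
                  elseif ($primarySmtp -and $cloudSet.Contains($primarySmtp)) { 'SmtpMatchOnly' }
                  else                                             { 'NewCloudUser' }

        [pscustomobject]@{
            SamAccountName = $user.SamAccountName
            UPN            = $upn
            PrimarySmtp    = $primarySmtp
            Status         = $status
        }
    }
}

# Constructed sample data. In a real run these would come from:
#   $onPrem  = Get-ADUser -Filter * -Properties UserPrincipalName, ProxyAddresses
#   $cloud   = (Get-MsolUser -All).UserPrincipalName
#   $domains = (Get-MsolDomain | Where-Object Status -eq 'Verified').Name
$onPrem = @(
    [pscustomobject]@{ SamAccountName = 'alice';      UserPrincipalName = 'alice@example.com'; ProxyAddresses = @('SMTP:alice@example.com') },
    [pscustomobject]@{ SamAccountName = 'bob';        UserPrincipalName = 'bob@corp.local';    ProxyAddresses = @('SMTP:bob@example.com') },
    [pscustomobject]@{ SamAccountName = 'carol';      UserPrincipalName = 'carol@example.com'; ProxyAddresses = @('SMTP:c.jones@example.com') },
    [pscustomobject]@{ SamAccountName = 'svc-backup'; UserPrincipalName = '';                  ProxyAddresses = @() }
)
$cloud   = @('alice@example.com', 'bob@example.com', 'c.jones@example.com')
$domains = @('example.com')

$report = Test-UpnRemediation -OnPremUsers $onPrem -CloudUpns $cloud -VerifiedDomains $domains
$report | Format-Table -AutoSize

# Everything that is not a clean UPN match needs attention before the first sync
$report | Where-Object Status -ne 'UPNMatch'
```

With the sample data, alice is a clean match, bob has a non-routable UPN suffix that must be changed to the verified domain before he will match his existing mailbox, carol would match only by SMTP address (worth fixing the UPN so the match is unambiguous), and the service account has no UPN and would be created as a new cloud object unless it is filtered out of the sync scope.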