SSO - What Are You Using and Why?
-
@scottalanmiller said in SSO - What Are You Using and Why?:
@wrx7m said in SSO - What Are You Using and Why?:
@scottalanmiller said in SSO - What Are You Using and Why?:
@wrx7m said in SSO - What Are You Using and Why?:
I have not considered that. Although, I am concerned about the past issues with its reliability/availability.
How often have you lost Azure AD?
I haven't. I meant Azure in general.
Not the same thing Azure is pretty fragile. Azure AD is not.
That is good to know. I should look at to see the design considerations/topology.
-
@wrx7m said in SSO - What Are You Using and Why?:
Currently, I am using AADConnect (formerly dirsync) to sync users' login info for license activation and onedrive. The caveat is that because our local AD domain is .local (inherited this configuration), I had to add a UPN suffix to sync.
True SSO would become more beneficial when moving our mail services to O365.
I AADConnect / PW Sync .locals to O365. Never any issues with that.
What problems are you running into?
-
@Tim_G I don't have issues with it, per se, it is a problem with having the .local and using the extra public domain so that it effectively turns the office 365 activation/portal from someone's actual email address, [email protected] to [email protected] but using the same password. People rarely remember the difference when logging in to O365. I can't blame them.
-
@wrx7m said in SSO - What Are You Using and Why?:
@Tim_G I don't have issues with it, per se, it is a problem with having the .local and using the extra public domain so that it effectively turns the office 365 activation/portal from someone's actual email address, [email protected] to [email protected] but using the same password. People rarely remember the difference when logging in to O365. I can't blame them.
I see. Yeah if the AD login, domain, AND email address are all completely different... I can see the user confusion.
I was thinking it was something like: [email protected] vs [email protected].
-
@Tim_G Unfortunately, it won't allow a .local because it isn't a public TLD.
-
@scottalanmiller - I can't seem to find how I would implement the Azure AD outside-in approach. I see tons of stuff on how I have already installed AADConnect and sync out.
-
@wrx7m said in SSO - What Are You Using and Why?:
@scottalanmiller - I can't seem to find how I would implement the Azure AD outside-in approach. I see tons of stuff on how I have already installed AADConnect and sync out.
You just... use it. There's nothing to know. Shut down AD, use Azure AD.
-
@scottalanmiller said in SSO - What Are You Using and Why?:
@wrx7m said in SSO - What Are You Using and Why?:
@scottalanmiller - I can't seem to find how I would implement the Azure AD outside-in approach. I see tons of stuff on how I have already installed AADConnect and sync out.
You just... use it. There's nothing to know. Shut down AD, use Azure AD.
There has to be more to it. Does it migrate the existing AD domain and all the users/computers accounts? What about my on-prem Exchange 2010 server?
-
@wrx7m said in SSO - What Are You Using and Why?:
@scottalanmiller said in SSO - What Are You Using and Why?:
@wrx7m said in SSO - What Are You Using and Why?:
@scottalanmiller - I can't seem to find how I would implement the Azure AD outside-in approach. I see tons of stuff on how I have already installed AADConnect and sync out.
You just... use it. There's nothing to know. Shut down AD, use Azure AD.
There has to be more to it. Does it migrate the existing AD domain and all the users/computers accounts? What about my on-prem Exchange 2010 server?
You move to modern email of course. You don't use Azure AD with old on prem Exchange. And no, it does not migrate, it's a new thing. You'd set it up fresh in most cases. It's not AD, you'll likely make new choices.
-
Why do you have on prem old Exchange when you also have modern, hosted Exchange? What's the need for a seven year old on prem email?
-
@wrx7m said in SSO - What Are You Using and Why?:
@Tim_G Unfortunately, it won't allow a .local because it isn't a public TLD.
Right, which is why you'd have to change the users' UPN to the new domain .com, as you mentioned earlier.
Because of the huge difference between the AD username and their email address, I understand the users' confusion of the change.
-
@scottalanmiller said in SSO - What Are You Using and Why?:
@wrx7m said in SSO - What Are You Using and Why?:
@scottalanmiller - I can't seem to find how I would implement the Azure AD outside-in approach. I see tons of stuff on how I have already installed AADConnect and sync out.
You just... use it. There's nothing to know. Shut down AD, use Azure AD.
I think he's saying that his on-prem network would then need access to his Azure AD for user/computer authentication.
-
@Tim_G said in SSO - What Are You Using and Why?:
@scottalanmiller said in SSO - What Are You Using and Why?:
@wrx7m said in SSO - What Are You Using and Why?:
@scottalanmiller - I can't seem to find how I would implement the Azure AD outside-in approach. I see tons of stuff on how I have already installed AADConnect and sync out.
You just... use it. There's nothing to know. Shut down AD, use Azure AD.
I think he's saying that his on-prem network would then need access to his Azure AD for user/computer authentication.
Well the users just authenticate to it. But since Azure AD comes with your hosted email, it's weird to want old on prem email to authenticate to it, too.
-
@scottalanmiller said in SSO - What Are You Using and Why?:
@Tim_G said in SSO - What Are You Using and Why?:
@scottalanmiller said in SSO - What Are You Using and Why?:
@wrx7m said in SSO - What Are You Using and Why?:
@scottalanmiller - I can't seem to find how I would implement the Azure AD outside-in approach. I see tons of stuff on how I have already installed AADConnect and sync out.
You just... use it. There's nothing to know. Shut down AD, use Azure AD.
I think he's saying that his on-prem network would then need access to his Azure AD for user/computer authentication.
Well the users just authenticate to it. But since Azure AD comes with your hosted email, it's weird to want old on prem email to authenticate to it, too.
I will be ditching my Exchange 2010 but was wondering how it would be affected by it. So what about about the rest of the on-prem servers that are all AD domain members?
-
@wrx7m said in SSO - What Are You Using and Why?:
@scottalanmiller said in SSO - What Are You Using and Why?:
@Tim_G said in SSO - What Are You Using and Why?:
@scottalanmiller said in SSO - What Are You Using and Why?:
@wrx7m said in SSO - What Are You Using and Why?:
@scottalanmiller - I can't seem to find how I would implement the Azure AD outside-in approach. I see tons of stuff on how I have already installed AADConnect and sync out.
You just... use it. There's nothing to know. Shut down AD, use Azure AD.
I think he's saying that his on-prem network would then need access to his Azure AD for user/computer authentication.
Well the users just authenticate to it. But since Azure AD comes with your hosted email, it's weird to want old on prem email to authenticate to it, too.
I will be ditching my Exchange 2010 but was wondering how it would be affected by it. So what about about the rest of the on-prem servers that are all AD domain members?
Yeah - this is what I'm wondering as well? Does Windows Server 2016 support Azure AD? Assuming it does, can you still get things like local network shares when using Azure AD? or does MS assume you've given that up and moved purely to OneDrive for Business?
-
@wrx7m said in SSO - What Are You Using and Why?:
@scottalanmiller said in SSO - What Are You Using and Why?:
@Tim_G said in SSO - What Are You Using and Why?:
@scottalanmiller said in SSO - What Are You Using and Why?:
@wrx7m said in SSO - What Are You Using and Why?:
@scottalanmiller - I can't seem to find how I would implement the Azure AD outside-in approach. I see tons of stuff on how I have already installed AADConnect and sync out.
You just... use it. There's nothing to know. Shut down AD, use Azure AD.
I think he's saying that his on-prem network would then need access to his Azure AD for user/computer authentication.
Well the users just authenticate to it. But since Azure AD comes with your hosted email, it's weird to want old on prem email to authenticate to it, too.
I will be ditching my Exchange 2010 but was wondering how it would be affected by it. So what about about the rest of the on-prem servers that are all AD domain members?
That'll be case by case. What's an example workload?
-
@scottalanmiller said in SSO - What Are You Using and Why?:
@wrx7m said in SSO - What Are You Using and Why?:
@scottalanmiller said in SSO - What Are You Using and Why?:
@Tim_G said in SSO - What Are You Using and Why?:
@scottalanmiller said in SSO - What Are You Using and Why?:
@wrx7m said in SSO - What Are You Using and Why?:
@scottalanmiller - I can't seem to find how I would implement the Azure AD outside-in approach. I see tons of stuff on how I have already installed AADConnect and sync out.
You just... use it. There's nothing to know. Shut down AD, use Azure AD.
I think he's saying that his on-prem network would then need access to his Azure AD for user/computer authentication.
Well the users just authenticate to it. But since Azure AD comes with your hosted email, it's weird to want old on prem email to authenticate to it, too.
I will be ditching my Exchange 2010 but was wondering how it would be affected by it. So what about about the rest of the on-prem servers that are all AD domain members?
That'll be case by case. What's an example workload?
Filemaker Server, ShoreTel Server, an ERP server, File and Print servers, RDGateway/Terminal Server, vCenter, Spiceworks, PRTG, Veeam