Azure AD 2FA for domain environment using an existing azure tenant

Darrell Bunger 66 Reputation points
2022-01-06T21:00:24.833+00:00

Here is my scenario - I have a 2019 DC on prem and our insurance company is requiring us to use 2FA on domain computer sign ins; I have an existing email tenant with Azure P1. I would like to use Azure's 2FA cloud SSO to connect the two.

So far every tech pub I've read assumes starting with a blank slate on the Azure tenant.

Is it possible to use Azure AD connect to sync an existing Microsoft tenant (with Azure P1) to my on-prem 2019 DC to implement SSO?

If yes, how to do it successfully without unneeded headaches?


Accepted answer
  1. Marilee Turscak-MSFT 36,846 Reputation points Microsoft Employee
    2022-01-07T00:35:04.167+00:00

    Hi @Darrell Bunger ,

    Is it possible to use Azure AD connect to sync an existing Microsoft tenant (with Azure P1) to my on-prem 2019 DC to implement SSO?

    If you want to import users from Azure, unfortunately user writeback is not supported at the moment. The feature was removed back in 2015. The product team is working on adding it back in the near future though. They don't have an ETA for it yet, but the team recently shared that it is actively being worked on.

    One workaround which you may have heard about is to create a PowerShell script that scans Azure AD regularly, finds the users in Azure, and then creates an on-premises user with the attributes in AAD. There is an example of such a script here from Peter Stapf, if you haven't seen this yet.

    Let me know if this helps at all.


3 additional answers

Sort by: Most helpful
  1. risolis 8,721 Reputation points
    2022-01-07T04:18:42.23+00:00

    Hi @Darrell Bunger

    Thanks for that info : )

    When do you apply this solution, or in which scenario does it apply?

    https://video2.skills-academy.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-single-adfs-multitenant-federation

    Cheers,


  2. Darrell Bunger 66 Reputation points
    2022-01-07T17:02:59.373+00:00

    Hi @risolis ,

    Yes, AD FS is already configured and installed; it's been operating since about September 2019. The username pattern matches on both email and AD users, so like dbunger or rsolisvillegas. I've only got the one AAD and AD FS that need to be federated.

    @Marilee Turscak-MSFT , that is good to know that it is being worked on now. The scenario isn't exactly Azure AD writing back to a blank slate in AD though, either. I have a functional AD FS in place AND I have a functional Microsoft email tenant with Azure P1 set up. I hadn't seen the PS script, thanks for that. I wonder if it could be modified to match users based on naming convention, instead of writing them back to a blank AD FS OU?

    I'm wondering if it would be easier to do this with a second tenant just for AAD and AD, but that seems a bit messy.

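As an added example of the scripted workaround from the accepted answer, adapted to the follow-up question about matching on naming convention (this is editorial example code, not from the thread and not Peter Stapf's script): it reads tenant users with a read-only Graph scope, matches each one to an existing on-prem account by the UPN prefix (dbunger style), and only creates accounts that have no on-prem counterpart, disabled and in a staging OU, with a dry run unless -Commit is passed. The OU path, UPN suffix and the Microsoft.Graph.Users / ActiveDirectory module availability are assumptions.

```powershell
# Added example (not from the thread). Assumes the Microsoft.Graph.Users and
# ActiveDirectory modules; the OU and UPN suffix below are placeholders.
param(
    [string]$TargetOU  = 'OU=CloudImported,DC=example,DC=local',  # placeholder
    [string]$UpnSuffix = 'example.com',                           # placeholder
    [switch]$Commit                                               # omit = dry run
)
Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Users

# Read-only Graph scope: the script never needs to change anything in the tenant.
Connect-MgGraph -Scopes 'User.Read.All' | Out-Null

$cloudUsers = Get-MgUser -All -Property UserPrincipalName,GivenName,Surname,DisplayName,Mail |
    Where-Object { $_.UserPrincipalName -like "*@$UpnSuffix" }

# Index existing on-prem users once by sAMAccountName (case-insensitive).
$onPrem = @{}
Get-ADUser -Filter * | ForEach-Object { $onPrem[$_.SamAccountName.ToLower()] = $_ }

$report = foreach ($u in $cloudUsers) {
    # Naming convention: sAMAccountName equals the UPN prefix, e.g. dbunger.
    $sam = ($u.UserPrincipalName -split '@')[0].ToLower()
    if ($onPrem.ContainsKey($sam)) {
        # Already present on-prem: leave it alone so Azure AD Connect can
        # soft-match on UPN/mail instead of creating a duplicate.
        [pscustomobject]@{ Upn = $u.UserPrincipalName; Sam = $sam; Action = 'Matched' }
        continue
    }
    # Only pass attributes that are actually populated in the tenant.
    $new = @{
        Name = if ($u.DisplayName) { $u.DisplayName } else { $sam }
        SamAccountName = $sam; UserPrincipalName = $u.UserPrincipalName
        Path = $TargetOU; Enabled = $false   # stays disabled until reviewed
    }
    if ($u.GivenName)   { $new.GivenName   = $u.GivenName }
    if ($u.Surname)     { $new.Surname     = $u.Surname }
    if ($u.DisplayName) { $new.DisplayName = $u.DisplayName }
    if ($u.Mail)        { $new.EmailAddress = $u.Mail }
    $action = 'WouldCreate'
    if ($Commit) { New-ADUser @new; $action = 'Created' }
    [pscustomobject]@{ Upn = $u.UserPrincipalName; Sam = $sam; Action = $action }
}
$report | Format-Table -AutoSize
```

Run it once without -Commit and review the Matched / WouldCreate lines before letting it create anything; accounts it does create are disabled with no password set, so they have to be enabled deliberately.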

  3. Darrell Bunger 66 Reputation points
    2022-02-28T19:26:14.483+00:00

    Now that I have a better understanding of AD FS, I can say that getting Azure AD to connect was much easier than I'd anticipated. The objects created are unrelated to current objects in the tenant, so no worries about that being an issue.

