Office365 with AD FS Without Azure AD

Tags: active-directory, adfs, azure-active-directory, microsoft-office-365, smartcard

This should be a simple question, but Microsoft's documentation isn't completely clear on the matter.

I may have a job coming up where I'll be setting up a new Windows Server 2016 Standard deployment for an SMB (around 10-15 AD / O365 accounts, but many customers, and the employee base is growing). They currently have an on-prem Windows Server 2008 box that handles internal file shares with a badly set up Active Directory environment, and they also have an Office 365 subscription for email and the Office suite, which they log into with separate credentials tied to their domain name.

In an effort to move them to 2FA without any additional ongoing costs, I think it would make sense to have an on-prem AD FS deployment that would allow them to log in using something like a YubiKey Smart Card setup or this AD FS MFA extension.

In a case like this, would it be required to sign up for an Azure AD plan and have an additional ongoing cost, or is it possible to set up authentication with the on-prem AD FS deployment without any additional costs on top of the O365 licences? They have a number of Small Business Premium licences for office workers and remote workers just have Exchange licences.

This article says:

Even when you have deployed an ADFS farm as a part of your Office 365 adoption, your ADFS farm doesn't trust Office 365. Your ADFS farm trusts Azure Active Directory.

This support article also seems to suggest that Office365 and Azure AD are tightly coupled so you'd need to pay for both:

Office 365 uses the cloud-based user identity and authentication service Azure Active Directory (Azure AD) to manage users.

However, it then goes on to say:

With AD FS, users have the same password on-premises and in the cloud and they do not have to sign in again to use Office 365. This federated authentication model can provide additional authentication requirements, such as smartcard-based authentication or a third-party multi-factor authentication and is typically required when organizations have an authentication requirement not natively supported by Azure AD.

I would assume from the above that, if something not supported by Azure AD is supported with AD FS, Azure AD is not a prerequisite?

My impression from reading online is that Office 365 supports several federated identity options, and AD FS is one, but I'm confused about whether:

  1. It's possible to short-circuit Azure AD and use AD FS similar to how a Shibboleth IdP/SP partnership would work (e.g. Office365 => ADFS => Office365 without Azure AD sat in the middle)
  2. You have to use Azure but can get away with the free Azure AD Connect indefinitely without syncing passwords (to get free MFA via a YubiKey smart card login that works with AD or some other MFA option)
  3. Whether you still need to purchase a full-blown Azure AD subscription on top of the Office 365 licences (which claim to have Active Directory integration included in the subscription).

Failing the above, am I being stupid suggesting smart card login at all? They frequently take machines out of the office (lots of laptop work), so I want the AD environment to be as secure as possible with BitLocker-enforced machines and 2FA login, but I'm wondering whether trying to integrate this with O365 too is just creating myself an additional management / support headache.

Thanks so much for any advice!

Best Answer

Office 365 runs on top of Azure AD.

You can't then have O365 without Azure AD.

MFA requires Premium P1 normally, but it's built in to O365 (depending on your subscription).

Have a look at pass-through. This will provide what you need without ADFS.
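An added example (not from the question or the answer) that shows the answer's point in practice: authentication for an Office 365 domain is always configured on the Azure AD side, either as Managed (cloud password, password hash sync or pass-through) or as Federated to an AD FS farm that Azure AD trusts. It assumes the Microsoft.Graph PowerShell module and an account with read access to the tenant's domains.

```powershell
# Added example, not code from the original post.
# Lists every verified domain in the tenant and shows whether Azure AD
# authenticates it directly ('Managed') or hands sign-in to a federated
# IdP such as AD FS ('Federated'). In both cases Azure AD is the party
# Office 365 trusts; AD FS only appears as a federation partner of Azure AD.
# Assumes: Microsoft.Graph module installed, Domain.Read.All consent granted.

Connect-MgGraph -Scopes 'Domain.Read.All'

$report = foreach ($domain in Get-MgDomain | Where-Object { $_.IsVerified }) {
    $row = [ordered]@{
        Domain      = $domain.Id
        AuthType    = $domain.AuthenticationType   # 'Managed' or 'Federated'
        IssuerUri   = $null
        SignInUri   = $null
        MfaHandling = $null
    }

    if ($domain.AuthenticationType -eq 'Federated') {
        # Federation settings describe the on-prem AD FS farm Azure AD trusts
        # for this domain: the issuer it expects tokens from and where it
        # redirects browsers for sign-in.
        $fed = Get-MgDomainFederationConfiguration -DomainId $domain.Id
        $row.IssuerUri   = $fed.IssuerUri
        $row.SignInUri   = $fed.PassiveSignInUri
        # Whether Azure AD accepts an MFA claim asserted by AD FS (for example
        # after a smart-card logon) or enforces its own MFA regardless.
        $row.MfaHandling = $fed.FederatedIdpMfaBehavior
    }

    [pscustomobject]$row
}

$report | Format-Table -AutoSize
```

For a federated domain, the MfaHandling column is worth reviewing: if Azure AD is set to accept an MFA claim from the federated IdP, the strength of Office 365 sign-in depends entirely on what the AD FS farm actually enforces.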