On a pretty regular basis I find myself discussing the merits of using AD FS with Office 365 when a customer or client has special requirements pertaining to their environment. Not only does it allow for instant user control, ensuring that a user authenticates against their local domain, but it also provides capabilities for “complex” user scenarios.
One thing that AD FS does for user logins is provide a “Simple Sign On”, where the user’s identity is passed on their behalf in the background. This is similar to how a Kerberos ticket might be passed, but takes the form of an authentication flow that ends with the user holding a resource token to pass to Office 365.
One of the downsides of AD FS is the requirement to have redundancy, proxies and, oh right, still having Azure AD Connect running for identity synchronization from the on-premises environment to Office 365.
Enter the Pass-Through preview capability within Azure AD Connect.
Back in mid-December 2016, Microsoft introduced Azure AD Connect custom settings to allow for “Simple Sign On” through just using the Azure AD Connect preview functionality.
For more on this topic, I highly recommend reading the SSO / Pass-Through article Microsoft posted here: