Hi All,
We're a school looking at streamlining IT for when the students return in September (late planning I know - not my choice!). The biggest frustration for most of our users (because the powers that be deactivated roaming accounts) is that every time you go to log in to a new PC (all our PCs are hot-desk) you spend upwards of 5 minutes signing into everything required to start a lesson. With us that is mainly Teams/Office & OneDrive apps, with O365 for email etc - because we currently don't have ADFS.
As you would expect, being a school we are fairly short on resources and don't have an expansive network where we can easily slot in XY and Z. We do not as such have any external-facing access (except VPN for me and a few others) to the school network. We do not wish to expand VPN access either as most of our academics are technophobes. We also don't have, nor are we able to have, any sort of DMZ for a Reverse Proxy (WAP) to ADFS, and as mentioned our academics could not be expected to use a VPN every time they need to sign in.
Is there any way to provide, using only AAD Connect and ADFS, a way for external clients to still connect to O365 whilst maintaining an ADFS server inside the network for SSO for internal clients?
If there is not a way using only those tools, how would you do this? Bearing in mind my budget for this is next to nothing. I know there is AAD's application proxy but again money...
Am I overthinking this? Is there a way of doing SSO with Teams/OneDrive/O365 that I have overlooked?
Thanks!
EDIT: Removed duplicate words & clarity
Post Details
- Posted
- 4 years ago