Modern Workplace Blog
August 5, 2019 (updated May 24, 2020)

Ask yourself if you still really need ADFS

In Q1 2017 Microsoft released the Pass-through Authentication (PTA) functionality as part of Azure AD Connect. Azure Active Directory (Azure AD) Pass-through Authentication allows your users to sign in to both on-premises and cloud-based applications with the same passwords, without the need to implement an Active Directory Federation Services (ADFS) environment.

With this addition, the following authentication options are available when setting up a hybrid identity:

  • Password hash synchronization (PHS) – https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-phs
  • Pass-through authentication (PTA) – https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta
  • Federation (AD FS) – https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-fed

Many Microsoft customers started integrating with Azure AD before 2017. At that time only two options were available to them: Password Hash Sync or ADFS federation, and ADFS federation was the only way to authenticate a user against an on-premises Domain Controller. With ADFS you create a federated trust between your on-premises Security Token Service (STS) and the federated domain you have specified in your Azure AD tenant.

For most companies, implementing ADFS just for this purpose is a relatively expensive option, since an ADFS environment usually consists of more than one deployed server. The example below gives an idea of a possible ADFS implementation where the ADFS servers are hosted on Azure IaaS virtual machines.

ADFS implementation in Azure IaaS

Source: Deploying Active Directory Federation Services in Azure – https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs

ADFS is also more complex to manage than hosting the same functionality in Azure AD, and if you use both Azure AD and ADFS you have two environments with overlapping functionality.

Microsoft provides some guidance on which authentication method to use for a green-field deployment of Azure AD; schematically this looks like the schema below, and you will see that the PTA option is valid for many scenarios.

If you are currently on ADFS, though, it might be worthwhile to transition to Pass-through Authentication (PTA) or Password Hash Synchronization (PHS) only. To help with that decision I have created the following flowchart, which can hopefully help you choose whether to keep ADFS or transition to another authentication method. The flowchart is also available as a separate download on GitHub: https://github.com/kennethvs/blog/blob/master/Azure%20AD%20authentication%20integration%20flowchart.pdf

Many applications that are currently redirected to your ADFS infrastructure can now be redirected to Azure AD instead; Microsoft publishes tutorials for many third-party SaaS applications here: https://docs.microsoft.com/en-gb/azure/active-directory/saas-apps/tutorial-list

I reached out on Twitter to find reasons that could possibly block the transition towards PTA or PHS. Some of the responses were:

  • When you have one ‘multitenant’ source AD and multiple 365 tenants; when you need to have integration with Afas Online, or other apps not known by 365
  • I’d rather sync password hashes to #AzureAD. Am I missing an advantage of PTA over that?
  • PHS knows nothing about on-prem password policies, particularly password expiration. A bit of a challenge for users who rarely do anything inside the corporate network
  • AzureAD requires additional cost for Conditional access. Even basic CA. ADFS claim rules are free 🙂
  • Actually PHS is even simpler and more robust. I vote for native cloud auth with #AzureAD. Security is not an issue here.
  • Agree on this! Would you still deploy ADFS infra (when there are valid requirements) next to AAD PTA or drop it and go for AD FS only?

Conclusion:

When Azure Active Directory was first integrated, the only way to validate a signing-in user account on-premises was Active Directory Federation Services; today that requirement can be met in another way. If you use ADFS only as the federation mechanism for Azure AD logins, consider moving to Pass-through Authentication instead.

Migration from ADFS to PTA is described in the following article: Migrate from federation to pass-through authentication for Azure Active Directory – https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-migrate-adfs-pass-through-authentication
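Before following that migration guide, it helps to confirm that Azure AD really is the only consumer of your ADFS farm. The script below is an added example (not from the original post): it lists the tenant domains that are still federated and the relying party trusts the farm serves, and flags whether anything other than Azure AD depends on it. It assumes the ADFS and MSOnline PowerShell modules, an existing Connect-MsolService session, and the well-known Office 365 relying party identifier urn:federation:MicrosoftOnline.

```powershell
# Added example, not part of the original post. Run on an ADFS server after
# Connect-MsolService; the MSOnline and ADFS modules are assumed to be present.

# 1. Which verified domains in the tenant are still federated, and with which STS?
$federated = Get-MsolDomain | Where-Object { $_.Authentication -eq 'Federated' }
if (-not $federated) {
    'No federated domains found in the tenant.'
}
foreach ($d in $federated) {
    $fs = Get-MsolDomainFederationSettings -DomainName $d.Name
    '{0} -> federated with issuer {1}' -f $d.Name, $fs.IssuerUri
}

# 2. Which relying party trusts does this farm serve? Azure AD / Office 365
#    registers itself under the well-known identifier below.
$azureAdId = 'urn:federation:MicrosoftOnline'
$rpTrusts  = @(Get-AdfsRelyingPartyTrust)
$others    = @($rpTrusts | Where-Object { $_.Identifier -notcontains $azureAdId })

'Relying party trusts on this farm: {0}' -f $rpTrusts.Count
$rpTrusts |
    Select-Object Name, Enabled, @{ n = 'Identifier'; e = { $_.Identifier -join ', ' } } |
    Format-Table -AutoSize

# 3. Decision hint matching the conclusion above: ADFS used for Azure AD only,
#    or still needed by other applications?
if ($others.Count -eq 0) {
    'Azure AD is the only relying party: this farm exists for Azure AD sign-in only, so PTA or PHS could replace it.'
} else {
    'Other relying parties still depend on this farm ({0}); keep ADFS or move them to Azure AD first:' -f $others.Count
    $others | ForEach-Object { ' - ' + $_.Name }
}
```

Disabled trusts are listed too, so review the Enabled column before treating a leftover trust as a blocker.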

Some references used while writing this article:

What is hybrid identity with Azure Active Directory? – https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-hybrid-identity
Five tips to improve the migration process to Azure Active Directory – https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Five-tips-to-improve-the-migration-process-to-Azure-Active/ba-p/445364
Azure AD pass-through authentication – https://www.jgspiers.com/azure-ad-pass-through-authentication/
Support Tip: A Quick Look at Azure AD Connect and Hybrid Identity – https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-A-Quick-Look-at-Azure-AD-Connect-and-Hybrid-Identity/ba-p/717280
Ten things you need to know about Pass-through Authentication – https://dirteam.com/sander/2019/02/28/ten-things-you-need-to-know-about-pass-through-authentication/
Your Pa$$word doesn’t matter – https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Your-Pa-word-doesn-t-matter/ba-p/731984


3 thoughts on “Ask yourself if you still really need ADFS”

  1. Pingback: Microsoft Secure Score Series – 03 – Enable Password Hash Sync if hybrid - JanBakker.tech
  2. Chris Hudlet says:
    May 11, 2020 at 9:45 pm

    I will add the “NO GO” question for me was self service password reset. If you have it turned on for ADFS for external users to be able to reset their password, then you will need to buy an Azure AD P1/P2 or an O365 E3/E5 license for each and every user you want to enable. We run E1 licenses so that turns into a non-starter.

    1. Kenneth says:
      May 12, 2020 at 1:12 pm

      Good remark Chris

      To be honest because of the fact that I mainly work with Enterprise customers, not having Azure AD Premium available almost never occurs in my line of work. You do have a valid remark though and you are absolutely right that this is a NO GO if you want to maintain that functionality. Depending on the size of your organization transitioning from Enterprise plans to Business Premium plans (for up to 300 users) could be beneficial and give you the P1 edition, but that is a whole other topic.

      Thanks for visiting my blog!

      /Kenneth

