0

We are having a customer with the following setup.

  • onPrem Active Directory with Azure AD Connect and Password Hash Sync (PHS) including SSO activation

  • SSO for all M365 apps

  • Integration of about 15 different external Cloud Apps, which Trust Relationship to Azure in order to use SSO in the browser

Now, the customer wants to migrate to ADFS authentication, in order to use onPrem MFA solution for all his apps in the future. So, what happens if we change the "User Sign-In" method in Azure AD Connect away from PHS incl. SSO to "Federation with ADFS"? I've found the following post: Mix ADFS and Azure AD for authentication - Microsoft Q&A where the user " amanpreetsingh-msft" describes the communication flow. But since we have a slightly different setup, I'm not sure, if this communication flow applies to us aswell. Would SSO still automatically work? And what do we need to take into account in regards to the two different SSO approaches: "PRT SSO" and "Seamless SSO". We currently don't know, what type of SSO the customer uses.

I've also found the following communication flow: SSO2 But it does not fully cover our setup. Since we do not forward any kerberos ticket to Azure AD. Our constellation involves SAML, incoming and outgoing claims, a trust between Azure and a Service Provider (instead of ADFS directly) some sort of SSO token within "PRT SSO" or "Seamless SSO" technology. How would the communication flow look like in our case?

Or might it be a better approach to "migrate" the trusts between the Applications and Azure away from Azure to ADFS one by one?

Thanks for your help!

VJSpeter
  • 1
  • 1

1 Answers1

0

It depends on the application, but the most likely scenario is you will have to configure all apps to use an ADFS trust instead of an Azure AD trust.

It's possible that some applications can simply continue to use Azure AD trusts and then Azure AD will handle federated authentication with ADFS, but this would complicate the login process a lot and make it more difficult to manage and troubleshoot. Also, adding ADFS means adding a potential point of failure, as in "if ADFS doesn't work you won't be able to log on to anything" (which is why ADFS is usually implemented with at least a two-servers farm).

Side note: you don't "migrate the domain to "ADFS Authentication" in Microsoft AD Connect"; you'll need to setup an actual ADFS farm (including a reverse proxy for publishing it externally) and then configure the domain for federated authentication in Azure AD.

I don't know the specifics of your scenario, but this seems quite a bit complex, especially if you don't really have good experience with ADFS (which, no offense intended, you don't seem to have); if the customer's reason for doing all of this is simply to use their own MFA solution, I'd strongly advise them to just enable Microsoft's MFA, or switch to one of the various cloud MFA solutions which can be integrated with Azure AD.

Massimo
  • 70,200
  • 57
  • 200
  • 323
  • Thanks Massimo, The thing is, we need to fully understand the communication flow involved. Why does it "depend on the application"? The question is actually: What happens if we change the "User Sign-In" method in Azure AD Connect away from PHS incl. SSO to "Federation with ADFS"? Would SSO still work with a communication flow as described here: "https://docs.microsoft.com/en-us/answers/questions/3484/mix-adfs-and-azure-ad-pta.html" And how would the communication flow look like? – VJSpeter Aug 31 '21 at 07:56
  • Changing the user sign-in in ADConnect is actually a shortcut to have ADConnect setup and manage an ADFS farm for you with standard settings (assuming you have the required servers available); this is totally not recommended if you actually need to configure and fine-tune the ADFS deployment, as it seems to be your case (since you also want to add a custom on-prem MFA). – Massimo Aug 31 '21 at 11:21
  • The authentication flow described in your link is correct, and as you can see it goes Application -> Azure AD -> ADFS (potentially with MFA) -> Azure AD -> Application; at each step the *client* (f.e. a web browser) gets redirected to the next one. With ADFS there is an additional layer of authentication, which *might* complicate things and break SSO, or it just might not. – Massimo Aug 31 '21 at 11:23