💡
Azure Active Directory (AAD) was renamed to Entra ID. However the content of this post is still accurate.

Base concepts

Federation services have found their journey to the cloud. Known on-premises Active Directory Federation Services (ADFS) was the origin way to provide local identities for authentication and authorization purposes. But this is not the recommended way anymore, instead using AzureAD.

The equal thought is for the applications that needed such a authentication layer/provider. In Azure, we talk about Enterprise Applications and App registrations, as described here.

ADFS

Active Directory Federation Services is a server-based role, that is part of most domain networks. Single-sign-on with a federated identity that authenticates to any kind of application and claim-based access control for authorization. It is basically the platform to implement when attempting for application security.

AzureAD

Azure Active Directory is not just AD in the cloud. It is the main identity- and access management product in the Microsoft cloud, that offers more suitable features. It is a IDaaS, identity as a service solution across apps located everywhere.

Readiness

Concepts

Before starting the journey, you should be clear about the final situation:

  • ADFS service disabled, authentication requests handled by AzureAD
  • Password hash sync enabled on AzureAD connector
  • No federated domains, instead cloud managed domains

This is for sure best practice and simply the future. ADFS is a complex product, requiring special rules and even proxies. With AzureAD we are server-less, easier to manage and even more reliable.

Some organizations find that their password hashes should not be in the cloud. But also for this case you can get rid of ADFS. Read about Pass-through authentication, where you keep your passwords and can use AzureAD authentication. For my case, I want to go with password hash sync, as it is more convenient.

Technical

Get federated domain
First of all, I would consider a look into Azure Active Directory>Azure AD Connect>User sign-in, there Federation.
azuread-federation-1.png

Save Domain details
It is always good to have a configuration saved, which is functional and can used for rollback. To achieve this for M365 side, run following commands:

  1. Log in to your Microsoft tenant with MSOnline

Connect-Msolservice

  1. Copy the following output: (insert your own domainname)

Get-MsolDomainFederationSettings -DomainName domain.com | fl *

Subsequently we are going to save the ADFS config. Run this command from the ADFS server, to ensure functionality.

(Get-AdfsRelyingPartyTrust -Name "Microsoft Office 365 Identity Platform") | Export-CliXML "C:\temp\O365-RelyingPartyTrust.xml"

AzureAD Connect
To enable password hash sync you need a minimal version of 1.1.819.0 of AzureAD Connector. Take a look at the current configuration in AAD connect. The second thing to check is, if password hash synchronization is enabled. The last prerequisite is to verify if ADFS was configured with AAD connect. On the "review your solution" section, you should see anything that conducts to ADFS. If not, you are required to use Powershell to convert your domains. This is what I am going to do.

aadconnect-settings.png

Source: Microsoft Docs

Configuration

If you have prepared for the implementation, you are now only a few commands away from the target. To prove everything works, it is good to have some test accounts of the domains you want to switch from ADFS to AAD.

  1. Log in to your Microsoft tenant with MSOnline

Connect-Msolservice

  1. Convert your domain from federated to managed (insert your own domainname)

Set-MSolDomainAuthentication -Authentication managed -Domainname domain.com

  1. Verify the status in the AzureAD portal>Azure AD Connect>Federation
    azuread-federation-1.png

  2. If the count of domains decreased, and the domain you converted is not enabled for federation anymore, you can move on and run an AAD Connect initial sync

Start-ADSyncSyncCylce -Policytype Initial

This will start an initial synchronization and will update all attributes you changed. I recommend doing this after each converted domain.

  1. Finally, try to log in with an account of the domain. Notice that the URL is forwarding you to a microsoftonline.com site, instead of ADFS.
    login-msonline.png

Please be sure, that after you ran the Set-MsolDomainAuthentication command, it can take up to 30 minutes, after you can log in again.

Through the sync of AAD connect, the password hashes do get updated every 30 minutes in the cloud and this will also affect on users which change their password on-premises.

Source Microsoft

Outages

Let's talk about potential unwanted influences for your systems and applications. Password Hash Sync will usually prevent you from any outages, as your hashes are already in the cloud. Even if ADFS were to fail, this mechanism would work. So thats a clear benefit. When it comes to setting domain authentication, users may experience some failed logins to Microsoft 365 services that use AAD as identity provider. But cookies and caching of credentials should bypass this problem for the users. Although, if you have a lot of login attempts that come directly to M365, a clear communication is probably the preferred way.

Risks and rollback

Luckily, any changes made through this method can be easily reversed. Use the command Convert-MSOLDomainToFederated to convert the domains back to federation with ADFS. More information
In addition, it helps to execute the tasks from the technical readiness. With this you should be fully safe and prepared for any disadvantageous situations.
When it comes down to risks, there is barely anything to consider. Take your time, make a plan and get all the information you need.

Decommissioning ADFS server

Last, it is about building back the ADFS server. I would not shut down the server right away after the Powershell commands, but disable the relying party trusts.

After this, I would still let the server alive for at least 2 weeks, to guarantee full functionality across the enterprise, in each use case. Don't forget to think of proxies or legacy connections to ADFS. And when you are satisfied with all these considerations, you can shut down and delete the server with a clear conscience.

You’ve successfully subscribed to Oceanleaf
Welcome back! You’ve successfully signed in.
Great! You’ve successfully signed up.
Success! Your email is updated.
Your link has expired
Success! Check your email for magic link to sign-in.