Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

Archive for the ‘Workplace Join’ Category

(2016-12-24) Can You Use ADFS v2.x To Federate With Azure AD?

Posted by Jorge on 2016-12-24


You might still be running ADFS v2.0 and you want to know if you can federate with Azure AD and what possible limitations are.

Below you can find my experiences:

  1. Federated user authentication against Azure AD will work
  2. Federated computer authentication against Azure AD will NOT work. In other words Auto Azure AD join will not work
  3. Redirecting MFA from Azure AD to on-premises ADFS will NOT work, unless you have a custom developed MFA solution for ADFS v2.x

[AD.1]

The read about the configurations required, see (2016-12-16) Automatic Azure AD Join With ADFS v3.0 And Higher And Conditional Access – What You Really Need In Detail. Look at the claims rules for user authentication on the RP trust for Azure AD and the CP trust for AD.

[AD.2]

All the required configurations as mention in (2016-12-16) Automatic Azure AD Join With ADFS v3.0 And Higher And Conditional Access – What You Really Need In Detail can be achieved in ADFS, except one! You just configure the "AllowedAuthenticationClassReferences" on the RP trust for Azure AD, which is not possible in ADFS v2.0

[AD.3]

To use MFA with ADFS v2.0, like it is possible in ADFS v3.0 and higher, you have bought or developed a custom MFA solution. Any investment in that is pointless as you cannot reuse it in any way in ADFS v3.0 or higher due to the different architecture. Therefore, without an MFA solution in ADFS v2.0 you will not be able to redirect any MFA required to the on-premises ADFS. It must be processed by Azure AD itself.

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Federation Services (ADFS), Azure AD / Office 365, Workplace Join | Leave a Comment »

(2014-03-24) ADFS v3.0 In W2K12R2 And Related Features In Summary With Details

Posted by Jorge on 2014-03-24


Mylo has written a number of blog posts focusing on his first impressions regarding ADFS v3.0 in W2K12R2 and related features (e.g. Workplace Join, Device Registration, Web Application Proxy, etc). The blog posts are a perfect summary with lots of interesting details. Wow, my compliments!

First Impressions – AD FS and Windows Server 2012 R2 – Part I

First Impressions – AD FS and Windows Server 2012 R2 – Part II

First Impressions – AD FS and Windows Server 2012 R2 – Part III (to be published by Mylo)

In addition to this Ramiro Calderon has written great blog posts focusing on MFA in ADFS v3.0. Again, my compliments!

Under the hood tour on Multi-Factor Authentication in ADFS – Part 1: Policy

Under the hood tour on Multi-Factor Authentication in ADFS – Part 2: MFA aware Relying Parties

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Federation Services (ADFS), Device Registration, Security Token Service (STS), Web Application Proxy, Workplace Join | Leave a Comment »

 
%d bloggers like this: