Field Notes: Azure Active Directory Connect – Federation with AD FS

I started off this Azure AD Connect series by going through the express installation path, where the password hash synchronization sign-in option is selected by default. This was followed by the custom installation path using pass-through authentication and a remote SQL installation. See:

Today we cover federation using Active Directory Federation Services (AD FS).

Federation with AD FS

In the previous posts on Azure AD Connect, I go through the entire installation process. The difference here is that I modify an existing installation and change the user sign-in option to AD FS, as we have already seen launching the installer from scratch twice. Selecting AD FS as a sign-in option is also exposed when the custom installation path is selected if you were to install from scratch.

Welcome to Azure AD Connect

Launching Microsoft Azure AD Connect presents the following Welcome to Azure AD Connect screen instead of the express versus custom screen we saw in the previous posts. Select configure to see available options.

The synchronization service scheduler is suspended until this setup is closed. We will cover details on this in one of the upcomming posts.

Additional tasks

We already have the latest version of Azure AD Connect installed and configured with pass-through authentication, so we’ll just select change user sign-in.

Connect to Azure AD

The Connect to Azure AD screen is also the same as what we saw in the previous two blog posts. Supply credentials of a global administrator account.

Only Azure and user accounts synchronized from on-premises directories are supported for administration. Also note that it is not possible to federate an Azure AD domain while signed in to Azure AD as a user in the same domain.

User sign-in options

This is one of the reasons we are here today – user sign-in! There are a few options available for user sign in:

  • Password Hash Synchronization, which I covered in the first part of the series
  • Pass-through authentication, which is in the second part
  • Federation with AD FS is what I am covering in this post
  • Other options are federation with PingFederate and not configuring any of the above

We select Federation with AD FS and click next to proceed. Details on requirements are in the references subsection below.

Domain Administrator credentials

Azure AD Connect requires domain administrator credentials for the domain in which AD FS will be deployed or configured. Enter a domain credential that is a local administrator on the AD FS servers.

This credential is not stored and is used only during the setup process.

AD FS Farm

This is where the installation wizard is guided on whether to install and configure a new AD FS farm or us an existing one. I select to use an existing AD FS farm that I have pre-configured in my environment.

Opting to go for configuring farm would require us to provide a password-protected PFX file containing the SSL certificate that will be used to secure the communication between AD FS and clients. AAD Connect would store the PFX file locally and we would need to ensure that a strong password has been used to protect the certificate. A short video is included below, which goes through this process.

Azure AD Domain

Select the Azure AD domain that the wizard will enable for federated sign-on.

Azure AD Trust

As we are using an existing AD FS farm, Azure AD Connect will back up the existing Azure AD relying party trust and then update it with the latest recommended claim rules and settings. Changes that will be made to the Azure AD trust are listed here.

Ready to configure

Once we proceed, the wizard will:

  • Backup any existing Azure AD relying party trusts
  • Update the Azure AD relying party trust
  • Configure Azure AD trust for the directory
  • Disable (seamless) single sign-on that was enabled as part of pass-through authentication

Configuration is complete!

Configuration has successfully been applied. The next step is going to be verifying federation settings. I have shared links specified here as references in the summary section.

Verify federation connectivity

Almost there! The next screen requires confirmation on whether intranet and extranet DNS records that will allow clients to resolve the federation service have been created. This is sts.idrockstar.co.za both internally and externally in my case. Once we verify, we should see results similar to what we have in the image below.

Option: Configuring a new AD FS farm (video)

What if we selected “configure a new AD FS farm” instead of “use an existing AD FS farm”? Below is a short video that takes us through the process.

Summary

We took a different approach of modifying an existing installation instead of installing Azure AD Connect from scratch this time around. We changed the user sign-in option from pass-through authentication to AD FS. This is just a demonstration, and I decided to change to AD FS as we have not covered it before. Different options are exposed depending on whether we are configuring a new AD FS farm or using an existing one. The former is summarized in the 1 and half minute video.

References:

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.