Can you add an attribute store to Azure Active directory store like you can in ADFS?

Ron Houet 56 Reputation points
2021-07-01T14:00:47.557+00:00

We are looking to migrate our (on-premise) ADFS environment to Azure AD.
But we are using IDs from an external partner with extra security requirements, i.e. these attributes have to be stored in their own encrypted, secure database.
On-premise within ADFS this is solved by adding an extra SQL attribute store.

Is this possible with Azure AD?


Accepted answer
  1. Siva-kumar-selvaraj 15,551 Reputation points
    2021-07-13T07:41:33.313+00:00

    As of today, there are no attribute stores in AAD.

    If synchronizing from on-premises is not an option for you, then I would recommend Azure AD directory schema extension attributes, which provide a way to store additional data in Azure Active Directory on user objects and other directory objects such as groups, tenant details and service principals. Only extension attributes on user objects can be used for emitting claims to applications.

    Directory schema extension attributes are always associated with an application in the tenant. To learn more, see: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-schema-extensions

    Hope this helps.

    Regards,
    Siva

    2 people found this answer helpful.
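The approach in the accepted answer, as an added example that is not code from the thread or from Microsoft: the Microsoft Graph PowerShell SDK registers a directory schema extension attribute on an application, writes it on a user, reads it back and exposes it to that same application as an optional claim. The application display name, attribute name, user principal name and stored value are placeholders.

```powershell
# Added example (not from the thread). Requires the Microsoft.Graph PowerShell SDK.
# $appName, $attributeName, $upn and the stored value are placeholders.
Connect-MgGraph -Scopes "Application.ReadWrite.All", "User.ReadWrite.All"

$appName       = "Partner-Attribute-Owner"   # placeholder: app that owns the extension and receives the claim
$attributeName = "partnerReference"          # placeholder attribute name
$upn           = "alice@contoso.example"     # placeholder user

# 1. Extension attributes always hang off an application registration.
$app = Get-MgApplication -Filter "displayName eq '$appName'" | Select-Object -First 1
if (-not $app) { $app = New-MgApplication -DisplayName $appName }

# 2. Create the extension attribute (reuse it if it already exists).
$ext = Get-MgApplicationExtensionProperty -ApplicationId $app.Id |
    Where-Object { $_.Name -like "*_$attributeName" }
if (-not $ext) {
    $ext = New-MgApplicationExtensionProperty -ApplicationId $app.Id `
        -Name $attributeName -DataType "String" -TargetObjects @("User")
}
# Graph names it extension_<appId without dashes>_<attributeName>
Write-Host "Extension attribute: $($ext.Name)"

# 3. Write a value on the user. Directory extension values are not confidential
#    attributes, so store only an opaque reference (a lookup key into the
#    partner's encrypted store), never the protected value itself.
Update-MgUser -UserId $upn -AdditionalProperties @{ $ext.Name = "REF-000123" }

# 4. Read it back; extension values are returned in AdditionalProperties.
$user = Get-MgUser -UserId $upn -Property "id,userPrincipalName,$($ext.Name)"
Write-Host "Stored reference: $($user.AdditionalProperties[$ext.Name])"

# 5. Emit it in the ID token as an optional claim named extn.<attributeName>.
Update-MgApplication -ApplicationId $app.Id -OptionalClaims @{
    IdToken = @(@{ Name = "extn.$attributeName"; Source = "user"; Essential = $false })
}
```

The extension is registered on the same application that receives the claim to keep the example to one registration; what the user object carries is only the reference key, which is the part of the original requirement Azure AD can hold on its own.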

3 additional answers

  1. Pierre Audonnet - MSFT 10,166 Reputation points Microsoft Employee
    2021-07-01T17:56:50.367+00:00

    You might be able to synchronize things to the account itself through Azure AD Connect. But it will then be readable by the users (as there are no confidential attributes in AAD like in AD).

    As of today, there are no attribute stores in AAD.

    1 person found this answer helpful.

  2. Pierre Audonnet - MSFT 10,166 Reputation points Microsoft Employee
    2021-10-13T01:34:19.04+00:00

    There is a sort of workaround, which might not fit your scenario, but it's worth a shot.

    You could keep the app in ADFS but use AAD as a Claim Provider Trust (CPT, in other words as an identity provider) in ADFS. You then associate this CPT with your app in ADFS. When users try to connect to the app, they get redirected to AAD for authentication. Then once you get your token, you can access ADFS and ADFS will give you a token. This token can be "enriched" with issuance claim rules which get the things you want (as long as ADFS can read the attribute).

    If your intent was to use AAD as an IDP, this way you can get AAD authentication in your app.
    But your app is not in AAD. AAD will see your ADFS farm as an app. So you can't really do Conditional Access Policies (well you can, but you have to consider it is a CAP for ADFS as an app, not your app). That shouldn't be a major issue if that app is the only one you want to use that workaround for. As soon as you have two, then you won't be able to distinguish them in AAD (and you won't be able to apply specific CAPs).

    If your intent is to remove ADFS, that doesn't solve the problem as in that workaround you rely on ADFS to trust your app.

    1 person found this answer helpful.
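Pierre's workaround sketched as added ADFS PowerShell, not code from the thread: Azure AD is registered as a claims provider trust, the partner database is added as a SQL attribute store, and the relying party is pointed at the AAD claims provider with an issuance transform rule that enriches the ADFS token from the store. The tenant id, connection string, table name, relying party name and claim type are placeholders; the AAD-side app registration representing the ADFS farm is assumed to exist already.

```powershell
# Added example (not from the thread). Run on an ADFS server with the ADFS module.
# <TENANT-ID>, the connection string, table, RP name and claim type are placeholders.

# 1. Azure AD as a Claims Provider Trust. AAD sees the ADFS farm as an app;
#    that app registration on the AAD side is assumed to be in place.
$tenantId    = "<TENANT-ID>"
$aadMetadata = "https://login.microsoftonline.com/$tenantId/federationmetadata/2007-06/federationmetadata.xml"

$acceptanceRules = @'
@RuleName = "Pass through UPN from Azure AD"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);
'@

Add-AdfsClaimsProviderTrust -Name "Azure AD" -MetadataUrl $aadMetadata `
    -AcceptanceTransformRules $acceptanceRules

# 2. The partner's encrypted database stays where it is, as a SQL attribute store
#    (placeholder connection string; TLS to the SQL server is requested with Encrypt=True).
Add-AdfsAttributeStore -Name "PartnerStore" -StoreType "SQL" `
    -Configuration @{ "ConnectionString" = "Server=sql01;Database=PartnerIds;Integrated Security=True;Encrypt=True" }

# 3. Issuance rule: look up the partner ID for the UPN that Azure AD authenticated.
#    {0} is bound to the parameterised UPN value, so the lookup is not string-concatenated.
$issuanceRules = @'
@RuleName = "Partner ID from SQL store"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(store = "PartnerStore",
          types = ("http://contoso.example/claims/partnerId"),
          query = "SELECT PartnerId FROM dbo.PartnerIds WHERE Upn = {0}",
          param = c.Value);
'@

# 4. Tie the relying party to the AAD claims provider and attach the enrichment rule.
Set-AdfsRelyingPartyTrust -TargetName "Partner App" `
    -ClaimsProviderName @("Azure AD") `
    -IssuanceTransformRules $issuanceRules
```

As Pierre notes, the relying party remains an ADFS application: Azure AD authenticates the user and only ADFS (with its existing attribute store) ever reads the partner ID, so the sensitive value never has to be placed in the directory.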

  3. Ron Houet 56 Reputation points
    2021-07-07T11:42:44.573+00:00

    No one with an answer?
    It would be nice if someone from Microsoft's Azure team could answer whether this is possible or not.