0 Votes
skiphofmann-5016 asked ·

onprem ADFS Conditional Access policies

Hello all

We are currently using ADFS 2.0. We are federated with O365 and Azure using Azure AD Connect and onprem ADFS. We are doing DUO MFA onprem via ADFS claims rule. My question is can we take full advantage of CA policies if we are still using onprem ADFS onprem for authentication ?


1 Answer

0 Votes
piaudonn answered ·

ADFS 2.0 is running only on unsupported OSes. So I would start by updating your ADFS farm. It is documented: here (note that it is pretty much the same process to move from ADFS 2.0 to Windows Server 2012 R2 ADFS or 2016 or 2019).

That said, you have two main roads here.

You can configure Azure AD to redirect users to your on-premises ADFS farm and DUO provider to perform MFA. That way, if you create a conditional access policy that enforces MFA to access, let's say, SharePoint Online, when a user accesses SharePoint and did not do MFA, Azure AD will redirect the user to ADFS. The user will not have to provide username or password but just perform the MFA. This is done by enabling the -SupportMFA flag on the federation settings with the MSOnline PowerShell module.

Or you can configure DUO as a custom MFA provider in Azure AD. It is documented on their website. That way you don't need to use your MFA provider on ADFS at all (at least not for the Azure AD relying party trust). And you let everything be managed in the cloud.

On that second point, you could go one step further and not use ADFS at all if you can for Azure AD. ADFS is not a requirement anymore to have a Single Sign-On experience for your users. Have a look at this: Azure Active Directory Seamless Single Sign-On.

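The first road described in the answer (Azure AD Conditional Access keeping the policy decision in the cloud but sending the user to ADFS for the MFA step) is switched on per federated domain with the MSOnline module. The script below is an added example, not code from the answer or from Microsoft; it assumes the MSOnline module is installed, that the signed-in account can change federation settings, and uses a placeholder domain name.

```powershell
# Added example (not from the original answer): inspect and, if needed, enable the
# SupportsMfa federation setting so that Azure AD Conditional Access delegates the
# MFA step to the on-premises ADFS farm. Assumes the MSOnline module and an account
# allowed to change federation settings. The domain name below is a placeholder.
Import-Module MSOnline
Connect-MsolService

$domain = 'contoso.example'   # placeholder: replace with your federated domain

# Read the current federation settings before changing anything
$fed = Get-MsolDomainFederationSettings -DomainName $domain
"Federation settings for $domain"
"  IssuerUri       : $($fed.IssuerUri)"
"  PassiveLogOnUri : $($fed.PassiveLogOnUri)"
"  SupportsMfa     : $($fed.SupportsMfa)"

if ($fed.SupportsMfa -eq $true) {
    "SupportsMfa is already enabled; CA policies requiring MFA will redirect to ADFS."
}
else {
    # With the flag set, a CA policy that requires MFA sends an already
    # password-authenticated user back to ADFS for the second factor only.
    Set-MsolDomainFederationSettings -DomainName $domain -SupportsMfa $true

    # Verify the change actually landed
    $after = Get-MsolDomainFederationSettings -DomainName $domain
    if ($after.SupportsMfa -ne $true) {
        throw "SupportsMfa was not applied to $domain; check the domain name and your role."
    }
    "SupportsMfa is now enabled for $domain."
}
```

One caveat worth checking on the ADFS side once this is on: Azure AD only treats the redirect as satisfied when the token ADFS issues carries the `http://schemas.microsoft.com/claims/authnmethodsreferences` claim with the value `http://schemas.microsoft.com/claims/multipleauthn`, so the DUO claims rule on the Azure AD relying party trust has to emit that value after a successful second factor. Without it, users will loop between Azure AD and ADFS, which is a quick way to confirm the setting is in place but the claim is missing.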

Thanks for the response. We are actually using ADFS 3.0 (sorry for the confusion). I really want to move away from onprem ADFS and over to password hash sync. I have to navigate some political waters first. I know it's Microsoft best practice to use password hash sync. I'm trying to gather some evidence that would suggest in our current configuration we won't be able to take full advantage of Conditional Access policies, and some reasons why. I know I can add DUO as an MFA provider in Azure, however I'm specifically inquiring about issues that would occur with CA policies when using ADFS onprem. Things like trusted IPs come to mind.

0 Votes

A couple of things here.

First, Azure Active Directory Seamless Single Sign-On does not require you to sync the hash of the users. You can make it work with the Pass Through Authentication mode (i.e. the authentication will still take place on-prem via a lightweight agent that you can even install on your Azure AD Connect server to start with).

Then, I want to make it clear that your scenario is still using Conditional Access Policy in Azure AD. You just redirect to ADFS for the MFA part. The trigger is still in Azure AD, so the trusted IP condition (and all others) still apply. What is not a good idea is trying to reproduce what Azure AD Conditional Access Policy does in ADFS. But that's not your scenario.

0 Votes

Also, there is a free feature in Azure AD called Security Default. It allows customers to enable MFA for free on all users. But this requires using the Azure MFA mobile app. So in that case the DUO provider won't cut it.

The role of ADFS when it is used for Azure AD (and by extension for Office 365) is really just to validate the user's password (well and in your case, perform the MFA).

0 Votes