Joe-8221 asked:
Cannot connect ADFS 2019 to Azure AD Domain Controller

I have setup a new Azure AD Domain Services and an Azure VM running ADFS. I now want to connect ADFS to the Azure AD Domain Services.

I run the Active Directory Federation Services Configuration Wizard and the first step is to specify an account with domain administrator permissions to configure ADFS. When I enter an account that is a global administrator and a member of AAD DC Administrators, it gives me the following error:

The credentials provided is not a domain administrator. Provide a credential that is a member of the Domain Admins group and try again.

I cannot find the Domain Admins group in Azure, and when I try to modify this group using the AD Remote Admin tools, it gives me the following error:

You do not have permission to modify the group myadfs.onmicrosoft.com/Users/Domain Admins.

How do I create an account that is part of the Domain Admins group so that I can use it to configure ADFS?

Note that this is a new Azure cloud-only setup with no existing AD services or users.

Tags: azure-active-directory, adfs, azure-ad-domain-services

Hi,
In your on-premises server, open a command prompt and type whoami. See the name shown there. It should be domainname\username. If you see it as servername\username, you logged in as the local administrator. So log in as domainname\administrator and try again to set up the Federation service.

Thanks,
Manu

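As an added pre-flight check (not part of Manu's reply or the original thread), the following PowerShell does what the whoami advice above does and additionally tests the logon token for the exact group the AD FS wizard requires. It assumes the VM is already domain-joined and has the RSAT ActiveDirectory module installed.

```powershell
# Added example, not from the thread: pre-flight check to run on the AD FS VM
# before starting the AD FS Configuration Wizard. Assumes the VM is domain-joined
# and the RSAT ActiveDirectory PowerShell module is installed.

Import-Module ActiveDirectory

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

# Same information as "whoami": the part before the backslash is either the
# computer name (local account) or the NetBIOS domain name (domain account).
$authority = $identity.Name.Split('\')[0]
if ($authority -ieq $env:COMPUTERNAME) {
    Write-Warning "Signed in as local account '$($identity.Name)'. Sign in as DOMAIN\user instead."
    return
}

# The wizard checks Domain Admins membership (well-known RID 512 of the domain SID),
# not local Administrators membership, so test the logon token for that exact SID.
# IsInRole evaluates the token, so nested group membership is honoured.
$domain          = Get-ADDomain
$domainAdminsSid = [System.Security.Principal.SecurityIdentifier]"$($domain.DomainSID.Value)-512"
$isDomainAdmin   = $principal.IsInRole($domainAdminsSid)

# Azure AD DS delegates 'AAD DC Administrators' instead of Domain Admins.
# Get-ADPrincipalGroupMembership lists direct memberships only.
$groupNames   = Get-ADPrincipalGroupMembership -Identity $identity.User.Value |
                Select-Object -ExpandProperty Name
$isAadDcAdmin = $groupNames -contains 'AAD DC Administrators'

[pscustomobject]@{
    LogonName     = $identity.Name
    Domain        = $domain.DNSRoot
    IsDomainAdmin = $isDomainAdmin
    IsAadDcAdmin  = $isAadDcAdmin
}

if (-not $isDomainAdmin) {
    if ($isAadDcAdmin) {
        Write-Warning "Member of 'AAD DC Administrators' but not 'Domain Admins': this looks like a managed Azure AD DS domain, where Domain Admins is not delegated, so the wizard will reject the account."
    } else {
        Write-Warning "Account is not a member of 'Domain Admins'; the wizard will reject it."
    }
}
```

The output object shows in one place whether the failure is a local logon (the whoami case) or a managed-domain restriction that no account can satisfy.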
JaiVerma-7010 answered:

This will work 100%; for many years this is how we have been setting up our lab:

  • A VM in Azure with DC + ADFS + AD Connect server installed on the same box

  • You will need one more VM for the proxy, as exposing an ADFS with the DC role is not considered secure, not even for a lab scenario


Joe-8221 answered:

Thanks for your response. We don't have an on-premises server; we want an Azure cloud-only user environment.


Hello @Joe-8221,

Could you please try the steps I mentioned on the Azure VM and see what it shows? Here, your on-premises server is the Azure VM itself.

Regards,
Manu


Ah, I see. OK, I'm logging into the Azure VM with remote desktop and I have tried the following as usernames:

username@myadfs.onmicrosoft.com
myadfs.onmicrosoft.com\username
username

When I run whoami for each of these, I always get myadfs\username so I assume I am logged in as the local admin.

How do I log in as domainname\administrator when using remote desktop?

Hello @Joe-8221,

You have to create an AAD DS in the Azure portal and join your VM to the domain. As you don't have a domain associated on-premises or in Azure, you need to join the VM to a domain. Then you can follow the procedure I mentioned.

Regards,
Manu
MattCowen-1303 answered:

@Joe-8221, Azure AD Domain Services does not support ADFS. See the following for an explanation:

35347627-ability-to-deploy-adfs-with-azure-ad-domain-servic

You need to create your own domain controllers in Azure. You can use the Azure Quickstart template to do this quickly and easily.


piaudonn answered:

Hi there, a bit of a side question... But why would you implement ADFS in this context? Azure AD can play the role of the IdP for SAML/WS-Fed and OAuth/OIDC flows. What is the scenario that makes you want to install ADFS and connect it to an Azure AD DS domain controller?


We have a specific ADFS Authentication plugin we want to use. As far as I can see, it is not possible to add custom authentication methods to Azure AD (please correct me if I am wrong).


Well, it depends, what do you call plug-in in your context?


The authentication plugin is based on this:

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method

The requirements for the authentication integration are as follows:

  • Make an API call from the backend before displaying the challenge to the user

  • Display some custom HTML and/or JavaScript to allow the user to supply response

  • Make a final backend API call to validate the response data before authenticating the user

From my research, it seems that only ADFS provides the ability to do this. If it is possible to do this with just Azure AD without ADFS, that would be fantastic! I would be very happy if you could point me to something that shows that this is possible.
