question

det-1666 asked, piaudonn edited

ADFS and Azure AD

Hello:

We have on-prem ADFS, and we are also using Azure AD Connect and syncing password hashes. We have an on-prem Citrix ADC app that is public facing. We needed to do auth for that app with Azure AD and ultimately turn on MFA. We have configured everything based on the documentation; unfortunately, when a user tries to connect to the on-prem app, it forwards them to login.microsoftonline.com, but then it goes to on-prem ADFS, where it prompts for a password, and then goes back to login.microsoftonline.com for a token. We wanted to avoid on-prem ADFS. Is there any way to skip that step and just authenticate within Azure AD?
Thanks


sikumars answered, sikumars commented

Hello,

A PRT is issued to users only on registered devices, which enables single sign-on (SSO) across the applications used on registered devices such as Hybrid Azure AD joined devices. But in the case of PHS or PTA seamless single sign-on (SSO), users can still experience seamless sign-on without even registering devices in Azure AD.

Refer to this article: SSO via primary refresh token vs. Seamless SSO

There are different scenarios for when a PRT gets an MFA claim. This functionality provides a seamless experience to users by preventing an MFA challenge for every app that requires it.

Here is the list of supported browsers for Azure AD Connect (PTA/PHS) seamless single sign-on (SSO):
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso#feature-highlights

Hope this helps.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


Hello @DomEth-1666,

Just checking in to see if the answer below helped. If this answers your query, please don't forget to click "Accept the answer" and up-vote it, which might be beneficial to other community members reading this thread. And if you have any further query, do let us know.

Thanks,

sikumars answered

Hello @DomEth-1666,

Thanks for reaching out.

This is expected behavior when you have federated domain accounts and sign in to Azure AD while accessing an integrated application.

Read this article to learn more: "What is federation with Azure AD?"

You can verify all federated domain names in Azure AD by going to "Custom domain names" in the menu of the Azure AD portal, as shown below. If you see a checkmark under Federated, those domain names are federated.

[screenshot: Custom domain names in the Azure AD portal]

Looking at your scenario, it seems you have federation in place with Active Directory Federation Services (AD FS) and have optionally configured password hash synchronization as a backup.

If you want to skip federation authentication (ADFS) and just authenticate within Azure AD, then you have either of these ways for users synchronized from on-premises:

Remove federation and then configure password hash synchronization with Azure AD or pass-through authentication with Azure AD.

To learn more, read:
Migrate from federation to password hash synchronization for Azure Active Directory
Migrate from federation to pass-through authentication for Azure Active Directory

Alternatively, a simple test would be to create a cloud-only account with a non-federated domain in Azure AD and test the behavior.

Hope this helps.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.



det-1666 answered, sikumars commented

Hello,
thank you for your reply. I found out also that due to ADFS federation this is expected behavior. Unfortunately, we are not ready to move to cloud auth yet. But I was thinking to test out the staged rollout migration below:

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-staged-rollout

My main objective is to skip ADFS login and live in Azure AD for auth. So I was thinking to do option A: PHS + seamless SSO, but currently I have not configured seamless SSO. So if I turn on both, will it work? Also, my question is why this is still in preview? Will it ever become GA?


Yes, it should work, and I'm glad to share that staged rollout is GA now.

https://techcommunity.microsoft.com/t5/azure-active-directory-identity/confidently-modernize-to-cloud-authentication-with-azure-ad/ba-p/1994709#.YGt6oRaZD6g.linkedin

Hope this helps.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

det-1666 answered, det-1666 edited
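The two checks discussed above (which domains are federated, and what staged rollout is already scoped) can be done from PowerShell instead of the portal. This is an added example, not code from the thread; it assumes the AzureAD PowerShell module and a session already opened with Connect-AzureAD, and the UPN used at the end is a constructed sample.

```powershell
# Added example: inventory federated domains and staged-rollout policies in an
# Azure AD tenant using the AzureAD module (assumes Connect-AzureAD was run).

# 1. Domain authentication type. "Federated" means sign-ins for that UPN suffix
#    are redirected to the on-prem IdP (ADFS); "Managed" means PHS/PTA in Azure AD.
$domains = Get-AzureADDomain | Select-Object Name, AuthenticationType, IsVerified, IsDefault
$domains | Format-Table -AutoSize

$federated = $domains | Where-Object { $_.AuthenticationType -eq 'Federated' }
if ($federated) {
    Write-Host "Federated domains (sign-in redirects to ADFS):" -ForegroundColor Yellow
    $federated | ForEach-Object { Write-Host "  $($_.Name)" }
} else {
    Write-Host "No federated domains: all sign-ins stay in Azure AD." -ForegroundColor Green
}

# 2. Staged rollout policies: which cloud-auth feature (PasswordHashSync,
#    PassthroughAuthentication, SeamlessSso) is enabled and for which groups.
#    Users in a scoped group are authenticated in the cloud even though their
#    domain stays federated; everyone else still goes to ADFS.
Get-AzureADMSFeatureRolloutPolicy |
    Format-List DisplayName, Feature, IsEnabled, AppliesTo

# 3. Helper: given a UPN, report where the password prompt will come from
#    based solely on the domain type (staged-rollout group membership is
#    not evaluated here).
function Get-SignInPath {
    param([string]$Upn, [object[]]$DomainList)
    $suffix = ($Upn -split '@')[-1]
    $match = $DomainList | Where-Object { $_.Name -eq $suffix }
    if (-not $match) { return "unknown domain '$suffix' (not in tenant)" }
    if ($match.AuthenticationType -eq 'Federated') { return 'ADFS (federated)' }
    return 'Azure AD (managed: PHS/PTA)'
}

# Constructed sample UPN; replace with a real user to check.
$sample = 'user@contoso.example'
Write-Host "$sample -> $(Get-SignInPath -Upn $sample -DomainList $domains)"
```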

Hello:

Thank you. I have one more question. As I said earlier, currently we have seamless SSO turned off. But somehow I noticed that accessing Citrix ADC (Azure AD as IdP) via Edge or IE bypasses ADFS and logs me in directly without asking for MFA. So is this expected due to the primary refresh token? If so, is seamless SSO only applicable to non-MS browsers, since IE and Edge are already behaving like seamless SSO? Also, specifically if you have turned on MFA, how is it secured when bypassing on Edge and IE?

Thanks
