JFH-2484 asked ·

Mix ADFS and Azure AD for authentication

Hi, we use ADFS 3.0 for O365 and some 3rd-party web apps. Now we're implementing a new website. My original idea was to just add it to our ADFS, but now the project has decided that it needs 2FA. In the future I see all our apps authenticating in Azure AD, but I can't move them right now. Therefore I'd prefer to keep the current apps in ADFS but add the new app to Azure AD with PTA and MFA. Can I somehow use Azure AD for authentication on my new app and still authenticate O365 in ADFS? //Johan

azure-active-directory

amanpreetsingh-msft answered ·

@JFH-2484 Yes, you can do that. If you have O365 federated with ADFS and you federate an application with Azure AD, the authentication flow would be:

  1. User accesses the application which is federated to Azure AD.

  2. Application will redirect to Azure AD authentication endpoint (https://login.microsoftonline.com) for authentication.

  3. User will be prompted for credentials.

  4. Based on the UPN suffix (If the domain is federated with ADFS), user will be redirected to ADFS.

  5. ADFS will authenticate the user and issue a WS-Fed token to Azure AD.

  6. Azure AD will receive the token and issue a SAML token to the application.

  7. User will finally get access to application.


Please "accept as answer" or "vote as helpful" wherever the information provided helps you to help others in the community.



2 comments

Thank you Amanpreetsingh for your answer.

So you are saying that because UPN is a federated domain, authentication must happen on the onprem ADFS?

I was hoping for some way to "tell" the Azure AD authentication endpoint that it should handle the authentication in Azure and not redirect to on-prem ADFS.

Otherwise I guess I need MFA in ADFS?


Yes, you would need MFA in ADFS. You can configure Azure MFA with ADFS 2016 or later. Refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa for more details.

michev answered ·

Both federation and PTA are domain-wide features, so they generally apply to all users. There's however a preview of the so-called "staged rollout" feature, which allows you to switch just some users from federation to other auth types. Read here: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-staged-rollout
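The routing decision described in both answers (Azure AD's home-realm discovery sending users of a federated domain to ADFS, and staged rollout exempting selected users) can be modelled as a small decision function. This is an added illustration, not code from the thread or from Microsoft; the tenant layout, the UPNs and the `adfs_requires_mfa` flag are constructed assumptions.

```python
"""Model of where a sign-in is verified when an app is federated with Azure AD.

Mirrors the thread: the app always redirects to Azure AD; Azure AD looks at the
UPN suffix and, for a federated domain, hands the user to on-prem ADFS unless the
user is in a staged-rollout group. Constructed example, not Microsoft code.
"""
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class TenantConfig:
    # Verified domain suffix -> "Federated" or "Managed" (a domain-wide setting).
    domain_auth: Dict[str, str]
    # UPNs moved to cloud auth (PTA/PHS) via staged rollout; empty = feature unused.
    staged_rollout_users: Set[str] = field(default_factory=set)
    # Assumption: whether ADFS has been configured to enforce Azure MFA itself.
    adfs_requires_mfa: bool = False


def route_sign_in(upn: str, app_requires_mfa: bool, cfg: TenantConfig) -> dict:
    """Return which IdP checks the credential and whether the app's MFA need is met."""
    local_part, _, suffix = upn.partition("@")
    suffix = suffix.lower()
    if not local_part or suffix not in cfg.domain_auth:
        raise ValueError(f"{upn!r} is not a user of a verified tenant domain")

    in_rollout = upn.lower() in {u.lower() for u in cfg.staged_rollout_users}
    if cfg.domain_auth[suffix] == "Federated" and not in_rollout:
        # ADFS verifies the password and returns a WS-Fed token to Azure AD;
        # MFA is only satisfied if ADFS enforces it (the comment thread's fallback).
        idp, mfa_done = "ADFS", cfg.adfs_requires_mfa
    else:
        # Managed domain or staged-rollout user: Azure AD verifies the credential
        # and can apply Azure MFA before issuing the app token (assumed enabled).
        idp, mfa_done = "AzureAD", True

    return {
        "idp": idp,
        "mfa_satisfied": mfa_done or not app_requires_mfa,
        "app_token": "SAML",  # what Azure AD issues to the application
    }
```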
