
1 Vote
StuartFrakes-1566 asked · ScottCarson-9572 commented

Unable to configure ADFS on AADDS joined server

Hi
It seems I cannot configure ADFS on an AADDS joined server, as it's not possible to add my user account to the Domain Admins group. Does anyone know of a workaround for this, or is it just not possible in AADDS?
Seems a bit ridiculous that it's not.
Thanks

Tags: windows-server, azure-active-directory, windows-active-directory

Agreed, this is a real problem. The only real gating factor is that there's a check somewhere that is failing because it's just plain wrong. Of course you're a domain admin.

For the Microsoft people - why wouldn't AD FS be supported in this scenario? I can see where it would have only limited utility, but one big thing it does is serve as a claims translator that connects an ID provider (e.g., Ping, AAD) to applications running in the AAD DS domain. In other words, those applications run in a domain so they can be managed internally, but the identity context for external users doesn't have anything to do with Windows authentication. AD FS is the service that bridges the outside identity with the applications.

This might seem like an edge case, but I assure you, it's not.

0 Votes

1 Vote
MarileeTurscak-MSFT answered · MarileeTurscak-MSFT edited

Hi @StuartFrakes-1566,

The ADFS service account only requires Domain Administrator privileges during the installation for the first ADFS server of the ADFS farm. So if you want to change the service account role on ADFS, the service account used for ADFS can be a regular domain user with no privileges on Active Directory.

You can follow the guide, Creating an AD FS Farm without domain admin privileges, but you still need a Domain Admin account for the initial setup.

If you provide more details about your scenario I would be happy to bubble this up with the product team!

EDIT:

As other answerers have pointed out, ADFS is also not supported with AADDS. (I was focused on addressing the credential question and neglected the AADDS portion.) But regardless of how you configure ADFS, you also need Domain Admin credentials for the initial setup.

1 Vote
ZollnerD answered

AADDS isn't meant to be a full replacement for on-prem Windows Server AD. You cannot get Domain Administrator or Enterprise Administrator access, as this is a managed ADDS instance primarily meant for things that need legacy auth (Kerberos/NTLM) and LDAP support.

You'll need your own Windows Server Active Directory instance (not AADDS) to use ADFS. I'd suggest reconsidering what the goal you're trying to accomplish is with ADFS, and if the same can be accomplished with Azure AD natively.

1 Vote
MrSbaa answered · ScottCarson-9572 commented

ADFS is not supported with AADDS. ADFS is meant for Active Directory (AD) environments. I would highly recommend taking a look at Azure AD SSO, which is serverless and much easier to deploy.

https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/what-is-single-sign-on


There's more to AD FS than just doing single sign-on with the domain identity, such as claims translation from an external ID provider. And there's a perfectly good use case for having a set of machines managed as a domain that run applications that are relying parties of AD FS. In fact, it's a pretty obvious use case for anyone transitioning legacy applications to Azure. Azure AD SSO doesn't serve the same functions.

0 Votes