switching between PHS and ADFS

I am testing switching between ADFS and PHS in my test environment. The authentication was originally set up as ADFS and I was able to switch to PHS by using AD Connect alone (without needing to use the Set-MsolDomainAuthentication cmdlet). I then rolled back to ADFS by using Convert-MsolDomainToFederated and that is also working. Get-MsolDomain showed the domain is federated and I was redirected to the ADFS page to sign in. However, when I try to switch from ADFS to PHS the second time, the user sign-in option is already set to PHS in AD Connect. I can't change from ADFS to PHS with the options in the AD Connect wizard. Can someone explain what I missed during these changes?

Thanks

Tags: azure-ad-password-hash-sync, adfs-to-aad-migration

@HKG-7714,

Thanks for reaching out.

I believe this is because of the wizard's cache, so it's always best to close the Azure AD Connect wizard completely and reopen it in such scenarios when switching the sign-in option. Hope this helps.

HKG-7714 answered

Thanks,

I don't think this is a cache issue. I rebooted the AD Connect server and it is still seeing PHS as the sign-in option. I actually selected the "Do not configure" option and chose PHS again, and the Next button became available. I continued the wizard and it completed successfully. At the end, it stated that the sign-on method is set to Password Hash Synchronization. However, when checking with Get-MsolDomain, the domain is still showing as federated and I am still being redirected to the ADFS sign-in page.


HKG-7714 answered

I assume I can still use the Set-MsolDomainAuthentication cmdlet to perform the switch. I just want to understand the details before doing this in the production environment.


sikumars answered MartinHansen-9263 published

Thanks for sharing more context.

This is expected behavior when using the Azure AD Connect wizard and the PowerShell Msol cmdlets (such as Convert-MsolDomainToFederated / Set-MsolDomainAuthentication) in combination for switching between PHS and ADFS, because once you use the PowerShell cmdlets, the Azure AD Connect wizard stops managing federation for you.

Let's say ADFS was initially configured and federated via Azure AD Connect, and later switched from federation to PHS (Password Hash Synchronization) via Azure AD Connect; there is no discrepancy up to this point. But if you then use PowerShell cmdlets like Convert-MsolDomainToFederated to revert back to ADFS federation rather than using the sync wizard, Azure AD Connect is unaware of these changes and will continue to use PHS as a backup alongside federation.

Screenshot from my environment: you can see that the domain was federated using Convert-MsolDomainToFederated, but Azure AD Connect continues to use PHS as a backup because it was previously managed via Azure AD Connect.
(screenshot: 168729-image.png)

However, at this stage the primary authentication for user sign-in would be ADFS federation, while PHS continues to be a backup. You can always run "Customize synchronization options" to remove this optional PHS feature, as shown below:

(screenshot: 168784-image.png)


So to avoid such situations, use the Azure AD Connect wizard to switch between PHS and ADFS, rather than mixing it with PowerShell. Here are detailed steps to switch back to federation by using the wizard.

To learn more, refer to the following articles. Hope this was helpful.

Migrate from federation to cloud authentication: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/migrate-from-federation-to-cloud-authentication
Setting up PHS as backup for AD FS in Azure AD Connect: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tutorial-phs-backup


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
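As an added check that is not part of any post in this thread (my own script, not Microsoft's), the following PowerShell audits one domain for exactly the mismatch described above: what Azure AD reports for the domain (Managed vs. Federated) compared with whether Azure AD Connect still has PHS enabled as a backup. It assumes the MSOnline module is installed, that it is run in an elevated session on the Azure AD Connect server (so the ADSync module is available), and that the domain name is a verified custom domain.

```powershell
# Added example: audit the Azure AD vs. AD Connect view of a domain's
# sign-in method. Assumptions: MSOnline + ADSync modules present, run on
# the Azure AD Connect server with admin rights, interactive MSOL sign-in.
param(
    [Parameter(Mandatory = $true)]
    [string]$DomainName   # e.g. contoso.com (placeholder; use your verified domain)
)

Import-Module MSOnline -ErrorAction Stop
Import-Module ADSync   -ErrorAction Stop   # only present on the AD Connect server

Connect-MsolService   # sign in as a Global Administrator

# 1. What Azure AD thinks: 'Managed' (cloud auth such as PHS) or 'Federated'.
$domain    = Get-MsolDomain -DomainName $DomainName
$azureAuth = $domain.Authentication

# 2. Whether AD Connect still has the PHS feature enabled for the tenant.
$features   = Get-ADSyncAADCompanyFeature
$phsEnabled = [bool]$features.PasswordHashSync

Write-Host "Azure AD authentication for $DomainName : $azureAuth"
Write-Host "AD Connect PasswordHashSync feature      : $phsEnabled"

if ($azureAuth -eq 'Federated') {
    # Show where browser sign-ins are actually being redirected.
    $fed = Get-MsolDomainFederationSettings -DomainName $DomainName
    Write-Host "Passive logon URI (AD FS)                : $($fed.PassiveLogOnUri)"
    if ($phsEnabled) {
        Write-Warning ("Domain is federated but PHS is still enabled in AD Connect. " +
            "This is the 'PHS as backup' state from the thread; if unintended, clear " +
            "the Password hash synchronization optional feature in the wizard.")
    }
}
elseif ($azureAuth -eq 'Managed' -and -not $phsEnabled) {
    Write-Warning ("Domain is managed (cloud authentication) but PHS is disabled in " +
        "AD Connect: synced users would have no password hash to sign in with.")
}
else {
    Write-Host "Azure AD and AD Connect agree on the sign-in method."
}
```

Run it once before and once after each switch (wizard or cmdlet) so the two views are compared at every step rather than only when sign-in breaks.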



I have the same issue, just the other way around. We want to change from ADFS to PHS, but from previous support cases it seems that PHS was enabled both in the optional features and as the sign-in method; yet we sign in using ADFS :D
Get-MsolDomain on ADFS returns federated authentication, and Azure AD reports federated as well, but AD Connect states otherwise.

Not sure how this happened, nor can I recollect any of this, because the last time we had a support engineer look at this was a few years ago now; we haven't had any issues with the ADFS servers for quite a while.

Any suggestions?

HKG-7714 answered NithyanandhamSingaravadivelu-7333 commented

Thanks for the detailed explanation.

I did read the ADFS to PHS documentation and it was a bit confusing. My ADFS was not set up by AD Connect originally. Rather, I set up the ADFS/WAP servers manually and then ran Convert-MsolDomainToFederated for federated authentication. I only used AD Connect for account synchronization.

For my first ADFS to PHS move, I only needed to use the AD Connect wizard for the change (without needing to run any PS cmdlet). This part actually confused me, as I was expecting to need the PS cmdlet because of the original setup. But it wasn't needed and the conversion was fine.

I then tried the rollback by using Convert-MsolDomainToFederated and it was fine too.

When I tried to do my second ADFS to PHS conversion, I started experiencing the problem I mentioned, and that was why I posted the question here. I ended up using Set-MsolDomainAuthentication to change to cloud authentication.

Anyway, my question now is: can I just rely on the PS cmdlets to switch from ADFS to PHS and vice versa, and only use AD Connect for other configuration such as password writeback, etc.? It seems to me that it is easier to manage authentication using PowerShell.

Thanks again for your help.


Apologies for the delayed response.

Yes. Either you can rely on the PowerShell cmdlets to switch federation and use AD Connect for other configuration, when you don't want AD Connect to manage federation, or, if you want AD Connect to manage federation, use the wizard to enable/disable federation rather than the PowerShell cmdlets, to avoid discrepancies.

But these are the benefits of managing ADFS federation through Azure AD Connect, which may help minimize some administration tasks when you have a large-scale environment with multiple ADFS servers:

  • Azure AD Connect updates all required claims in ADFS automatically when Hybrid Azure AD join is enabled for your environment.

  • You get the option to update the ADFS SSL certificate through the Azure AD Connect wizard, so that the sync engine updates the SSL certificate on all of your ADFS and WAP servers automatically rather than you doing it manually.

  • You can install additional ADFS/WAP servers in the existing farm remotely through the AD Connect wizard.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


Hi @sikumars-msft,

I know that you have already answered the actual question; however, I would like to ask my authentication-related question in this same thread, because I have not been able to find the answer anywhere.

The requirement is to convert the authentication method for users from PHS to ADFS, then set PHS as the backup method of authentication in case of ADFS failure. We have an existing ADFS setup in place without federation between on-premises and Azure AD, and we have the latest version of the Azure AD Connect server running, but I wanted to understand: do we have any option in the Azure AD Connect server to federate multiple top-level domains, or is the recommended method only to go with PowerShell, i.e. Convert-MsolDomainToFederated with -SupportMultipleDomain for all the verified domains?

Please share your thoughts.
