
0 Votes
NithyanandhamSingaravadivelu-7333 asked SimonBurbery-9608 edited

Change Authentication method from PHS to ADFS

Hi All,

The requirement is to convert the authentication method for users from PHS to ADFS, then set PHS as the backup method of authentication in case of ADFS failure.

We have the existing ADFS setup in place without federation between on-premises and Azure AD, and we have the latest version of the Azure AD Connect server running (2.1.1.0), but I wanted to understand: do we have any options in the Azure AD Connect server to federate multiple top-level domains, or is the recommended method only to go with PowerShell, i.e. Convert-MSOLDomainToFederated with -SupportMultipleDomain for all the verified domains?

Please share your thoughts.

azure-active-directory, azure-ad-connect

0 Votes
AndyDavid answered

Well, um. My thoughts, honestly. Why would you do this? If you are using PHS now, why go back to ADFS?


0 Votes
NithyanandhamSingaravadivelu-7333 answered

Hi Andy,

The decision was made by our top management and I cannot change it, unfortunately. Also, they have the existing ADFS infrastructure in place and now they want to enable federation between on-premises ADFS and Azure AD.


0 Votes
SimonBurbery-9608 answered

I agree with Andy - we have been moving clients away from ADFS to the more modern auth methods for the last couple of years now. If you need to honour user account expiry AD Connect can now be configured to do this with PHS, but if there is a hard requirement to use your on-premises AD for authentication, use PTA.


0 Votes
SimonBurbery-9608 answered SimonBurbery-9608 edited

If you have to do it (I would try and explain that the 'trend' is to move away from ADFS these days!)... here are the commands I used a few years back for what sounds like a similar setup (you can perform initial configuration via AD Connect and use commands as needed)

# Load the MSOnline module and sign in to the tenant with Global Administrator credentials
Import-Module MSOnline
$domain = 'domain'   # the verified custom domain to federate, e.g. 'contoso.com'
$cred = Get-Credential
Connect-MsolService -Credential $cred

To redirect to ADFS...

# Switch the domain from Managed to Federated (run from the ADFS server, or after Set-MsolADFSContext)
Convert-MsolDomainToFederated -DomainName $domain
# -SupportMultipleDomain gives each federated domain its own IssuerUri so several
# top-level domains can share one ADFS farm
Set-MsolFederatedDomain -DomainName $domain -SupportMultipleDomain

# Verify the result on both sides (tenant and ADFS)
Get-MsolDomain
Get-AdfsRelyingPartyTrust
Get-MsolFederationProperty -DomainName $domain
Get-MsolDomainFederationSettings -DomainName $domain

To Roll Back...

# Revert the domain to Managed so PHS takes over authentication again
Set-MsolDomainAuthentication -Authentication Managed -DomainName $domain

enable device registration

# Run on the ADFS server to enable device registration
Initialize-ADDeviceRegistration

Add Chrome and Firefox to SSO

# Show the current Windows Integrated Authentication user-agent list, then append the browsers
Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUserAgents
Set-AdfsProperties -WIASupportedUserAgents ((Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUserAgents) + "Chrome" + "Mozilla/5.0" + "Edge/12")

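As an added example (not code from the thread), the script below inventories the tenant's verified domains, shows which are Managed (PHS/PTA) or Federated, and flags federated domains whose IssuerUri is not derived from the domain name, which is the sign that -SupportMultipleDomain was not applied when several top-level domains share one ADFS farm. It assumes the MSOnline module is loaded and Connect-MsolService has already run; the function name and its switch are hypothetical.

```powershell
# Added example: federation inventory and multi-domain check (not from the thread).
# Assumes: Import-Module MSOnline and Connect-MsolService have already been run.

function Get-FederationReport {
    param(
        # Hypothetical switch: also list domains that are not yet verified
        [switch]$IncludeUnverified
    )
    $domains = Get-MsolDomain
    if (-not $IncludeUnverified) {
        $domains = $domains | Where-Object { $_.Status -eq 'Verified' }
    }

    foreach ($d in $domains) {
        $row = [ordered]@{
            Domain         = $d.Name
            Authentication = $d.Authentication   # 'Managed' (PHS/PTA) or 'Federated'
            IssuerUri      = $null
            MultiDomainOk  = $null
        }
        if ($d.Authentication -eq 'Federated') {
            $fed = Get-MsolDomainFederationSettings -DomainName $d.Name
            $row.IssuerUri = $fed.IssuerUri
            # With -SupportMultipleDomain the IssuerUri is built from the domain name
            # (http://<domain>/adfs/services/trust/), so each federated domain is unique.
            # A shared ADFS-host IssuerUri across domains means the switch was not used.
            $row.MultiDomainOk = ($fed.IssuerUri -like "*$($d.Name)*")
        }
        [pscustomobject]$row
    }
}

$report = Get-FederationReport
$report | Format-Table -AutoSize

# Federated domains that would have to be reverted with
# Set-MsolDomainAuthentication -Authentication Managed if ADFS becomes unavailable
$report | Where-Object { $_.Authentication -eq 'Federated' } |
    Select-Object -ExpandProperty Domain
```

Run it before and after the conversion: beforehand every domain should show Managed, afterwards each converted domain should show Federated with MultiDomainOk set to True.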