This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(227.2, 48%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBB%3C/text%3E%3C/svg%3E)
Greetings,
We are running an on prem ADFS (version 2019). One of the main activities we use ADFS for is acting as an STS for our API via service to service communication. Our clients (API consumers) are configured as trusted claim providers, in other words, when they want to call our API through their API on behalf of their users, they present a SAML token that is originated from their IDP to our STS (ADFS) and in exchange they get another SAML token they can use to call our API. Furthermore the claims in the SAML token they receive from our STS has been enriched with acceptance transform ruleset, since our ADFS knows which IDP the token is originated from.
We would like to migrate away from ADFS but we need the above authentication flow to take place on prem. Can this be achieved using Entra ID in hybrid mode? Ideally we would like the administration interface to reside in the cloud but the actual authentication flow take place entirely without dependency on the cloud.
Hello @Bjarki Björgúlfsson - RB , my understanding is that you to migrate authentication the cloud keeping the on-premise service to service enriched token exchange flow using your client (trusted ) IDP. Is that correct?
Hello @Alfredo Revilla - Upwork Top Talent | IAM SWE SWA
I am focusing on the ADFS part that stores configuration for IDPs, certificates, relying parties and the claim transformation rules (and has to my understanding nothing to do with Active Directory). This information does not change very often. I would like to move the administration part to the cloud (when changes are needed in the configuration) but have the data synched on prem so that the authentication flow takes place on prem with synched data. The main goal is to keep our authentication flow working even though cloud connectivity is lost, furthermore we would like low latency in the auth flow, since most of our clients aren't coming from cloud env and we are on an island :) . It seems to me that this should be possible using the migration guide I linked in a previous comment but as a prerequisite installing entra connect on prem. Maybe you can confirm?
Hello @Bjarki Björgúlfsson - RB , althought you can keep user authentication on-premise implenting Microsoft Entra pass-through authentication, the STS will still be cloud-only. The option then is to keep ADFS as the on-premise STS and federate Entra ID with the former.
Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.
Thanks for your question and for accepting my answer @Bjarki Björgúlfsson - RB . Please also rate it. It will help us provide a better experience. Let us know if you need any additional help!
Hello @Bjarki Björgúlfsson - RB
Yes, it is possible to achieve a similar authentication flow using Microsoft Entra ID in hybrid mode.
Microsoft Entra ID’s hybrid identity solution creates a common user identity for authentication and authorization to all resources, regardless of location.
This is accomplished through provisioning and synchronization. In the hybrid mode, you can configure Microsoft Entra hybrid join. This allows your devices to maximize user productivity through single sign-on (SSO) across your cloud and on-premises resources. You can also secure access to your resources with Conditional Access.
However, please note that the specifics of your implementation may vary based on your organization’s needs and existing infrastructure.
I hope this answers your question.
Thanks for a swift answer @Pinaki Ghatak !
Are you sure this covers the scenario I just described in my original question? I watched the demo video and it is focused on AD join assuming everything is stored in AD, however my understanding of ADFS is that it is a standalone addon to Active Directory so to speak, storing all IDP and STS configuration in an MSSQL database. We are running MSSQL on prem as it is required to be able to run ADFS. I'm not convinced that the configuration stored in MSSQL is easily migrated to Entra Id? Can you elaborate on that?
I did find this migration guide:
however I don't understand if this means cloud only migration or if it is possible to migrate into a hybrid setup performing authentication on prem using Entra Id.