Migrating away from on prem ADFS to Entra ID still authenticating on prem.

Bjarki Björgúlfsson - RB 20 Reputation points


We are running an on-prem ADFS (version 2019). One of the main activities we use ADFS for is acting as an STS for our API via service-to-service communication. Our clients (API consumers) are configured as trusted claim providers; in other words, when they want to call our API through their API on behalf of their users, they present a SAML token that originated from their IDP to our STS (ADFS), and in exchange they get another SAML token they can use to call our API. Furthermore, the claims in the SAML token they receive from our STS have been enriched with an acceptance transform rule set, since our ADFS knows which IDP the token originated from.

We would like to migrate away from ADFS, but we need the above authentication flow to take place on prem. Can this be achieved using Entra ID in hybrid mode? Ideally we would like the administration interface to reside in the cloud, but the actual authentication flow to take place entirely without dependency on the cloud.


Accepted answer
  1. Alfredo Revilla (MSFT) 26,756 Reputation points

    Hello @Bjarki Björgúlfsson - RB, although you can keep user authentication on-premises by implementing Microsoft Entra pass-through authentication, the STS will still be cloud-only. The option then is to keep ADFS as the on-premises STS and federate Entra ID with the former.

    Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.

    1 person found this answer helpful.

1 additional answer

  1. Pinaki Ghatak 2,150 Reputation points Microsoft Employee