onprem ADFS Conditional Access policies

skip hofmann 46 Reputation points

Hello all

We are currently using ADFS 2.0. We are federated with O365 and Azure using Azure AD Connect and onprem ADFS. We are doing DUO MFA onprem via ADFS claims rule. My question is can we take full advantage of CA policies if we are still using onprem ADFS onprem for authentication ?

Active Directory Federation Services
Active Directory Federation Services
An Active Directory technology that provides single-sign-on functionality by securely sharing digital identity and entitlement rights across security and enterprise boundaries.
1,215 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,182 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Pierre Audonnet - MSFT 10,166 Reputation points Microsoft Employee

    ADFS 2.0 is running only on unsupported OSes. So I would start by updating your ADFS farm. It is documented: here (note that it is the pretty much the same process to move from ADFS 2.0 to Windows Server 2012 R2 ADFS or 2016 or 2019).

    That said, you have two main roads here.

    You can configure Azure AD to redirect users to your on-premises ADFS farm and DUO provider to perform MFA. That way, if you create a conditional access policy that enforces MFA to access let say SharePoint Online, when a user accesses SharePoint and did not do MFA, Azure AD will redirect the user to ADFS. The user will not have to provide username or password but just perform the MFA. This is done by enabling the -SupportMFA flag on the federation settings with the MSOnline PowerShell module.

    Or you can configure DUO as a custom MFA provider in Azure AD. It is documented on their website. That way you don't need to use your MFA provider on ADFS at all (at least not for the Azure AD relying party trust). And you let everything being managed in the cloud.

    On that second point, you could go one step further and not use ADFS at all if you can for Azure AD. ADFS is not a requirement anymore to have a Single Sign-On experience for your users. Have a look at this: Azure Active Directory Seamless Single Sign-On.