This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 47%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
I have setup a new Azure AD Domain Services and an Azure VM running ADFS. I now want to connect ADFS to the Azure AD Domain Services.
I run the Active Directory Federation Services Configuration Wizard and the first step is to specify an account with domain administrator permissions to configure ADFS. When I enter an account that is a global administrator and a member of AAD DC Administrators, it gives me the following error:
The credentials provided is not a domain administrator. Provide a credential that is a member of the Domain Admins group and try again.
I cannot find the Domain Admins group in Azure and when I try and this group using the AD Remote Admin tools, it gives me the following error:
You do not have permission to modify the group myadfs.onmicrosoft.com/Users/Domain Admins.
How to I create an account that is part of the Domain Admins group so that I can use it to configure ADFS?
Note that this is a new Azure cloud-only setup with no existing AD services or users.
Hi,
In your on-premises server, open a command prompt and type whoami. See the name shown there. It should be domainname\username. If you see that as servername\username, you logged in as local administrator. So login as domainname\administrator and try again to setup the Federation service.
Thanks,
Manu
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 45%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJV%3C/text%3E%3C/svg%3E)
this will work 100%, for many years, this is how we are setting up our lab
Thanks for your response. We don't have an on-premises server, we want an Azure cloud-user only environment.
Hello @Joe ,
Could you please try the steps I mentioned in the Azure VM and see how it shows. Here, your on-premises server is Azure VM itself
Regards,
Manu
Ah, I see. OK, I'm logging into the Azure VM with remote desktop and I have tried the following as usernames:
username@myadfs.onmicrosoft.com
myadfs.onmicrosoft.com\username
username
When I run whoami for each of these, I always get myadfs\username so I assume I am logged in as the local admin.
How to I login as domainname\administrator when using remote desktop?
Hello @Joe ,
You have to create an AAD DS in azure portal and join your vm to the domain. As you don't have domain associated in on-premises or Azure, you need to join the VM to a domain. Then you can follow the procedure as I mentioned
Regards,
manu
AAD DS has been created and I have a domain in the format myadfs.onmicrosoft.com. I have joined the ADFS VM to this domain and am able to login with remote desktop using accounts created in Azure AD. If I run whoami, the response is in the following format:
myadfs\admin
Does this mean I am logged in as a local administration? As far as I can tell, I seem to be logged in with a domain account.
However, even though this account is global administrator in Azure and a member of AAD DC Administrators, I still get this error when I try and use to connect ADFS to AD DS:
The credentials provided is not a domain administrator. Provide a credential that is a member of the Domain Admins group and try again.
There seems to be no way to make this account a member of Domain Admins (like you can with on-premise AD).
Any other ideas?
Hi
Azure AD has no domain controllers that you can see or manage, and no "Domain admins" group !
So I have never seen the use of ADFS servers in that way.
And Azure AD can be configured to propose "claims/SAML 2.0" tokens without the need of ADFS Servers.
ADFS servers can only be used installed on Windows Servers integrated in a "true" forest/domain managed by usual Windows servers.
ADFS servers can be configured automatically for Office 365/Azure AD when you have ADConnect synchronizing from AD Forest/domain to Azure AD.
Where/why /for which application do you think that you need ADFS Servers?
You can find here a sample use of adfs with Azure. Servers can be hosted on Azure, but not connected directly with AzureAD.
Regards,
Thanks very much for you explanation, it makes much more sense now!
We want to use a specific authentication plugin for ADFS so can't use the SSO capability of Azure AD.
I now understand that it is not possible to connect ADFS directly to Azure AD but it should be possible to do what we want if we take a different approach.
Baring in mind that this is a brand new service with no pre-existing users that we want to be cloud-only, is there any reason why this wont work?
Are there any errors in this logic? I understand that there is no resilience and normally ADFS and ADDC would be on different servers but for a dev setup, would this work?
Hi,
As I understood the purpose, you need a VM in azure as domain controller and sync to Azure using ADFS. In that case, you need to create a domain controller in the VM you have allocated in Azure and use Azure AD connect tool to sync to Azure AD
Thanks,
Manu
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 28.999999999999996%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMC%3C/text%3E%3C/svg%3E)
@Joe , Azure Ad Domain Services does not support ADFS. See the following for an explanation
35347627-ability-to-deploy-adfs-with-azure-ad-domain-servic
You need to create your own domain controllers in Azure. You can use the Azure Quickstart template to do this quickly and easily.
Hi there, a but of a side question... But why would you implement ADFS in this context? Azure AD can play the role of the IDP for SAML/WS-Fed and OAuth/OIDC flow. What is the scenario that make you want install ADFS and connect it to an Azure AD DS domain controller?
We have a specific ADFS Authentication plugin we want to use. As far as I can see, it is not possible to add custom authentication methods to Azure AD (please correct me if I am wrong).
Well, it depends, what do you call plug-in in your context?
The authentication plugin is based on this:
The requirement for the authentication integration are as follows:
From my research, it seems that only ADFS provides the ability to do this. If it is possible to do this with just Azure AD without ADFS, that would be fantastic! I would be very happy if you could point me to something that shows that this is possible.
Nope. Azure AD does support OTP and various MFA options, and CAP also allows a bunch of other things (such as ToU or session control). Which might be good enough depending on what you are trying to achieve (not from a technical standpoint but from a functionality perspective). But if you are tied with that technical specs, Azure AD does not provide that level of customization.
OK, thanks for the confirmation.
So, tell me more :) I am curious! What is the API call doing before and after? We are talking MFA right? What does the custom JS interaction look like?
OK :) This is the iProov biometric web solution that we want to offer as an MFA option (as we do currently using ADFS). It uses the camera on the device to create a unique one-time biometric by illuminating the face with a unique sequence of colour while streaming a short video for analysis.
The backend integration requires an API call upfront to create a session for a user and then again at the end to validate the result provided by the client. The frontend integration requires including the JavaScript Web SDK and then rendering or injecting a Web Component.
We would absolutely love to have an Azure AD only solution as this has been requested by a customer. Making use of ADFS in this case is far from ideal as there is no user writeback functionality in AD Connect so all user registration would need to be into the "on-prem" AD to keep everything in sync.
OK :) This is the iProov biometric web solution that we want to offer as an MFA option (as we do currently using ADFS). It uses the camera on the device to create a unique one-time biometric by illuminating the face with a unique sequence of colour while streaming a short video for analysis.
The backend integration requires an API call upfront to create a session for a user and then again at the end to validate the result provided by the client. The frontend integration requires including the JavaScript Web SDK and then rendering or injecting a Web Component.
We would absolutely love to have an Azure AD only solution as this has been requested by a customer. Making use of ADFS in this case is far from ideal as there is no user writeback functionality in AD Connect so all user registration would need to be into the "on-prem" AD to keep everything in sync.
Any ideas for better approaches would be very welcome.
That is very interesting! Thanks for sharing!