ADFS and Azure AD

det103 81 Reputation points
2021-04-02T17:32:22.473+00:00

Hello:

We have on-prem ADFS and we are also using Azure AD Connect and syncing password hashes. We have an on-prem Citrix ADC app that is public facing. We needed to do auth for that app with Azure AD and ultimately turn on MFA. We have configured everything based on the documentation; unfortunately, when a user tries to connect to the on-prem app it forwards them to login.microsoftonline.com, but then it goes to on-prem ADFS where it prompts for a password, then goes back to login.microsoftonline.com for the token. We wanted to avoid on-prem ADFS. Is there any way to skip that step and just authenticate within Azure AD?
thanks

Microsoft Security | Active Directory Federation Services
Microsoft Security | Microsoft Entra | Microsoft Entra ID

Answer accepted by question author
  1. Siva-kumar-selvaraj 15,731 Reputation points Volunteer Moderator
    2021-04-07T19:06:51.457+00:00

    Hello,

    A PRT is issued to users only on registered devices, which enables single sign-on (SSO) across the applications used on registered devices such as hybrid Azure AD joined devices. But in the case of PHS or PTA with seamless single sign-on (SSO), users can still experience seamless sign-on without even registering devices with Azure AD.

    Refer to this article: SSO via primary refresh token vs. Seamless SSO

    There are different scenarios for when a PRT gets an MFA claim. This functionality provides a seamless experience to users by preventing an MFA challenge for every app that requires it.

    Here is the list of supported browsers for Azure AD Connect (PTA/PHS) seamless single sign-on (SSO):
    https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso#feature-highlights

    Hope this helps.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
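The accepted answer turns on device state: a browser on a registered device can sign in silently with a PRT, while seamless SSO is a separate mechanism that works from domain-joined machines. The quickest way to see which of the two a given Windows client can use is `dsregcmd /status`. The script below is an added example, not code from the thread or from Microsoft; it parses that command's output (the field names `AzureAdJoined`, `DomainJoined`, `AzureAdPrt` and `AzureAdPrtUpdateTime` are the ones dsregcmd prints) and summarises the expected browser sign-in behaviour. The sample output embedded at the bottom is constructed so the parser can be tried without a real machine.

```powershell
# Added example. Parses `dsregcmd /status` to show whether the device holds a
# Primary Refresh Token (PRT), which is what lets Edge/IE sign in to Azure AD
# silently without going through AD FS.
function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)

    $fields = @{}
    foreach ($line in $Lines) {
        # Status lines have the shape "    AzureAdJoined : YES"; box-drawing
        # and section-title lines do not match and are skipped.
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    $domainJoined = $fields['DomainJoined'] -eq 'YES'
    $aadJoined    = $fields['AzureAdJoined'] -eq 'YES'
    $hasPrt       = $fields['AzureAdPrt']    -eq 'YES'

    # What an Azure AD sign-in from Edge/IE on this device will look like
    $browserSignIn = if ($hasPrt) {
        'Silent via PRT (no AD FS password prompt; MFA prompt depends on the PRT MFA claim)'
    } elseif ($domainJoined) {
        'No PRT: silent only if Azure AD Connect seamless SSO is enabled and the browser is supported'
    } else {
        'Interactive sign-in'
    }

    [pscustomobject]@{
        DomainJoined        = $fields['DomainJoined']
        AzureAdJoined       = $fields['AzureAdJoined']
        HybridAzureAdJoined = $domainJoined -and $aadJoined
        AzureAdPrt          = $fields['AzureAdPrt']
        PrtUpdateTime       = $fields['AzureAdPrtUpdateTime']
        TenantName          = $fields['TenantName']
        BrowserSignIn       = $browserSignIn
    }
}

function Get-DeviceSsoState {
    # Runs dsregcmd on the local machine; only meaningful on a Windows 10/11 client.
    if (-not (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue)) {
        throw 'dsregcmd.exe not found; this check only runs on a Windows client.'
    }
    ConvertFrom-DsregStatus -Lines (& dsregcmd.exe /status)
}

# Constructed sample (trimmed) resembling the output from a hybrid Azure AD
# joined PC, so the parser can be exercised offline.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
                TenantName : Contoso

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : YES
      AzureAdPrtUpdateTime : 2021-04-06 18:02:11.000 UTC
'@ -split "`r?`n"

ConvertFrom-DsregStatus -Lines $sample | Format-List
# On a real client, run: Get-DeviceSsoState | Format-List
```

If `AzureAdPrt : YES` shows up, the silent sign-in seen in Edge/IE is the PRT at work and has nothing to do with the seamless SSO toggle in Azure AD Connect; whether MFA is re-prompted then depends on whether the PRT carries an MFA claim, which is the scenario list the answer links to.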


3 additional answers

  1. Siva-kumar-selvaraj 15,731 Reputation points Volunteer Moderator
    2021-04-05T10:41:30.88+00:00

    Hello @DomEth-1666,

    Thanks for reaching out.

    This is expected behavior when you choose federated domain accounts and sign in to Azure AD while accessing an integrated application.

    Read this article to learn more: "What is federation with Azure AD?"

    You can verify all federated domain names in Azure AD by going to "Custom domain names" from the menu in the Azure AD portal, as shown below. If you see a checkmark under Federated, it indicates those domain names are federated.

    (screenshot: the Custom domain names blade in the Azure AD portal, with the Federated column)

    Looking at your scenario, it seems you have in-place federation with Active Directory Federation Services (AD FS) and have optionally configured password hash synchronization as a backup.

    If you want to skip federation authentication (ADFS) and just authenticate within Azure AD, then you have either of the following ways for users synchronized from on-premises:

    Remove federation and then configure password hash synchronization with Azure AD or pass-through authentication with Azure AD.

    To learn more, read:
    Migrate from federation to password hash synchronization for Azure Active Directory
    Migrate from federation to pass-through authentication for Azure Active Directory

    Alternatively, a simple test would be to create a cloud-only account in a non-federated domain in Azure AD and test the behavior.

    Hope this helps.

    ------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

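The portal check above (a checkmark under Federated on the Custom domain names blade) can be scripted, which is handy when a tenant has many verified domains. The block below is an added example rather than anything from the thread; it uses the Microsoft Graph PowerShell SDK (`Get-MgDomain` and `Get-MgDomainFederationConfiguration`, which exist in the Microsoft.Graph module) to list each verified domain's authentication type and, for federated domains, the AD FS passive sign-in URL that login.microsoftonline.com redirects to. The UPN `user@contoso.com` at the end is a placeholder.

```powershell
# Added example. Lists which verified domains are Managed vs Federated and,
# for federated ones, where Azure AD will redirect the sign-in.
# Assumes the Microsoft.Graph module is installed and you can consent to Domain.Read.All.
function Get-TenantDomainAuth {
    Connect-MgGraph -Scopes 'Domain.Read.All' | Out-Null

    foreach ($d in (Get-MgDomain | Where-Object IsVerified)) {
        $fed = $null
        if ($d.AuthenticationType -eq 'Federated') {
            # internalDomainFederation holds the AD FS endpoints registered for this domain
            $fed = Get-MgDomainFederationConfiguration -DomainId $d.Id
        }
        [pscustomobject]@{
            Domain             = $d.Id
            AuthenticationType = $d.AuthenticationType      # 'Managed' or 'Federated'
            IsDefault          = $d.IsDefault
            PassiveSignInUri   = $fed.PassiveSignInUri      # AD FS URL users are sent to
            FederatedIdpMfa    = $fed.FederatedIdpMfaBehavior  # how Azure AD treats MFA done by AD FS
        }
    }
}

# Given a sign-in name, report the path home-realm discovery will take.
# Note: a user covered by a staged-rollout policy is the exception; that user
# stays in Azure AD even though the domain is federated.
function Get-SignInPath {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][object[]]$DomainAuth   # output of Get-TenantDomainAuth
    )
    $suffix = $UserPrincipalName.Split('@')[-1]
    $match  = $DomainAuth | Where-Object Domain -eq $suffix
    if (-not $match) {
        return "$suffix is not a verified domain in this tenant"
    }
    if ($match.AuthenticationType -eq 'Federated') {
        return "$UserPrincipalName -> redirected to AD FS at $($match.PassiveSignInUri)"
    }
    "$UserPrincipalName -> authenticates in Azure AD (PHS/PTA)"
}

$auth = Get-TenantDomainAuth
$auth | Format-Table -AutoSize
Get-SignInPath -UserPrincipalName 'user@contoso.com' -DomainAuth $auth   # placeholder UPN
```

A domain showing `Federated` is exactly the behaviour described in the question: Azure AD does home-realm discovery on the UPN suffix and hands the password prompt to the `PassiveSignInUri`. The `FederatedIdpMfaBehavior` column is worth noting once MFA is turned on, since it controls whether Azure AD accepts or ignores an MFA claim that AD FS asserts.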

  2. det103 81 Reputation points
    2021-04-05T15:20:58.883+00:00

    Hello
    Thank you for your reply. I found out also that due to ADFS federation this is expected behavior. Unfortunately we are not ready to move to cloud auth yet. But I was thinking to test out the staged rollout migration below:

    https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-staged-rollout

    My main objective is to skip the ADFS login and live in Azure AD for auth. So I was thinking to do option A: PHS + seamless SSO, but currently I have not configured seamless SSO. So if I turn on both, will it work? Also, my question is why this is still in preview? Will it ever become GA?
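Staged rollout, as the linked doc describes it, is a per-group override: the domain stays federated, but members of the targeted group authenticate in Azure AD with password hash sync (or PTA) instead of being redirected to AD FS. The script below is an added example, not from the thread or from Microsoft's docs; it creates the rollout policy for the `passwordHashSync` feature and targets a pilot group, using the Microsoft Graph REST endpoints (`/policies/featureRolloutPolicies` and its `appliesTo/$ref`) through `Invoke-MgGraphRequest`. It assumes the Microsoft.Graph module is installed, that PHS is already enabled in Azure AD Connect, and that a security group named `SG-Pilot-CloudAuth` (a placeholder name) exists.

```powershell
# Added example. Enables staged rollout of password hash sync for one pilot group
# so its members skip AD FS while the domain remains federated.
# Assumes Microsoft.Graph is installed; requires consent to Directory.ReadWrite.All.
function Enable-PhsStagedRollout {
    param([Parameter(Mandatory)][string]$PilotGroupName)

    Connect-MgGraph -Scopes 'Directory.ReadWrite.All' | Out-Null

    $group = Get-MgGroup -Filter "displayName eq '$PilotGroupName'"
    if (-not $group) { throw "Group '$PilotGroupName' not found" }

    # Azure AD allows one rollout policy per feature, so reuse it if present.
    $policy = Get-MgPolicyFeatureRolloutPolicy | Where-Object Feature -eq 'passwordHashSync'
    if (-not $policy) {
        $body = @{
            displayName             = 'PHS staged rollout'
            description             = 'Pilot users sign in to Azure AD directly instead of AD FS'
            feature                 = 'passwordHashSync'   # or 'passthroughAuthentication' / 'seamlessSso'
            isEnabled               = $true
            isAppliedToOrganization = $false                # target groups, not the whole tenant
        }
        $policy = Invoke-MgGraphRequest -Method POST -OutputType PSObject `
            -Uri 'https://graph.microsoft.com/v1.0/policies/featureRolloutPolicies' -Body $body
    }

    # Add the pilot group as a target: POST .../appliesTo/$ref with an @odata.id
    $target = @{ '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($group.Id)" }
    Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/v1.0/policies/featureRolloutPolicies/$($policy.Id)/appliesTo/`$ref" `
        -Body $target

    # Return the policy with its targets so the result can be checked
    Invoke-MgGraphRequest -Method GET -OutputType PSObject `
        -Uri "https://graph.microsoft.com/v1.0/policies/featureRolloutPolicies/$($policy.Id)?`$expand=appliesTo"
}

Enable-PhsStagedRollout -PilotGroupName 'SG-Pilot-CloudAuth'   # placeholder group name
```

Each of PHS, PTA and seamless SSO is a separate feature value in the policy, so seamless SSO can be rolled out to the same group later by creating a second policy with `feature = 'seamlessSso'`; the PHS policy alone is what stops the redirect to AD FS for the pilot users. Check the prerequisites on the linked staged rollout page before targeting real users, in particular that the group is a security group.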


  3. det103 81 Reputation points
    2021-04-06T20:07:59.617+00:00

    hello:

    Thank you. I have one more question. As I said earlier, currently we have seamless SSO turned off. But somehow I noticed that accessing Citrix ADC (Azure AD as IdP) via Edge or IE bypasses ADFS and logs me in directly without asking for MFA. So is this expected due to the primary refresh token? If so, is seamless SSO only applicable to non-MS browsers, since IE and Edge are already behaving like seamless SSO? Also, specifically if you have turned on MFA, how is it secured, bypassing on Edge and IE?

    thanks

