Mix ADFS and Azure AD for authentication

JFH 1 Reputation point
2019-12-16T14:00:54.623+00:00

Hi, we use ADFS 3.0 for O365 and some 3rd-party web apps. Now we're implementing a new website. My original idea was to just add it to our ADFS, but now the project has decided that it needs 2FA. In the future I see all our apps authenticating in Azure AD, but I can't move them right now. Therefore I'd prefer to keep the current apps in ADFS but add the new app to Azure AD with PTA and MFA. Can I somehow use Azure AD for authentication on my new app and still authenticate O365 in ADFS? //Johan


2 answers

  1. AmanpreetSingh-MSFT 55,226 Reputation points
    2019-12-16T16:16:45.283+00:00

    @JFH Yes, you can do that. If you have O365 federated with ADFS and you federate an application with Azure AD, the authentication flow would be:

    1. User accesses the application which is federated to Azure AD.
    2. Application will redirect to Azure AD authentication endpoint (https://login.microsoftonline.com) for authentication.
    3. User will be prompted for credentials.
    4. Based on the UPN suffix (if the domain is federated with ADFS), the user will be redirected to ADFS.
    5. ADFS will authenticate the user and issue a WS-Fed token to Azure AD.
    6. Azure AD will receive the token and issue a SAML token to the application.
    7. User will finally get access to application.

    -----------------------------------------------------------------------------------------------------------

    Please "accept as answer" or "vote as helpful" wherever the information provided helps you to help others in the community.
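Step 4 above is a home realm discovery decision: Azure AD looks up the realm of the UPN suffix and sends the user to ADFS only if that domain is federated. The following is an added example (not part of the answer, and not Microsoft's code) that performs the same lookup against the public `getuserrealm.srf` endpoint so an administrator can confirm which sign-in path a domain is on; the sample responses are constructed, and `example.com` / `adfs.example.com` are placeholders.

```python
"""Check whether a UPN suffix will be redirected to ADFS (federated) or
handled by Azure AD itself (managed, e.g. PTA).  Added example, not from
the original answer; endpoint URL is the public home realm discovery URL.
"""
import json
import urllib.parse
import urllib.request

REALM_ENDPOINT = "https://login.microsoftonline.com/getuserrealm.srf"


def classify_realm(realm: dict) -> dict:
    """Reduce a getuserrealm response to the fields that drive step 4.

    NameSpaceType is "Federated" for ADFS-federated domains and "Managed"
    for domains that authenticate in Azure AD directly.  AuthURL is the
    federation endpoint Azure AD will redirect to (only meaningful when
    federated).
    """
    ns_type = realm.get("NameSpaceType", "Unknown")
    login = realm.get("Login", "")
    return {
        "domain": realm.get("DomainName") or login.split("@")[-1],
        "namespace_type": ns_type,
        "redirects_to_adfs": ns_type == "Federated",
        "federation_endpoint": realm.get("AuthURL") if ns_type == "Federated" else None,
    }


def lookup_realm(upn: str, timeout: float = 10.0) -> dict:
    """Live lookup (needs network); returns the parsed JSON for one login."""
    query = urllib.parse.urlencode({"login": upn, "json": "1"})
    with urllib.request.urlopen(f"{REALM_ENDPOINT}?{query}", timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


# Constructed sample responses in the shape the endpoint returns (values made up).
SAMPLE_FEDERATED = {
    "NameSpaceType": "Federated",
    "Login": "johan@example.com",
    "DomainName": "example.com",
    "FederationBrandName": "Example AD FS",
    "AuthURL": "https://adfs.example.com/adfs/ls/?wa=wsignin1.0&wtrealm=urn:federation:MicrosoftOnline",
}
SAMPLE_MANAGED = {
    "NameSpaceType": "Managed",
    "Login": "johan@example.onmicrosoft.com",
    "DomainName": "example.onmicrosoft.com",
}

if __name__ == "__main__":
    for sample in (SAMPLE_FEDERATED, SAMPLE_MANAGED):
        print(classify_realm(sample))
```

Because the lookup takes the full login rather than just the domain, it reports the realm for that particular user, which is the same granularity the redirect decision is made at.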


  2. Vasil Michev 61,991 Reputation points Microsoft MVP
    2019-12-16T18:10:11.92+00:00

    Both federation and PTA are domain-wide features, so they generally apply to all users. There's however a preview of the so-called "staged rollout" feature, which allows you to switch just some users from federation to other auth types. Read here: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-staged-rollout
