Why Enterprise Application using ADFS?

RT-7199 511 Reputation points

We have federated Azure AD and are using PHS. I added cloudflare enterprise application, but when we login to that app user is getting redirected to on-prem ADFS. Should a user not get authenticated directly in Azure without being redirected to ADFS for an application registered in Azure. I can see the sign-in attempts under the enterprise application though.

Active Directory Federation Services
Active Directory Federation Services
An Active Directory technology that provides single-sign-on functionality by securely sharing digital identity and entitlement rights across security and enterprise boundaries.
1,223 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,596 questions
0 comments No comments
{count} votes

4 answers

Sort by: Most helpful
  1. Jai Verma 461 Reputation points

    What is the username a user type? Is that domain still federated? For example, if user name is jai@Company portal .com and contoso.com is still federated, this could be one reason, user gets redirected to ADFS.

    Run command - Get-MSOLFederationProperty and see if the domain still shows as federated.

    1 person found this answer helpful.

  2. Pierre Audonnet - MSFT 10,171 Reputation points Microsoft Employee

    It is possible for an application de force a fresh authentication. In that case, that auth flow would go back all the way to ADFS.
    Could you capture a Fiddler trace during one of these redirections?

  3. Mr Sb 356 Reputation points

    It depends ofcourse who your identity provider is with this new enterprise application. Contact the owner of the application and verify the SAML settings. It might be pointing to ADFS instead of Azure AD. And also, if your domain is federated and you have enabled password hash sync, the password hash sync will not be used until you convert the domain to a standard domain or use Azure AD staged roll-out.

  4. RT-7199 511 Reputation points

    @Pierre Audonnet - MSFT thanks for editing the screenshot. Here is the screenshot from claims x ray. But I made a change before I tested this even for salesforce. I removed the test account from the group included under password reset. And I don't see redirection happening to on-prem adfs any more. So does that mean because the test account is part of this group it is being forced to reauthenticate.

    Also i see we have a group with few users under password hash sync for staged roll out but there is none under single sign-on

    0 comments No comments