switching between PHS and ADFS

Question

switching between PHS and ADFS

HK G 516

I am testing switching between ADFS and PHS in my test environment. The authentication was original setup as ADFS and I was able to switch to PHS by using ADconnect alone (without need to use set-msoldomainauthentication cmdlet). I then rollback to ADFS by using convert-msoldomaintofederated and that is also working. Get-msoldomain showed the domain is federated and I was redirected to the ADFS page to sign-in. However, when I try to switch from ADFS to PHS the 2nd time, the user sign-in options is already set to PHS in ADconnect. I can't change from ADFS to PHS which the options in the ADconnect wizard. Can someone explain what did I miss during these changes?

Thanks

Siva-kumar-selvaraj 15,721 Reputation points

2022-01-25T20:08:06.56+00:00

@HK G ,

Thanks for reaching out.

I believe, this is because the cache of the wizard so its always best to close out Azure AD connect wizard completely and reopen in such scenarios when switching the sign-in option. Hope this help.

4 answers

Your answer

Siva-kumar-selvaraj 15,721 Reputation points

2022-01-25T20:08:06.56+00:00

@HK G ,

Thanks for reaching out.

I believe, this is because the cache of the wizard so its always best to close out Azure AD connect wizard completely and reopen in such scenarios when switching the sign-in option. Hope this help.

Answer 1

Thanks for sharing more context.

This is an expected behavior when using the "Azure AD connect wizard" as well as "PowerShell Msol" cmdlets in combined way (such as convert-msoldomaintofederated/Set-MsolDomainAuthentication ) for switching between PHS and ADFS because if we use PowerShell cmdlets then Azure AD connect wizard stop managing federation for you.

Let's say ADFS was initially configured and federated via Azure AD Connect, then later switched to PHS (Password Hash Synchronization) from federation via Azure AD Connect, so there is no discrepancy until now, but if you use PowerShell cmdlets like "convert-msoldomaintofederated" to revert back to ADFS federation rather than using sync wizard, then Azure AD Connect unaware of these changes and will continue to use PHS as a backup along with federation.

Screenshot from my environment, you can see that Domain was federated using convert-msoldomaintofederated but Azure AD connect continue to use PHS as backup because earlier it was managed via Azure AD connect.

However, at this stage primary authentication for user sign-in would be ADFS federation but PHS continue to be a backup. You can always Run the customize synchronization options to remove this optional PHS feature as shown below:

So to avoid such instances, try using Azure AD connect wizard to switch between PHS and ADFS not PowerShell in combined way. Here are detailed steps to switch back to federation by using wizard.

To learn more, refer following articles. Hope this was helpful.

Migrate from federation to cloud authentication: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/migrate-from-federation-to-cloud-authentication
Setting up PHS as backup for AD FS in Azure AD Connect: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/tutorial-phs-backup

-----
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Martin Hansen 1 Reputation point

2022-04-29T06:45:48.753+00:00

I have the same issue, just switched around. We want to change from ADFS to PHS - but from previous support cases, it seems like PHS was enabled both on the optional features, and the sign-in method - yet, we sign in using ADFS :D
Get-msoldomain on ADFS returns Federated authentication, Azure AD reports Federated also - but AD Connect states otherwise.

Not sure how this happened, nor can I recollect any of this, because the last time we had a support engineer look at this was a few years ago now, haven't had any issues with ADFS servers for quite a while.

Any suggestions?

Answer 2

Thanks,

I don't think this is cache issue. I rebooted the ADconnect server and it is still seeing PHS as the sign-in option. I actually selected "Do not configure" option and choose PHS again and the Next button became available. I continued the wizard and it completed successfully. At the end, it stated that the sign on method is set to Password Hash Synchronization. However, when checking with get-msoldomin, the domain is still showing as federated and I am still being redirected to the ADFS sign-in page.

Answer 3

HK G 516

I assumed I still can use the set-msoldomainauthentication cmdlet to perform the switching. I just want to understand the details before doing this on the production env..

Answer 4

HK G 516

Thanks for the details explanation.

I did read the ADFS to PHS documentation and it was abit confusing. My ADFS was not setup by ADconnect originally. Rather I setup the ADFS\WAP servers manually and then run the convert-mosldomaintofederated for federation authentication. I only used ADconnect for the account synchronization.

With my first ADFS to PHS move, I only needed to use the ADconnect wizard for the change (without needing to run any PS cmdlet). This part actually confused me as I was expecting that I need to run the PS cmdlet due to the original setup. But it didn't need to and the conversion was fine.

I then tried the rollback by using the convert-msoldomaintofederated and it was good too.

When I tried to do my 2nd ads-phs conversion, then I started experiencing the problem I mentioned and that was why I posted the question here. I did ended up using the set-msoldomainauthentication to managed to change to cloud authentication.

Anyway, my question now is can I just rely on using PS cmdlet to switch from ADFS to PHS and vice versa and only use ADconnect for other configuration such as password writeback and etc. It seems to be it is easier to manage authentication using Powershell.

Thanks again for your help.

Siva-kumar-selvaraj 15,721 Reputation points

2022-02-03T12:43:27.59+00:00
Apologies for the delayed response.

Yes, either you can reply on using PowerShell cmdlet to switch federation and use ADconnect for other configuration when you don't want ADConnect to manage federation OR In case if you want your ADConnect to manage federation then use wizard for enabled/disable federation rather than using PowerShell cmdlet to avoid some discrepancy.

But these are the benefits when you manage ADFS federation though Azure AD connect which may helps minimize some of administration tasks when you have large scale environment with multiple ADFS server.

Azure AD connect update all required claims in ADFS automatically when Hybrid Azure AD joined enabled for your environment

You get option to update ADFS SSL certificate through Azure AD connect wizard so that sync engine would update SSL certificate all of your ADFS and WAP servers automatically rather than doing it manually.

Install additional ADFS/WAP in existing farm through AD connect wizard remotely.

-----
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Nithyanandham Singaravadivelu 1 Reputation point

2022-04-07T18:15:16.783+00:00

Hi @sikumars-msft,

I know that you have already answered for the actual question, however i would like to ask my question related to authentication on this same thread, because no where i was not able to found the answer for my question.

The requirement is to convert the authentication method for users from PHS to ADFS, then set the PHS as the back up method of authentication in case of ADFS failure. We have the existing ADFS setup in place without federation between on premises and Azure AD, and we have the latest version of Azure AD connect server running, but wanted to understand, do we have any options in Azure AD connect server to federate multiple top level domains or the recommended method is only to go with PowerShell i.e Convert-MSOLDomainToFederated with -SupportMultipleDomain for all the verified domains ?

Please share your thoughts.

Share via

switching between PHS and ADFS

4 answers

Your answer