Change Authentication method from PHS to ADFS

Nithyanandham Singaravadivelu 1 Reputation point
2022-04-08T06:07:33.737+00:00

Hi All,

The requirement is to convert the authentication method for users from PHS to ADFS, then set the PHS as the back up method of authentication in case of ADFS failure.

We have the existing ADFS setup in place without federation between on premises and Azure AD, and we have the latest version of Azure AD connect server running (2.1.1.0 ), but wanted to understand, do we have any options in Azure AD connect server to federate multiple top level domains or the recommended method is only to go with PowerShell i.e Convert-MSOLDomainToFederated with -SupportMultipleDomain for all the verified domains ?

Please share your thoughts.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,138 questions
0 comments No comments
{count} votes

4 answers

Sort by: Most helpful
  1. Andy David - MVP 143.8K Reputation points MVP
    2022-04-08T11:46:07.607+00:00

    Well, um. My thoughts, honestly. Why would you do this? If you are using PHS now, why go back to ADFS?

    0 comments No comments

  2. Nithyanandham Singaravadivelu 1 Reputation point
    2022-04-08T12:38:57.67+00:00

    Hi Andy,

    The decision was made by our top management and i cannot change it unfortunately. Also they have the existing ADFS infrastructure in place and now they wanted to enable federation between on premises ADFS and Azure AD.

    0 comments No comments

  3. Simon Burbery 556 Reputation points
    2022-04-08T12:39:15.88+00:00

    I agree with Andy - we have been moving clients away from ADFS to the more modern auth methods for the last couple of years now. If you need to honour user account expiry AD Connect can now be configured to do this with PHS, but if there is a hard requirement to use your on-premises AD for authentication, use PTA.

    0 comments No comments

  4. Simon Burbery 556 Reputation points
    2022-04-08T12:43:42.937+00:00

    If you have to do it (I would try and explain that the 'trend' is to move away from ADFS these days!)... here are the commands I used a few years back for what sounds like a similar setup (you can perform initial configuration via AD Connect and use commands as needed)

    Import-Module MSOnline
    $domain = 'domain'
    $cred = Get-Credential
    Connect-MsolService –Credential $cred

    To redirect to ADFS...

    Convert-MsolDomainToFederated –DomainName $domain
    Set-MsolFederatedDomain -DomainName $domain -SupportMultiDomain

    Get-MsolDomain
    Get-ADFSRelyingPartyTrust
    Get-MSOLFederationProperty -DomainName $domain
    Get-MsolDomainFederationSettings -DomainName $domain

    To Roll Back...

    Set-MsolDomainAuthentication -Authentication Managed -DomainName $domain

    enable device registration

    Initialize-ADDeviceRegistration

    Add Chrome and Firefox to SSO

    Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents
    Set-AdfsProperties -WIASupportedUserAgents ((Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents) + “Chrome” + "Mozilla/5.0" + "Edge/12")

    0 comments No comments