Well, um. My thoughts, honestly. Why would you do this? If you are using PHS now, why go back to ADFS?
Change Authentication method from PHS to ADFS
The requirement is to convert the authentication method for users from PHS to ADFS, then set PHS as the backup method of authentication in case of ADFS failure.
We have an existing ADFS setup in place without federation between on-premises and Azure AD, and we have the latest version of the Azure AD Connect server running (22.214.171.124), but I wanted to understand: do we have any options in Azure AD Connect to federate multiple top-level domains, or is the recommended method only PowerShell, i.e. Convert-MSOLDomainToFederated with -SupportMultipleDomain for all the verified domains?
Please share your thoughts.
The decision was made by our top management and I cannot change it, unfortunately. Also, they have the existing ADFS infrastructure in place and now they want to enable federation between on-premises ADFS and Azure AD.
I agree with Andy - we have been moving clients away from ADFS to the more modern auth methods for the last couple of years now. If you need to honour user account expiry AD Connect can now be configured to do this with PHS, but if there is a hard requirement to use your on-premises AD for authentication, use PTA.
If you have to do it (I would try and explain that the 'trend' is to move away from ADFS these days!)... here are the commands I used a few years back for what sounds like a similar setup (you can perform the initial configuration via AD Connect and use the commands as needed).
# Requires the MSOnline module; 'domain' is a placeholder for your verified domain name
Import-Module MSOnline
$domain = 'domain'
$cred = Get-Credential
Connect-MsolService -Credential $cred
To redirect to ADFS...
# Run on the primary ADFS server (or after Set-MsolADFSContext) so the relying party trust is created as well
Convert-MsolDomainToFederated -DomainName $domain -SupportMultipleDomain
Update-MsolFederatedDomain -DomainName $domain -SupportMultipleDomain
Get-MsolFederationProperty -DomainName $domain
Get-MsolDomainFederationSettings -DomainName $domain
To Roll Back...
Set-MsolDomainAuthentication -Authentication Managed -DomainName $domain
enable device registration
Add Chrome and Firefox to SSO
# Show the current WIA user agents, then append the browsers that should get integrated Windows auth
Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUserAgents
Set-AdfsProperties -WIASupportedUserAgents ((Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUserAgents) + "Chrome" + "Mozilla/5.0" + "Edge/12")
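The question asks how to federate several verified top-level domains rather than one. The following is an added example, not code from either answer above: it federates every verified, still-managed custom domain with -SupportMultipleDomain, reports what Azure AD then trusts per domain (including the thumbprint of the signing certificate it holds, which should match the ADFS token-signing certificate), and keeps a rollback to Managed (PHS). It assumes the MSOnline module is installed and that 'adfs01.corp.example' stands in for your federation server.

```powershell
# Added example, not the answers' own code. 'adfs01.corp.example' is a placeholder for your ADFS server.
Import-Module MSOnline
Connect-MsolService -Credential (Get-Credential)
Set-MsolADFSContext -Computer 'adfs01.corp.example' -LogFile "$env:TEMP\MsolFederation.log"

function Convert-VerifiedDomainsToFederated {
    # Federate every verified custom domain that is still Managed. The initial *.onmicrosoft.com
    # domain cannot be federated and is skipped. -SupportMultipleDomain gives each domain its own
    # IssuerUri (http://<domain>/adfs/services/trust/), which is what lets several top-level
    # domains share a single ADFS farm.
    Get-MsolDomain -Status Verified |
        Where-Object { -not $_.IsInitial -and $_.Authentication -eq 'Managed' } |
        ForEach-Object {
            Write-Verbose "Federating $($_.Name)" -Verbose
            Convert-MsolDomainToFederated -DomainName $_.Name -SupportMultipleDomain
        }
}

function Get-FederationReport {
    # One row per verified domain showing what Azure AD will trust. The signing certificate
    # thumbprint should equal the ADFS token-signing certificate
    # (Get-AdfsCertificate -CertificateType Token-Signing); any mismatch needs investigating.
    Get-MsolDomain -Status Verified | ForEach-Object {
        $fs = $null; $thumb = $null
        if ($_.Authentication -eq 'Federated') {
            $fs    = Get-MsolDomainFederationSettings -DomainName $_.Name
            $raw   = [Convert]::FromBase64String($fs.SigningCertificate)
            $thumb = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw).Thumbprint
        }
        [pscustomobject]@{
            Domain            = $_.Name
            Authentication    = $_.Authentication
            IssuerUri         = $fs.IssuerUri
            PassiveLogOnUri   = $fs.PassiveLogOnUri
            SigningThumbprint = $thumb
        }
    }
}

function Restore-ManagedAuthentication {
    # Roll one domain back to Managed so PHS takes over if ADFS is unavailable (the answer's rollback step).
    param([Parameter(Mandatory)][string]$DomainName)
    Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Managed
}

Convert-VerifiedDomainsToFederated
Get-FederationReport | Format-Table -AutoSize
```

Run Get-FederationReport again after any ADFS certificate rollover: if the thumbprint no longer matches the farm's token-signing certificate, Update-MsolFederatedDomain refreshes what Azure AD holds.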