Federation with Microsoft Entra ID
Federation is a collection of domains that have established trust. The level of trust may vary, but typically includes authentication and almost always includes authorization. A typical federation might include a number of organizations that have established trust for shared access to a set of resources.
You can federate your on-premises environment with Microsoft Entra ID and use this federation for authentication and authorization. This sign-in method ensures that all user authentication occurs on-premises. This method allows administrators to implement more rigorous levels of access control. Federation with AD FS and PingFederate is available.
Tip
If you decide to use Federation with Active Directory Federation Services (AD FS), you can optionally set up password hash synchronization as a backup in case your AD FS infrastructure fails.
Microsoft Entra Connect lets you configure federation with on-premises Active Directory Federation Services (AD FS) and Microsoft Entra ID. With federation sign-in, you can enable users to sign in to Microsoft Entra ID-based services with their on-premises passwords and, while on the corporate network, without having to enter their passwords again. By using the federation option with AD FS, you can deploy a new installation of AD FS, or you can specify an existing installation in a Windows Server 2012 R2 farm.
This topic is the home for information on federation-related functionalities for Microsoft Entra Connect. It lists links to all related topics. For links to Microsoft Entra Connect, see Integrating your on-premises identities with Microsoft Entra ID.
Microsoft Entra Connect: federation topics
Topic | What it covers and when to read it |
---|---|
Microsoft Entra Connect user sign-in options | |
Understand user sign-in options | Learn about various user sign-in options and how they affect the Azure sign-in user experience. |
Install AD FS by using Microsoft Entra Connect | |
Prerequisites | See the prerequisites for a successful AD FS installation via Microsoft Entra Connect. |
Configure an AD FS farm | Install a new AD FS farm by using Microsoft Entra Connect. |
Federate with Microsoft Entra ID using alternate login ID | Configure federation using an alternate login ID. |
Modify the AD FS configuration | |
Repair the trust | Repair the current trust between on-premises AD FS and Microsoft 365/Azure. |
Add a new AD FS server | Expand an AD FS farm with an additional AD FS server after initial installation. |
Add a new AD FS WAP server | Expand an AD FS farm with an additional Web Application Proxy (WAP) server after initial installation. |
Add a new federated domain | Add another domain to be federated with Microsoft Entra ID. |
Update the TLS/SSL certificate | Update the TLS/SSL certificate for an AD FS farm. |
Renew federation certificates for Microsoft 365 and Microsoft Entra ID | Renew your O365 certificate with Microsoft Entra ID. |
Other federation configuration | |
Federate multiple instances of Microsoft Entra ID with single instance of AD FS | Federate multiple instances of Microsoft Entra ID with a single AD FS farm. |
Add a custom company logo/illustration | Modify the sign-in experience by specifying the custom logo that is shown on the AD FS sign-in page. |
Add a sign-in description | Change the sign-in description on the AD FS sign-in page. |
Modify AD FS claim rules | Modify or add claim rules in AD FS that correspond to Microsoft Entra Connect Sync configuration. |