Microsoft’s own integrated STS in Windows Server, AD FS (Active Directory Federation Services), is still a broadly used mechanism to federate identities with Azure Active Directory. At Ignite 2018, Anand Yadav’s session BRK3226 provided some numbers: 71+ million users actively use AD FS to sign in to Azure.
Since AD FS configuration was added to Azure AD Connect a while ago, the automatic setup of the Office 365 Relying Party Trust is very easy. Many SMBs want single sign-on for all their Office 365 and Azure applications, and then the name AD FS often comes up. But which sign-in options are available, and when should I choose AD FS? The following diagram gives a short overview of the sign-in options:
Azure Active Directory has taken a great step forward in recent weeks and months to enable organizations to create (or migrate) custom SAML-based authentication settings for their on-premises applications. Azure AD already has thousands of applications integrated to enable single sign-on with other cloud applications like AWS, Google, Salesforce, and so on. Microsoft provided new tools and documentation to walk you through the app migration experience and show you which apps you can easily connect today.
The National Cyber Security Centre published a blog post last week with new guidance on moving to cloud-native authentication. The new recommendation for hybrid environments is to prefer native authentication against Azure AD rather than AD FS. Cloud-native authentication in hybrid environments means using Seamless SSO with Password Hash Sync. While this recommendation is very good, especially for SMBs that install and configure AD FS only for Office 365 without any additional security configuration, there are still some reasons for organizations to use AD FS instead of Password Hash Synchronization:
- There might be compliance regulations requiring that authentication occur on-premises rather than in the cloud.
- The use of third-party on-premises MFA providers
- Multi-site on-premises authentication
- Smartcard authentication
- Not all custom SAML-applications are yet supported in Azure AD
- On-premises applications that have no relationship to Azure AD, for example for users who can’t be synchronized to Azure AD for compliance/security reasons
If you want to read more about how to secure your Office 365 environment with AD FS, read my latest blog post. It’s about more than installing and configuring AD FS for your Office 365 environment: you should consider protecting your organization against password spray attacks, enabling AD FS smart lockout, enabling multi-factor authentication, and much more.
This blog will explain why passwords are weak and why you should use a password-less sign-in method to access your on-premises and cloud applications.
Why Are Passwords Weak?
Also at Ignite 2018, Anand Yadav’s session BRK3226 provided numbers about global threats against Azure AD and common passwords attempted in password spray attacks:
- 29 billion authentications blocked in August 2018
- 81% of data breaches involved weak, default or stolen passwords
- Common passwords attempted in password spray attacks:
  - ‘Your Company Name’
After reading these alarming numbers, you should think about adjusting your organization’s password policy or, even better, deploying second-factor authentication like Azure MFA for all your users. Additional information, such as Azure AD Password Protection, which allows admins to prevent users from securing accounts in Azure AD and Windows Server Active Directory with weak passwords, can be found in my other blog post.
A simple insight into your AD FS infrastructure can be found in the Azure portal under Azure AD Connect Health, provided you have configured it. The diagram below shows bad password attempts against my Office 365 tenant:
(User ID and last failure IP removed for privacy reasons).
Configure Third-Party Authentication Providers in AD FS
AD FS 2016 introduced Azure MFA as primary authentication so that OTPs (One-Time Passcodes) from the Authenticator app could be used as the first factor. Building on this, with AD FS 2019 you can configure external authentication providers as primary authentication factors. There are two scenarios:
- Protect the password:
  Protect your on-premises infrastructure from bad password attempts or other attacks. Given the huge number of failed login attempts visible in my screenshot above, a solution is to prompt for the external factor first; only once the external authentication is completed does the user see a password prompt.
  - Prompting for Azure MFA or an external authentication factor as primary authentication
  - Username and password as additional authentication in AD FS
- Eliminate the password:
  Eliminate passwords entirely and use a strong, non-password-based multi-factor authentication method in AD FS.
  - Azure MFA with Authenticator app
  - Windows 10 Hello for Business
  - Certificate authentication
  - External authentication providers
In AD FS 2019, the external-authentication-as-primary capability means that every external authentication provider becomes available for primary authentication as well as additional authentication. Once an external provider is enabled for extranet, intranet, or both, it becomes available for users to use. If more than one method is enabled, users will see a choice page and be able to choose a primary method, just as they do for additional authentication. As an example, for primary authentication with Windows Hello for Business from an external network, which requires an additional authentication method, you can choose between additional Azure MFA capabilities, as shown in the following picture:
There are some prerequisites for your environment to enable external authentication providers as your primary authentication method in AD FS. More information on the prerequisites and how to configure the authentication methods can be found in the Microsoft documentation.
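As an added example (not from the original post or from Microsoft’s documentation), the following PowerShell configures both scenarios described above on an AD FS 2019 farm: Azure MFA as the primary factor with the password only as an additional factor, and a passwordless Windows Hello for Business / Azure MFA combination. It assumes Azure MFA has already been registered for the farm, that the Office 365 relying party still carries its default display name, and that the built-in provider identifiers (`AzureMfaAuthentication`, `FormsAuthentication`, `MicrosoftPassportAuthentication`, `WindowsAuthentication`) are installed; verify them against the first command’s output before applying.

```powershell
# Added example: run in an elevated PowerShell session on an AD FS 2019 server.
# Assumption: Azure MFA is already registered for this farm (Set-AdfsAzureMfaTenant).
Import-Module ADFS

# 1. Inventory: which providers are installed and what is active right now.
Get-AdfsAuthenticationProvider | Select-Object Name | Format-Table -AutoSize
$before = Get-AdfsGlobalAuthenticationPolicy
"Primary (extranet) : $($before.PrimaryExtranetAuthenticationProvider -join ', ')"
"Primary (intranet) : $($before.PrimaryIntranetAuthenticationProvider -join ', ')"
"Additional         : $($before.AdditionalAuthenticationProvider -join ', ')"

# 2. Scenario A - protect the password.
#    Azure MFA is asked for first; the password (Forms) is only an additional factor,
#    so spray attempts from the internet never reach a password prompt.
#    AllowAdditionalAuthenticationAsPrimary is the AD FS 2019 switch that permits
#    providers usually used as "additional" to be offered as primary.
Set-AdfsGlobalAuthenticationPolicy -AllowAdditionalAuthenticationAsPrimary $true
Set-AdfsGlobalAuthenticationPolicy `
    -PrimaryExtranetAuthenticationProvider @('AzureMfaAuthentication') `
    -PrimaryIntranetAuthenticationProvider @('AzureMfaAuthentication', 'WindowsAuthentication') `
    -AdditionalAuthenticationProvider       @('FormsAuthentication')

# 3. Scenario B - eliminate the password (uncomment to use instead of scenario A).
#    Windows Hello for Business or Azure MFA as primary, Azure MFA as the additional
#    factor that is required when the request comes from outside the corporate network.
# Set-AdfsGlobalAuthenticationPolicy `
#     -PrimaryExtranetAuthenticationProvider @('MicrosoftPassportAuthentication', 'AzureMfaAuthentication') `
#     -PrimaryIntranetAuthenticationProvider @('MicrosoftPassportAuthentication', 'WindowsAuthentication') `
#     -AdditionalAuthenticationProvider       @('AzureMfaAuthentication')

# 4. Require the additional factor for Office 365 only on extranet sign-ins.
#    Assumption: the relying party keeps its default name; adjust if you renamed it.
$rpName = 'Microsoft Office 365 Identity Platform'
$extranetMfaRule = @'
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@
Set-AdfsRelyingPartyTrust -TargetName $rpName -AdditionalAuthenticationRules $extranetMfaRule

# 5. Read the policy back so the change is confirmed before users are affected.
Get-AdfsGlobalAuthenticationPolicy |
    Select-Object PrimaryExtranetAuthenticationProvider, PrimaryIntranetAuthenticationProvider,
                  AdditionalAuthenticationProvider, AllowAdditionalAuthenticationAsPrimary
```

Test the result with a pilot account from an external address before rolling out: a correct configuration shows the Azure MFA prompt first and the password prompt second, and bad-password events for that account should disappear from Azure AD Connect Health.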
Microsoft did a great job and provided a lot of tools to secure your organization’s environment. Regardless of which authentication solution you decide on, you have to protect your accounts for every sign-in method, whether it is cloud-native authentication in Azure AD or on-premises authentication with AD FS.
Monitor AD FS with ENow
Proactively monitor AD FS from the end user’s perspective with ENow's industry-leading monitoring platform. ENow monitors all of your AD FS servers and performs synthetic transactions, including performing single sign-on against Office 365 from inside your organization and from outside (remote tests).