When Active Directory on-premises and Azure AD work together, it’s called Hybrid Identity. Hybrid Identity is relatively easy to set up when you use the Express Settings for Azure AD Connect. However, setting up Hybrid Identity with Active Directory Federation Services (AD FS) is not that hard either.
I’ll show you how to achieve this goal in this blogpost.
Why choose AD FS?
Active Directory Federation Services (AD FS) used to be the only authentication method available, before password hash synchronization (PHS), pass-through authentication (PTA) and Azure AD Connect Cloud Sync became available.
Even today, AD FS offers a couple of advantages over the other authentication methods:
- AD FS offers certificate authentication
- AD FS offers Alternate Login ID functionality
- AD FS offers the use of 3rd party multi-factor authentication for many of the popular multi-factor authentication providers.
- Auditing AD FS is straight-forward and integrates with all major security incident and event management (SIEM) solutions.
The biggest reason organizations choose AD FS as the authentication method for Azure AD, of course, is that they already have AD FS running with a bazillion apps integrated with it. Today, however, I’ll focus on the scenario where an admin wants to set up an initial AD FS farm.
Requirements
To complete the steps below, you’ll need to meet the following requirements:
- You’ll need an account with Global administrator or Hybrid Identity administrator privileges in your Azure AD tenant. Use an account that is not configured with a UPN
- You’ll need an account with membership to the Enterprise Admins group in your Active Directory.
- You’ll need local administrator credentials on each of the below mentioned servers.
- You’ll need a Windows Server installation with Desktop Experience (so not a Server Core installation) that is domain-joined to your Active Directory domain. This will become the server on which we install Azure AD Connect.
- One proposed AD FS server. This server may run Server Core. This server needs to be domain-joined.
- One proposed Web Application Proxy server. This server may run Server Core. This server can be domain-joined, but does not need to be. Microsoft’s guidance is to place this server on a perimeter network. If the Web Application Proxy server is not to be domain-joined, perform these additional steps.
- The server that will run Azure AD Connect and the AD FS server need access to the Domain Controller(s) for your Active Directory domain. Their network connections need to meet the network port requirements for Active Directory. These connections may not be NATed.
- The server that will run Azure AD Connect needs to be able to reach the Azure AD URLs. Configure Azure AD Connect to use a proxy, if needed.
- The proposed AD FS server needs to be able to communicate to Azure AD to exchange metadata. Configure https://nexus.microsoftonline-p.com as an allowed URL.
- The Web Application Proxy server will need to be accessible from the Internet on ports TCP80, TCP443 and TCP49443. This server needs to be able to access the AD FS server on port TCP443.
- The Azure AD Connect server needs to be able to access the proposed AD FS server and the proposed Web Application Proxy using TCP5981.
- You need to create an A or CNAME record in the internal DNS zone for your organization to point the AD FS farm name (for instance sts.domain.tld) to the proposed AD FS server.
- You need to create an A or CNAME record in the external DNS zone for your organization to point the AD FS farm name to the external IP address of the proposed Web Application Proxy.
- You need to have the DNS domain name that you want to federate with AD FS as a verified DNS domain name in Azure AD.
- You need a valid TLS certificate with the DNS name of the AD FS farm (for instance sts.domain.tld), that includes the private key. The certificate needs to be saved as a *.pfx file.
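The requirements above can be checked before the wizard is started. The following PowerShell script is an added example written for this post (not Microsoft tooling and not the author’s own script); it runs in an elevated session on the server that will host Azure AD Connect and checks domain membership, Desktop Experience, internal DNS for the farm name, the TCP ports listed above, reachability of nexus.microsoftonline-p.com and the *.pfx file. The host names, the path and the remote-install port value are taken from the list above or are constructed placeholders; replace them with your own.

```powershell
# Added pre-flight check for the requirements above. Example written for this post, not
# Microsoft tooling or the author's script. Run it in an elevated PowerShell session on
# the server that will host Azure AD Connect. Host names and paths are placeholders.
$FarmName   = 'sts.domain.tld'        # AD FS farm name (example from the requirements)
$AdfsServer = 'adfs01.domain.tld'     # proposed AD FS server (placeholder)
$WapServer  = 'wap01.domain.tld'      # proposed Web Application Proxy (placeholder)
$PfxPath    = 'C:\Certs\sts.pfx'      # the copied *.pfx (placeholder path)
$RemotePort = 5981                    # port named above for Azure AD Connect -> AD FS/WAP
$PfxPassword = Read-Host -Prompt 'Password for the PFX file' -AsSecureString

$results = New-Object System.Collections.Generic.List[object]
function Add-Result([string]$Check, [bool]$Ok, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; Ok = $Ok; Detail = $Detail })
}

# This server: domain-joined, with Desktop Experience (InstallationType 'Server', not 'Server Core')
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
Add-Result 'Server is domain-joined' $cs.PartOfDomain $cs.Domain
$installType = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType
Add-Result 'Desktop Experience installed' ($installType -eq 'Server') $installType

# Internal DNS: the farm name must resolve (A or CNAME) to the AD FS server
$dns = Resolve-DnsName -Name $FarmName -ErrorAction SilentlyContinue
$addresses = @($dns | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
Add-Result 'Farm name resolves internally' ($addresses.Count -gt 0) ($addresses -join ', ')

# Network paths from this server: AD FS on 443, and the remote-install port to both servers
foreach ($target in @(@($AdfsServer, 443), @($AdfsServer, $RemotePort), @($WapServer, $RemotePort))) {
    $t = Test-NetConnection -ComputerName $target[0] -Port $target[1] -WarningAction SilentlyContinue
    Add-Result "TCP $($target[1]) to $($target[0])" $t.TcpTestSucceeded $t.RemoteAddress
}
# Azure AD metadata exchange endpoint (run the same check on the AD FS server itself)
$nexus = Test-NetConnection -ComputerName 'nexus.microsoftonline-p.com' -Port 443 -WarningAction SilentlyContinue
Add-Result 'nexus.microsoftonline-p.com reachable' $nexus.TcpTestSucceeded $nexus.RemoteAddress

# TLS certificate: private key present, covers the farm name (or a wildcard for its zone), not expired
try {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $PfxPath, $PfxPassword
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
    $parent = $FarmName.Substring($FarmName.IndexOf('.') + 1)
    $covers = ($names -contains $FarmName) -or ($names -contains "*.$parent")
    Add-Result 'PFX contains private key' $cert.HasPrivateKey $cert.Thumbprint
    Add-Result 'Certificate covers farm name' $covers ($names -join ', ')
    Add-Result 'Certificate not expired' ($cert.NotAfter -gt (Get-Date)) ('expires ' + $cert.NotAfter.ToString('yyyy-MM-dd'))
} catch {
    Add-Result 'PFX can be opened' $false $_.Exception.Message
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Ok }) {
    Write-Warning 'At least one requirement is not met; fix it before running the Azure AD Connect wizard.'
}
```

The external DNS record and the verified domain in Azure AD are not checked here, because they are only visible from outside the network and from the Azure AD tenant respectively; the wizard’s Verify federation connectivity screen covers the former.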
Preparing the Azure AD Connect server
Assuming the Windows Server installation is prepared with all required information security measures, we can prepare it further for its purpose as Azure AD Connect server.
Note:
The steps in this part of the manual are based on Windows Server 2019. Several steps may appear differently on older and newer versions of Windows Server.
Perform these steps on the Windows Server that will run Azure AD Connect:
Disable the Internet Explorer Enhanced Security Configuration (IE ESC)
Internet Explorer Enhanced Security Configuration (IE ESC) is one of the default security features on Windows Server. However, we need to disable this feature to be able to:
- Download Azure AD Connect.
- Sign in to the previously created Azure AD tenant.
Perform the following steps:
- Sign into the Windows Server that is to run Azure AD Connect.
- Close the Server Manager pop-up informing you about Windows Admin Center.
- In the left navigation pane of Server Manager, click Local Server.
- In the Properties field for the server, click the link labeled IE Enhanced Security Configuration. It is located in the right column of properties.
The Internet Explorer Enhanced Security Configuration pop-up appears.
- Turn the feature Off for Administrators.
- Click OK.
Enable the Active Directory Recycle Bin
It is convenient to have the Active Directory administration tools, so we’ll install them and then use them to enable the Active Directory Recycle Bin:
- While still in Server Manager, click on Manage in the top gray navigation bar.
- From the Manage menu, click Add Roles and Features.
The Add Roles and Features Wizard appears.
- Click the Next > button on the Before you begin screen.
- Click the Next > button on the Select installation type screen.
- Click the Next > button on the Select destination server screen.
- Click the Next > button on the Select server roles screen.
- On the Select features screen, scroll down the list of available features, until you reach the Remote Server Administration Tools.
- Expand the Remote Server Administration Tools node.
- Expand the Role Administration Tools node.
- Select the AD DS and AD LDS Tools.
- Click the Next > button.
- Click the Install button on the Confirm installation selections screen.
- When installation is done, click the Close button.
- While still in Server Manager, click on Tools in the top gray navigation bar.
- Click the Active Directory Administrative Center from the Tools menu. It is at the top.
The Active Directory Administrative Center window opens.
- In the left navigation pane, click on your domain name.
- In the right Tasks pane, click the Enable Recycle Bin… task.
The Enable Recycle Bin Confirmation pop-up appears.
- Click OK.
Another pop-up appears.
- Click OK.
- Close the Active Directory Administrative Center window.
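The same three preparation steps can be done without the GUI. The script below is an added example for this post, not part of the original, and assumes Windows Server 2019 with Desktop Experience, an elevated PowerShell session and an account that is a member of Enterprise Admins (the Recycle Bin is a forest-wide setting). The Active Setup component GUID used for IE ESC is the well-known Administrators entry; the Users entry is left at its default, matching the GUI steps above.

```powershell
# Added example, not from the original post: the preparation above from an elevated
# PowerShell prompt on the Azure AD Connect server (Windows Server 2019, Desktop Experience).

# 1. IE Enhanced Security Configuration: turn it off for Administrators only. The
#    {A509B1A7-...} Active Setup component is the Administrators setting; the
#    {A509B1A8-...} component (not touched here) is the Users setting.
$ieEscAdmins = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
Set-ItemProperty -Path $ieEscAdmins -Name 'IsInstalled' -Value 0 -Type DWord
# Explorer reads the setting at start-up; Winlogon restarts the shell after it is stopped.
Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue

# 2. AD DS and AD LDS tools (the RSAT-AD-Tools feature group, which includes the
#    Active Directory Administrative Center and the ActiveDirectory PowerShell module)
Install-WindowsFeature -Name RSAT-AD-Tools -IncludeAllSubFeature | Out-Null

# 3. Active Directory Recycle Bin for the forest. As the ADAC confirmation says, this
#    cannot be undone. Enable-ADOptionalFeature fails if the forest functional level
#    is below Windows Server 2008 R2.
Import-Module ActiveDirectory
$forest  = Get-ADForest
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if ($feature.EnabledScopes.Count -gt 0) {
    "Recycle Bin already enabled for: $($feature.EnabledScopes -join ', ')"
} else {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet `
        -Target $forest.RootDomain -Confirm:$false
    "Recycle Bin enabled for forest $($forest.RootDomain)"
}
```

Re-enable IE ESC for Administrators (set IsInstalled back to 1) once Azure AD Connect is installed and signed in; the download and sign-in are the only reasons the post disables it.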
Download Azure AD Connect
Now, let’s download Azure AD Connect, so we can start creating some actual Hybrid Identity goodness:
- Open Internet Explorer from the Start bar.
- In the Internet Explorer 11 pop-up, click OK to use the recommended settings.
- In the address bar of Internet Explorer, type download azure ad connect.
- Press the Enter button. This will initiate a search with Bing.
- Click the search result to the download link from Microsoft.
- Click the Download link.
- From the bottom of the Internet Explorer window, a blade appears with options for the download. Click Save.
Azure AD Connect will now be downloaded.
- Click Open Folder.
A File Explorer window opens in the Downloads folder for the signed-in user.
- Close Internet Explorer.
Copy the TLS certificate
The last requirement for the Azure AD Connect server is the TLS certificate. Copy its *.pfx file to a file location on the Windows Server that will run Azure AD Connect.
Configuring Azure AD Connect
The environment is now prepared. Let’s configure Hybrid Identity!
Note:
The steps in this part of the manual are based on Azure AD Connect version 1.5.45.0. Several steps may appear differently on newer versions of Azure AD Connect.
Perform these steps on the Windows Server that will run Azure AD Connect:
- Double-click the AzureADConnect.msi file.
The Microsoft Azure Active Directory Connect window appears.
- On the Welcome to Azure AD Connect screen, select the I agree to the license terms and privacy notice. option.
- Click the Continue button.
- On the Express Settings screen, click the Customize button.
- On the Install required components screen, click the Install button.
- Wait while Azure AD Connect is installed. This may take several minutes.
- On the User sign-in page, select Federation with AD FS as the sign-in method.
- Click Next.
- On the Connect to Azure AD screen, enter the Username and Password for the Azure AD account you created earlier. Type the complete username including the .onmicrosoft.com part.
- Click the Next button.
Perform multi-factor authentication when prompted.
- On the Connect your directories page, click the Add Directory button to add your Active Directory forest to the scope of Azure AD Connect. The forest name is automatically gathered from the domain membership of the Windows Server installation, but we need to specify the settings for the service account.
The AD forest account dialog appears:
- Select the Create a new AD account option.
- Specify the credentials of the Enterprise Admin account to allow Azure AD Connect to create the service account it needs to connect to Active Directory. The Enterprise Admin credentials are only used to create the account and are not cached or stored by Azure AD Connect.
- Click OK.
- The Active Directory Forest name now appears in the list of Configured directories.
- Click Next.
- On the Azure AD sign-in configuration screen, verify that the DNS domain name has the status Verified. Also accept the userPrincipalName attribute as the on-premises attribute to use as the Azure AD username.
- Click the Next button.
- Click the Next button on the Domain and OU filtering screen.
- Click the Next button on the Uniquely identifying your users screen:
- Click Next on the Filter users and devices screen.
- Click Next on the Optional features screen.
- On the Domain Administrator credentials screen, enter the Username and Password of an Active Directory account with memberships in the Domain Admins or Enterprise Admins group.
- Click the Next button.
- On the AD FS farm screen, choose the Configure a new AD FS Farm option.
- Click the Browse button.
- Navigate to the *.pfx file that you copied earlier.
- Click Open.
The Certificate password dialog appears.
- Type the password for the *.pfx file.
- Click OK.
- Click Next.
- On the AD FS server screen, click the Browse button.
The Select Federation Server dialog window appears.
- In the Select Federation Server dialog window, search for the AD FS server.
- Select the proposed AD FS server from the search results.
- Click OK.
- On the AD FS server screen, click the Next button.
- On the Web Application Proxy server screen, click the Browse button.
The Select Web Application Proxy dialog window appears.
- In the Select Web Application Proxy dialog window, search for the Web Application Proxy.
- Select the proposed Web Application Proxy from the search results.
- Click OK.
- On the Web Application Proxy server screen, click the Next button.
- On the AD FS service account page, provide the credentials of an Enterprise Admin account in the following format.
- Click the Next button.
- On the Azure AD domain screen, use the pull down menu to select your AD domain.
- Click Next.
- On the Ready to configure screen, click the Install button.
- On the Configuration complete screen, click the Next button.
- On the Verify federation connectivity screen, enable the I have created DNS A records that allow clients to resolve my federation service from the extranet. option, too.
- Click the Verify button.
- On the Verify federation connectivity screen examine the outcome of the verification check.
- Click Exit.
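Once the wizard reports success, it is worth confirming from the AD FS server itself what it created, and enabling the auditing named earlier as one of AD FS’s advantages. The script below is an added example for this post (not Microsoft’s and not the author’s) and assumes an elevated PowerShell session on the AD FS server, AD FS on Windows Server 2016 or later (needed for Set-AdfsProperties -AuditLevel), and that the relying party trust Azure AD Connect created carries the standard urn:federation:MicrosoftOnline identifier.

```powershell
# Added example, not from the original post: post-configuration checks on the AD FS server
# after the Azure AD Connect wizard finishes, plus the audit settings a SIEM needs.
Import-Module ADFS

# Farm identity and the role of this node (PrimaryComputer for the first farm member)
$props = Get-AdfsProperties
$sync  = Get-AdfsSyncProperties
"Federation service: $($props.HostName)  identifier: $($props.Identifier)  role: $($sync.Role)"

# Service communications (TLS) certificate bound to 443, and the token-signing/decrypting certificates
Get-AdfsSslCertificate | Select-Object HostName, PortNumber, CertificateHash
Get-AdfsCertificate | Select-Object CertificateType, IsPrimary,
    @{ n = 'Thumbprint'; e = { $_.Thumbprint } },
    @{ n = 'NotAfter';   e = { $_.Certificate.NotAfter } }

# The relying party trust for Azure AD (identifier urn:federation:MicrosoftOnline)
$rp = Get-AdfsRelyingPartyTrust | Where-Object { $_.Identifier -contains 'urn:federation:MicrosoftOnline' }
if ($rp) { "Azure AD relying party trust: $($rp.Name) (enabled: $($rp.Enabled))" }
else     { Write-Warning 'No relying party trust with identifier urn:federation:MicrosoftOnline found' }

# Federation metadata endpoint that Azure AD reads; its entityID must match the farm identifier
$metaUrl = "https://$($props.HostName)/FederationMetadata/2007-06/FederationMetadata.xml"
try {
    $meta = Invoke-WebRequest -Uri $metaUrl -UseBasicParsing
    [xml]$xml = $meta.Content
    "Metadata OK ($($meta.StatusCode)); entityID: $($xml.EntityDescriptor.entityID)"
} catch { Write-Warning "Metadata endpoint not reachable: $($_.Exception.Message)" }

# Auditing: AD FS writes sign-in events to the Security log only when both its own audit
# level and the Windows 'Application Generated' audit subcategory are enabled.
Set-AdfsProperties -AuditLevel Verbose
auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable
"AD FS audit level now: $((Get-AdfsProperties).AuditLevel -join ', ')"
```

The AD FS service account also needs the “Generate security audits” user right on the server for these events to appear; the wizard grants it when it creates the farm. Forward the Security log of every AD FS server, not only the primary, since each node audits its own sign-ins.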
Concluding
With the above steps, after meeting the requirements, you can have an AD FS farm, allowing people in your organization to authenticate to Azure AD, running within half an hour.