Forum Discussion
Questions on on-prem ADFS migration to Azure MFA
Hi Experts,
One of our customer currently has the below environment:
- Currently we’ve on-prem Windows 2016 ADFS – SSO installed.
- Conditional access has been enabled for External users.
- Hybrid is enabled and MFA is also enabled in Azure Active directory.
Current behavior:
If someone browses admin.microsoft.com,
The request will hit on-prem ADFS and apply conditional access (If it is external users then it’ll prompt for MFA else it won’t). MFA is currently enabled in Azure Active directory.
The behavior we want to achieve is,
If someone browses admin.microsoft.com,
The request should hit Azure AD MFA irrespective of internal/external users and get rid of on-prem ADFS-SSO.
How can we achieve it?
Any inputs would be of great help!
- Michael TangBrass Contributor
Get rid of on-premises ADFS-SSO? Not sure if you mean migrate from ADFS to PHS or PTA.
If you want to keep ADFS and use Azure MFA. Then you need to configure Azure MFA as an authentication provider for ADFS. You should check if other services are using ADFS, some applications don't support certain Azure MFA authentication methods, like no prompt for TOTP or no notification to check your Authenticator app for approval.
- NewlifeBrass Contributor
Michael Tang - Thank you very much Michael for your inputs.
Here, the context is customer would like to get rid of ADFS and only use Azure AD SSO with Azure MFA.
Please advise. Many thanks in advance.
- Michael TangBrass Contributor
In a nut shell.
Decide if you want to sync passwords or use pass-thru authentication for Azure AD Authentication. If your organization doesn't want to store password hashes in cloud use PTA.
If it's PHS, I would first start by enabling Password Hash Sync in Azure AD Connect Sync Optional Features.
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tutorial-phs-backup
Once you verify you have Password Hash Sync working properly in the portal.
You can run Azure AD Connect again and change the sign-in options, to PHS and convert from federated to managed authentication.
Depending on the number of objects you sync, It could be quick or take a bit of time to convert.
I would take a look through this.
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/
- Waqas_Ali2014Copper Contributor