New Azure Active Directory resilience features: action required

First published on CloudBlogs on Oct 27, 2017
Howdy folks,

If you are federating a separate identity system with your Azure Active Directory tenant, such as Active Directory Federation Server (ADFS), this blog post is for you!

We’re totally committed to maximizing Azure Active Directory service availability. As part of that commitment we’re adding more resilience features over the coming months. For most users, especially those who authenticate directly with Azure Active Directory, these benefits are completely transparent and just automatically deliver more reliability. However, organizations that use another identity system federated to Azure Active Directory for user authentication will need to make some configuration changes to see the benefits. This post gives you the information you need to make those changes and take full advantage of the enhancements.

The new Azure Active Directory features will enable an additional layer of failover. I'll blog more about these new features in the coming weeks, but if you want the benefits of the extra availability they provide, your federation server needs to be configured to accept requests from additional URLs. If these URLs are not configured there is no impact compared with today, but the users of the federated system won’t see the additional resilience benefits.

Running ADFS with AD Connect?

If you are running ADFS and an up-to-date version of AD Connect, then AD Connect will make these changes for you and you don’t need to take any action. You can still use the information in this post to check that the ADFS configuration has been updated.

ADFS without AD Connect?

If you are running ADFS without AD Connect, or a different IdP federated to AAD, you will need to make the configuration changes yourself. You can do that now so your systems are ready to go. Below you’ll find:
  • The new URLs that should be configured as valid endpoints on Identity Providers federated with AAD
  • Specific instructions for manually making the configuration changes to ADFS
  • How to check that your ADFS configuration has been updated if you have AD Connect set up in your environment
  • How to roll-back the ADFS changes (if you need to)

New endpoints required in Relying Party Trust Configuration

Your federated identity provider will need to handle the following set of reply URLs in the Relying Party Trust configuration:
  • https://stamp2.login.microsoftonline.com/login.srf
  • https://ccs.login.microsoftonline.com/ccs/login.srf
  • https://ccs-sdf.login.microsoftonline.com/ccs/login.srf

Specific instructions to update ADFS

Use PowerShell to update your ADFS configuration. This needs to be done on only one ADFS node. For Windows 2008 and earlier systems you may need to load the ADFS PowerShell module if you haven’t already done so.

    $rp = Get-AdfsRelyingPartyTrust -Identifier urn:federation:MicrosoftOnline
    $endpoints = New-Object System.Collections.ArrayList
    # Keep any additional endpoints that are already configured on the trust
    if ( $rp.AdditionalWSFedEndpoint ) { $rp.AdditionalWSFedEndpoint | %{ [void]$endpoints.Add($_) } }
    # Append the three new reply URLs ([void] suppresses the index ArrayList.Add returns)
    [void]$endpoints.Add("https://stamp2.login.microsoftonline.com/login.srf")
    [void]$endpoints.Add("https://ccs.login.microsoftonline.com/ccs/login.srf")
    [void]$endpoints.Add("https://ccs-sdf.login.microsoftonline.com/ccs/login.srf")
    Set-AdfsRelyingPartyTrust -TargetName $rp.Name -AdditionalWSFedEndpoint $endpoints

Checking your ADFS configuration

To verify the current settings, use the PowerShell command below and inspect the AdditionalWSFedEndpoint property of the Microsoft Online relying party trust:

    Get-AdfsRelyingPartyTrust -Identifier urn:federation:MicrosoftOnline
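The following is an added example and not code from the original post: it checks the Microsoft Online relying party trust for each of the three reply URLs listed above and, with the -Fix switch, adds only the ones that are missing, so it can be re-run safely. The function name and the -Fix switch are my own; the cmdlets and the AdditionalWSFedEndpoint property are the ones used elsewhere in this post, and the script assumes the ADFS module is loaded in an elevated session on one ADFS node.

```powershell
# Added example (not from the original post). Run on one ADFS node in an
# elevated PowerShell session with the ADFS module loaded. The function name
# and the -Fix switch are made up for this example.
$RequiredEndpoints = @(
    'https://stamp2.login.microsoftonline.com/login.srf',
    'https://ccs.login.microsoftonline.com/ccs/login.srf',
    'https://ccs-sdf.login.microsoftonline.com/ccs/login.srf'
)

function Test-AadResilienceEndpoints {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Add whatever is missing instead of only reporting it.
        [switch]$Fix
    )

    $rp = Get-AdfsRelyingPartyTrust -Identifier 'urn:federation:MicrosoftOnline'
    if (-not $rp) {
        throw 'Relying party trust urn:federation:MicrosoftOnline not found on this farm.'
    }

    # AdditionalWSFedEndpoint is $null until something has been added to it.
    $current = @($rp.AdditionalWSFedEndpoint | Where-Object { $_ } | ForEach-Object { $_.Trim() })

    # Case-insensitive comparison; Trim() above means a URL pasted with stray
    # spaces (easy to do from a web page) is reported as missing, not present.
    $report = foreach ($url in $RequiredEndpoints) {
        [pscustomobject]@{
            Url     = $url
            Present = [bool]($current | Where-Object { $_ -ieq $url })
        }
    }
    $missing = @($report | Where-Object { -not $_.Present } | ForEach-Object { $_.Url })

    if ($Fix -and $missing.Count -gt 0) {
        # Preserve existing endpoints and append only the missing ones, so the
        # call is idempotent and never duplicates a URL.
        $updated = $current + $missing
        if ($PSCmdlet.ShouldProcess($rp.Name, "Add $($missing.Count) reply URL(s)")) {
            Set-AdfsRelyingPartyTrust -TargetName $rp.Name -AdditionalWSFedEndpoint $updated
        }
    }

    return $report
}

# Report only; add -Fix to apply, or -Fix -WhatIf to preview the change.
Test-AadResilienceEndpoints | Format-Table -AutoSize
```

Because the report is returned as objects, the same function can be scheduled as a monitoring job that alerts when any row shows Present = False.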

Rolling back

If you need to roll back your changes for any reason, here’s how to do that in PowerShell:

    $rp = Get-AdfsRelyingPartyTrust -Identifier urn:federation:MicrosoftOnline
    $endpoints = New-Object System.Collections.ArrayList
    # Start from the endpoints currently configured on the trust
    if ( $rp.AdditionalWSFedEndpoint ) { $rp.AdditionalWSFedEndpoint | %{ [void]$endpoints.Add($_) } }
    # Remove the three reply URLs added above
    $endpoints.Remove("https://stamp2.login.microsoftonline.com/login.srf")
    $endpoints.Remove("https://ccs.login.microsoftonline.com/ccs/login.srf")
    $endpoints.Remove("https://ccs-sdf.login.microsoftonline.com/ccs/login.srf")
    Set-AdfsRelyingPartyTrust -TargetName $rp.Name -AdditionalWSFedEndpoint $endpoints

Wrapping up

We strongly encourage you to take advantage of these changes to maximize the reliability of your system. Have feedback or thoughts about these changes? We’d like to hear them. Please share with us in the comments below. We look forward to hearing from you!

Best regards,
Alex Simons (Twitter: @Alex_A_Simons)
Director of Program Management
Microsoft Identity Division

Update 11/1/17: Corrected Get-AdfsRelyingPartyTrust syntax to -Identifier from -Name and added the version of AD Connect required for auto-update of the relying party trust.