cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Questions on on-prem ADFS migration to Azure MFA

Newlife
Brass Contributor

‎Mar 18 2020 03:34 AM

‎Mar 18 2020 03:34 AM

Questions on on-prem ADFS migration to Azure MFA

Hi Experts, 

One of our customer currently has the below environment:

 

  • Currently we’ve on-prem Windows 2016 ADFS – SSO installed.
  • Conditional access has been enabled for External users.
  • Hybrid is enabled and MFA is also enabled in Azure Active directory.

 

Current behavior:

 

If someone browses admin.microsoft.com,

 

The request will hit on-prem ADFS and apply conditional access (If it is external users then it’ll prompt for MFA else it won’t). MFA is currently enabled in Azure Active directory.

 

The behavior we want to achieve is,

 

If someone browses admin.microsoft.com,

 

The request should hit Azure AD MFA irrespective of internal/external users and get rid of on-prem ADFS-SSO.

 

How can we achieve it?

 

Any inputs would be of great help!

2,390 Views
0 Likes
4 Replies
Reply
4 Replies
Michael Tang

‎Mar 21 2020 11:42 AM

‎Mar 21 2020 11:42 AM

Re: Questions on on-prem ADFS migration to Azure MFA

@Newlife 

 

Get rid of on-premises ADFS-SSO? Not sure if you mean migrate from ADFS to PHS or PTA. 

 

If you want to keep ADFS and use Azure MFA. Then you need to configure Azure MFA as an authentication provider for ADFS.  You should check if other services are using ADFS, some applications don't support certain Azure MFA authentication methods, like no prompt for TOTP or no notification to check your Authenticator app for approval.

 

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-...

 

 

0 Likes
Reply
Newlife

‎Mar 30 2020 04:44 AM

‎Mar 30 2020 04:44 AM

Re: Questions on on-prem ADFS migration to Azure MFA

@Michael Tang - Thank you very much Michael for your inputs. 

 

Here, the context is customer would like to get rid of ADFS and only use Azure AD SSO with Azure MFA.

 

Please advise. Many thanks in advance. 

0 Likes
Reply
Michael Tang

‎Mar 31 2020 12:14 AM

‎Mar 31 2020 12:14 AM

Re: Questions on on-prem ADFS migration to Azure MFA

@Newlife 

 

In a nut shell.

Decide if you want to sync passwords or use pass-thru authentication for Azure AD Authentication.  If your organization doesn't want to store password hashes in cloud use PTA.

 

If it's PHS, I would first start by enabling Password Hash Sync in Azure AD Connect Sync Optional Features. 

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tutorial-phs-backup

 

Once you verify you have Password Hash Sync working properly in the portal.

You can run Azure AD Connect again and change the sign-in options, to PHS and convert from federated to managed authentication.

 

Depending on the number of objects you sync, It could be quick or take a bit of time to convert. 

 

I would take a look through this.

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/

 

 

 

0 Likes
Reply
Waqas_Ali2014

‎Mar 14 2021 09:53 PM

‎Mar 14 2021 09:53 PM

Re: Questions on on-prem ADFS migration to Azure MFA

Hi @Newlife
Did you get a solution of it? if yes kindly share it.
Thnaks
0 Likes
Reply