This step-by-step guide walks through the implementation of cloud authentication in a four-step process: plan, back up, implement and validate.
Purpose of this story
Design and migrate an existing AD FS federation to cloud authentication with Seamless Single Sign-On, replacing federated authentication with Azure Active Directory.
Seamless Single Sign-on
Easy to integrate
1. Works with Password Hash Sync and Pass-through Authentication
2. Supports Alternate Login ID
Easy to administer
1. No additional on-premises infrastructure
2. Register non-Windows 10 devices without AD FS
Great user experience
SSO experience from domain-joined devices within your corporate network
Design Consideration
The following is the high-level design approach for the migration scope of this project:
· Choosing the right cloud authentication method
· Deployment of Azure AD Connect
· Migrating any AD FS custom claims authorization rules to conditional access policies
· Configuring Multi-factor authentication (Azure MFA)
· Assigning licenses to users
· Providing detailed backup and restoration steps for AD FS
Right Authentication Method for Azure Active Directory Hybrid Identity
When extending on-premises Active Directory to a cloud identity solution, choosing the right authentication method is the first decision for any organization that will support applications in the cloud. Authentication is the crucial control once an organization exposes its applications to the outside world, and the choice made here directly affects the security posture.
The authentication method is configured in Azure AD Connect, the same component that provisions directory synchronization of users to the cloud, by selecting the desired user sign-in option.
Before we will be proceeding with the migration approach, first we need to understand the different types of cloud authentication as follows-
Azure AD Password Hash Synchronization (PHS): cloud-based authentication using the same password as on-premises. The quickest method to deploy, and it supports Seamless SSO. Azure AD Connect synchronizes password hashes every 2 minutes. The on-premises NT (MD4) hash is never sent as-is: Azure AD Connect adds a per-user salt and runs 1000 iterations of PBKDF2-HMAC-SHA256 over it, so what Azure AD stores is SHA256(salt + MD4(password), 1000), from which neither the password nor the original hash can be recovered.
Azure AD MFA, Conditional Access policies and, with an Azure AD Premium P2 license, Azure AD Identity Protection (including its leaked-credential detection, which requires PHS) are supported with this authentication method.
Cost of implementation — low
Scalability / Fault-Tolerance — Cloud Scalability
AZURE AD connect health monitoring — Limited
Azure AD Pass-through Authentication (PTA): cloud-based authentication with password validation performed on-premises by lightweight authentication agents, so the on-premises footprint is minimal. It also supports Seamless SSO. Organizations with a security requirement to immediately enforce on-premises user account states, password policies and sign-in hours should use this authentication method.
Features such as Smart Lockout protection against on-premises account lockout, Conditional Access policies and on-premises password policies are supported.
Cost of implementation — medium
Scalability / Fault-Tolerance — Cloud Scalability
AZURE AD connect health monitoring — Not integrated
Goals for cloud Authentication with Seamless Single Sign-on
Switching from federation to the Cloud method and Seamless Single Sign-on will benefit the business in the following ways:
- MANAGE COST
- ROBUST AUDITING AND USAGE TRACKING
- REDUCE COMPLEXITY AND RISK
- FLEXIBILITY AND SECURITY
Prerequisites
The latest build of AAD Connect is installed. Download the latest version of Azure AD Connect here
Implement the PHS + SSO authentication method
1) Azure AD Connect must be installed on a domain-joined Windows Server 2012 or later
2) An Azure Global Administrator account is available to configure PHS in your tenant and migrate from federated to managed.
3) A Domain Administrator account is available to configure Seamless SSO in the on-premises Active Directory.
4) Modern Authentication is enabled in your Office 365 tenant for both Exchange Online and Skype for Business Online. Please refer to this article for steps on enabling Modern Authentication.
5) Modern Authentication is enabled for any Office 2013 clients.
Implement PTA + SSO authentication method
1) Outbound TCP ports 80, 443 and 8080 are allowed from the Azure AD Connect server and from any other server where you plan to install a Pass-through Authentication agent.
2) If the Azure AD Connect server sits behind a firewall or proxy that supports DNS allow lists, allow connections to *.msappproxy.net and *.servicebus.windows.net. Otherwise, allow access to the Azure datacenter IP ranges, which Microsoft updates weekly.
3) The servers hosting Authentication Agents must also be able to reach login.windows.net and login.microsoftonline.com for the initial agent registration.
Note: For most customers, two or three authentication agents are sufficient for high availability and capacity, and a tenant can have no more than 12 agents registered. The first agent is always installed on the Azure AD Connect server itself.
4) Azure AD Connect must be installed on a domain-joined Windows Server 2012 or later
5) An Azure AD Global Administrator account is available to configure PTA in your tenant and migrate from federated to managed.
6) A Domain Administrator account is available to configure Seamless SSO in the on-premises Active Directory.
7) Modern Authentication is enabled in your Office 365 tenant for both Exchange Online and Skype for Business Online. Please refer to this article for steps on enabling Modern Authentication.
8) Modern Authentication is enabled for any Office 2013 clients.
Planning
Deployment Strategy
Deployment stages depend on the environments available to you. If a non-production Azure AD tenant exists, plan the migration as a proof of concept (POC) in that tenant, outside of your production environment, before touching production.
Migration Method
There are two methods to migrate from federated authentication to Cloud Managed (PHS or PTA and Seamless SSO)
1) Using Azure AD Connect
2) Using Azure AD Connect with PowerShell
To decide which method you should use, perform the checks in the following sections.
Verify Current User Sign-in settings
Verify your current user sign-in settings by logging into the Azure AD portal https://aad.portal.azure.com with a Global Administrator account.
In the User Sign-In section, verify that Federation is Enabled and that Seamless Single Sign-on and Pass-through Authentication are Disabled.
Verify How Federation was Configured
1. Go to your Azure AD Connect server and launch Azure AD Connect, then select Configure.
2. On the Additional Tasks screen, select View Current Configuration and then select Next.
Understand Current Federation Settings
You can find the current federation setting by running the Get-MsolDomainFederationSettings cmdlet.
For example:
Get-MsolDomainFederationSettings -DomainName rameshseshadri.com | fl *
Backup Federation Settings
Back up the AD FS configuration with the free Microsoft AD FS Rapid Restore Tool. This tool can back up and restore AD FS, either to an existing farm or to a new farm.
Microsoft recommends that you do not shut down the AD FS environment or remove the Office 365 relying party trust until you have verified that all users are successfully authenticating using cloud authentication.
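The following is an added example (not part of the original post) that does the two things this section asks for in one run: it records the tenant's current sign-in state and the federation settings of every federated domain, then backs up the AD FS farm with the Rapid Restore Tool. It assumes it is run on the primary AD FS server with the MSOnline module and the Rapid Restore Tool (module ADFSRapidRecreationTool) installed; the backup path and the encryption password are placeholders.

```powershell
# Added example, not from the original post: snapshot the tenant's federation
# settings and back up the AD FS farm before the cut-over.
# Assumptions: run on the primary AD FS server as a local administrator with the
# MSOnline module and the AD FS Rapid Restore Tool installed. $BackupRoot is a
# placeholder; choose a location that is itself backed up and access-controlled,
# because the export contains the farm's certificates and DKM material.

$BackupRoot = 'C:\ADFSMigrationBackup'
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

# --- Part 1: record the current Azure AD sign-in configuration ---
Import-Module MSOnline
Connect-MsolService   # prompts for a Global Administrator

# Tenant-level state: is password hash sync already on, and when did it last run?
Get-MsolCompanyInformation |
    Select-Object DisplayName, DirectorySynchronizationEnabled,
                  PasswordSynchronizationEnabled, LastDirSyncTime, LastPasswordSyncTime |
    Export-Clixml -Path (Join-Path $BackupRoot 'CompanyInformation.xml')

# Per-domain state (Name, Status, Authentication = Managed or Federated).
$domains = Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' }
$domains | Export-Clixml -Path (Join-Path $BackupRoot 'Domains.xml')

# Only federated domains carry federation settings. Saving them lets you
# re-create the trust with Set-MsolDomainAuthentication if you must roll back.
foreach ($d in $domains | Where-Object { $_.Authentication -eq 'Federated' }) {
    $settings = Get-MsolDomainFederationSettings -DomainName $d.Name
    $settings | Export-Clixml -Path (Join-Path $BackupRoot "$($d.Name).federation.xml")
    # Echo the values an operator needs for a manual rollback.
    $settings | Select-Object FederationBrandName, IssuerUri, PassiveLogOnUri,
                              ActiveLogOnUri, LogOffUri, MetadataExchangeUri
}

# --- Part 2: full farm backup with the AD FS Rapid Restore Tool ---
Import-Module ADFSRapidRecreationTool
$EncryptionPassword = Read-Host -Prompt 'Backup encryption password'   # placeholder input
Backup-ADFS -StorageType 'FileSystem' -StoragePath $BackupRoot `
            -EncryptionPassword $EncryptionPassword `
            -BackupComment 'Pre cloud-authentication migration' -BackupDKM
```

The Export-Clixml files preserve the object types, so the federation settings can be read back with Import-Clixml during a rollback. The -BackupDKM switch is what makes a restore to a new farm possible, since the token-signing and decryption keys are protected by the DKM container in Active Directory.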
Implement
Now that you have planned your solution, you are ready to implement it.
Solution Consideration
Implementation includes the following components:
1. Preparing for Seamless Single Sign-on
2. Changing the sign-in method to either Password Hash Synchronization or Pass-through Authentication, with Seamless SSO enabled
Prepare for Seamless SSO
To Configure Seamless SSO for intranet users, you need to add an Azure AD URL to the users’ Intranet zone settings by using Group Policy in Active Directory.
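As an added example (not part of the original post), the Group Policy described above can be created and linked from PowerShell instead of the Group Policy Management Console. It uses the GroupPolicy module (RSAT), and the GPO name and target OU are placeholders. The Seamless SSO URL and the Intranet zone number are the documented values; the zone policy value 2103 is the registry name under which Internet Explorer stores the "Allow updates to status bar via script" setting, with 0 meaning Enabled.

```powershell
# Added example, not from the original post: create and link the GPO that puts
# the Azure AD Seamless SSO endpoint in the users' Local intranet zone.
# Run on a domain controller or RSAT host as a user allowed to create/link GPOs.
# Assumptions: $GpoName and $TargetOu are placeholders for your environment.
Import-Module GroupPolicy

$GpoName  = 'Azure AD Seamless SSO - Intranet Zone'
$TargetOu = 'OU=Workstations,DC=corp,DC=example,DC=com'   # placeholder OU
$SsoUrl   = 'https://autologon.microsoftazuread-sso.com'

# Site to Zone Assignment List: each value name is a URL, the data is the zone
# number. 1 = Local intranet, which is the zone that sends Kerberos tickets.
$ZoneMapKey = 'HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
# Per-zone settings for zone 1. 2103 = "Allow updates to status bar via script"; 0 = Enabled.
$IntranetZoneKey = 'HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1'

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment 'Seamless SSO prerequisite' }

# Assign exactly the SSO endpoint, not a broader wildcard: anything placed in
# the intranet zone gets automatic Windows authentication from the browser.
Set-GPRegistryValue -Name $GpoName -Key $ZoneMapKey -ValueName $SsoUrl -Type String -Value '1' | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $IntranetZoneKey -ValueName '2103' -Type DWord -Value 0 | Out-Null

# Link once; New-GPLink fails if the link already exists.
$existingLink = (Get-GPInheritance -Target $TargetOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $existingLink) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Read back what the GPO will deliver to clients.
Get-GPRegistryValue -Name $GpoName -Key $ZoneMapKey
Get-GPRegistryValue -Name $GpoName -Key $IntranetZoneKey -ValueName '2103'

# On a domain-joined client, after 'gpupdate /force', confirm the policy landed
# (the value should be 1 for the SSO URL):
$clientKey = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
(Get-ItemProperty -Path $clientKey -ErrorAction SilentlyContinue).$SsoUrl
```

Scope the link to the OUs that hold the users who should get SSO; because the setting is in User Configuration, the GPO must apply to user objects (or use loopback processing on the computer OU).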
Change sign-in method (PHS or PTA, with Seamless SSO)
Selection A: Configuring Password Hash Synchronization by using Azure AD Connect
Use this procedure if the federation with AD FS was originally configured through Azure AD Connect. If AD FS was set up outside Azure AD Connect, the wizard cannot switch the sign-in method this way; use the Azure AD Connect with PowerShell migration method instead.
Change the user Sign-in method
1) On the Azure AD Connect Server, open the wizard.
2) Select Change User Sign in and then select Next.
3) In the Connect to Azure AD screen provide the username and password of a Global Administrator.
4) On the User Sign-in screen, change the selection from Federation with AD FS to Password Hash Synchronization, select Enable single sign-on, then select Next.
5) In Enable Single Sign-on screen, enter the credentials of the Domain Administrator account, then select Next.
6) In the Ready to Configure screen, make sure the “Start Synchronization process when configuration completes” checkbox is selected. Then select Configure.
Post Validation
1) Open the Azure AD portal, select Azure Active Directory, and then select Azure AD Connect.
2) Verify that Federation is Disabled while Seamless single sign-on and Password Hash Synchronization are Enabled.
Selection B: Configuring Pass-through Authentication by using Azure AD Connect
Use this procedure if the federation with AD FS was originally configured through Azure AD Connect. If AD FS was set up outside Azure AD Connect, the wizard cannot switch the sign-in method this way; use the Azure AD Connect with PowerShell migration method instead.
Change the user Sign-in method
1) On the Azure AD Connect Server, open the wizard.
2) Select Change User Sign in and then select Next.
3) In the Connect to Azure AD screen provide the username and password of a Global Administrator.
4) On the User Sign-in screen, change the selection from Federation with AD FS to Pass-through Authentication, select Enable single sign-on, then select Next.
5) In Enable Single Sign-on screen, enter the credentials of the Domain Administrator account, then select Next.
6) In the Ready to Configure screen, make sure the “Start Synchronization process when configuration completes” checkbox is selected. Then select Configure.
Post Validation
1) Open the Azure AD portal, select Azure Active Directory, and then select Azure AD Connect.
2) Verify that Federation is Disabled while Seamless single sign-on and Pass-through authentication are Enabled.
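The following is an added example (not part of the original post) of the second migration method listed under Planning, Azure AD Connect with PowerShell, together with a scripted version of the post-validation checks for both Selection A and Selection B. It assumes the wizard has already enabled PHS or PTA in the tenant, that it runs on the Azure AD Connect server as a Global Administrator, and that the domain name and the sign-in method variable are placeholders. The AzureADSSO.psd1 module is the one shipped with Azure AD Connect.

```powershell
# Added example, not from the original post: cut a federated domain over to
# cloud authentication with PowerShell and validate the result.
# Assumptions: run on the Azure AD Connect server as an Azure AD Global
# Administrator after PHS or PTA has been enabled; $DomainName is a placeholder.
Import-Module MSOnline
Connect-MsolService

$DomainName   = 'rameshseshadri.com'   # placeholder: the federated domain to convert
$SignInMethod = 'PHS'                  # 'PHS' or 'PTA', whichever the wizard enabled

# Guard 1 (PHS): never convert before at least one password hash sync has
# completed, or every user in the domain is locked out when federation stops.
$company = Get-MsolCompanyInformation
if ($SignInMethod -eq 'PHS' -and
    (-not $company.PasswordSynchronizationEnabled -or -not $company.LastPasswordSyncTime)) {
    throw "Password hash sync has not completed (LastPasswordSyncTime = $($company.LastPasswordSyncTime)). Aborting."
}

# Guard 2: only act on a domain that is actually federated.
$domain = Get-MsolDomain -DomainName $DomainName
if ($domain.Authentication -ne 'Federated') {
    throw "$DomainName is already '$($domain.Authentication)'. Nothing to do."
}

# The cut-over itself: Azure AD stops redirecting this domain to AD FS.
# Do this in a maintenance window; the AD FS farm stays up for rollback.
Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Managed

# Enable Seamless SSO with the module that ships with Azure AD Connect
# (the PowerShell equivalent of the wizard's "Enable single sign-on" checkbox).
Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'
New-AzureADSSOAuthenticationContext                              # prompts for the Global Administrator
Enable-AzureADSSOForest -OnPremCredentials (Get-Credential -Message 'Domain Administrator')
Enable-AzureADSSO -Enable $true

# Post validation: the same facts the portal shows under Azure AD Connect.
$after = Get-MsolDomain -DomainName $DomainName
[pscustomobject]@{
    Domain                  = $after.Name
    Authentication          = $after.Authentication                                   # expected: Managed
    PasswordHashSyncEnabled = (Get-MsolCompanyInformation).PasswordSynchronizationEnabled
    SeamlessSsoStatus       = Get-AzureADSSOStatus                                     # JSON with Enable and Domains
}
```

Keep the two guards even when using the wizard path: the first catches a tenant where hashes have not synchronized yet, the most common cause of a lock-out at cut-over, and the second prevents re-running the conversion against a domain that is already managed. For PTA, also confirm in the portal that the authentication agents are active before converting the domain.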
Test Password Hash Synchronization / Pass-through Authentication
While your tenant was using federation, users were redirected from the Azure AD login page to your AD FS environment. Now that the tenant is configured to use either Password Hash Synchronization or Pass-through Authentication instead of federation, users are no longer redirected to AD FS and instead sign in directly on the Azure AD login page. Test this from a domain-joined device on the corporate network (where Seamless SSO should sign the user in without a password prompt) and from an external device (where the Azure AD login page should accept the on-premises password).
Thanks for reading!
Ramesh Seshadri