Required changes to your ADFS environment (related to #AzureAD)

November 7, 2017 Chris Spanougakis

As the Azure AD product group plans to implement some new features related to service availability, you should make some changes if you use another identity system federated to Azure Active Directory for user authentication. If you authenticate directly with Azure AD, you don’t need to change anything.

The new Azure Active Directory features will enable an additional layer of failover. We’ll get more details related to this in the near future, but for now your federation server needs to be configured to accept requests from additional URLs. If these URLs are not configured there is no impact compared with today, but the users of the federated system won’t see the additional resilience benefits.

 

1. Running ADFS with AD Connect
If you are running ADFS and an up-to-date version of AD Connect then AD Connect will make these changes for you and you don’t need to take any action. You can use the information in this post, however, to check that the ADFS configuration has been updated.

2. ADFS without AD Connect
If you are running ADFS without AD Connect or a different IdP federated to AAD, you will need to make the configuration changes yourself, and you can do that now, so your systems are ready to go.

 

So let’s see what you need to change.

1. New endpoints required in Relying Party Trust Configuration
You need to use the following set of reply URLs in the Relying Party Trust configuration:

https://stamp2.login.microsoftonline.com/login.srf
https://ccs.login.microsoftonline.com/ccs/login.srf
https://ccs-sdf.login.microsoftonline.com/ccs/login.srf

 

2. What do you need to do to update ADFS
On one ADFS node, run the following PowerShell commands. If you use Windows 2008 and earlier systems you may need to load the ADFS PowerShell module first:

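# Fetch the Azure AD / Office 365 relying party trust
$rp = Get-AdfsRelyingPartyTrust -Identifier urn:federation:MicrosoftOnline

# Start from the additional WS-Fed endpoints that are already configured
$endpoints = New-Object System.Collections.ArrayList
if ( $rp.AdditionalWSFedEndpoint ) { $rp.AdditionalWSFedEndpoint | ForEach-Object { [void]$endpoints.Add($_) } }

# Append the three new reply URLs ([void] suppresses the index that Add() returns)
[void]$endpoints.Add("https://stamp2.login.microsoftonline.com/login.srf")
[void]$endpoints.Add("https://ccs.login.microsoftonline.com/ccs/login.srf")
[void]$endpoints.Add("https://ccs-sdf.login.microsoftonline.com/ccs/login.srf")

# Write the combined list back to the trust
Set-AdfsRelyingPartyTrust -TargetName $rp.Name -AdditionalWSFedEndpoint $endpoints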

 

Then, to verify current settings use the PowerShell command:

Get-AdfsRelyingPartyTrust
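
A narrower check than listing every trust, as an added example that is not part of the original post: it reports which of the three reply URLs above are present or missing on the urn:federation:MicrosoftOnline trust and, with -Fix, appends only the missing ones so that re-running does not add entries that are already there. The function name Test-AadAdditionalEndpoints is hypothetical, and the "Unexpected" check assumes every additional reply URL on this trust should be HTTPS on login.microsoftonline.com or a subdomain of it.

```powershell
# Added example (not from the original post). Read-only unless -Fix is passed.
function Test-AadAdditionalEndpoints {
    param([switch]$Fix)

    # The three reply URLs listed in this post
    $required = @(
        'https://stamp2.login.microsoftonline.com/login.srf',
        'https://ccs.login.microsoftonline.com/ccs/login.srf',
        'https://ccs-sdf.login.microsoftonline.com/ccs/login.srf'
    )

    $rp = Get-AdfsRelyingPartyTrust -Identifier 'urn:federation:MicrosoftOnline'
    if (-not $rp) { throw 'Relying party trust urn:federation:MicrosoftOnline not found.' }

    # Normalise to an array and drop empty entries
    $current = @($rp.AdditionalWSFedEndpoint | Where-Object { $_ })
    $missing = @($required | Where-Object { $current -notcontains $_ })

    # Assumption: reply URLs on this trust should be HTTPS on login.microsoftonline.com
    # (or a subdomain). Tokens are posted to these URLs, so anything else deserves review.
    $unexpected = @($current | Where-Object {
        $u = $null
        $ok = [uri]::TryCreate($_, [System.UriKind]::Absolute, [ref]$u)
        -not $ok -or $u.Scheme -ne 'https' -or
            ($u.Host -ne 'login.microsoftonline.com' -and
             $u.Host -notlike '*.login.microsoftonline.com')
    })

    $changed = $false
    if ($Fix -and $missing.Count -gt 0) {
        # Keep existing entries and append only what is absent
        Set-AdfsRelyingPartyTrust -TargetName $rp.Name `
            -AdditionalWSFedEndpoint ($current + $missing)
        $changed = $true
    }

    [pscustomobject]@{
        TrustName  = $rp.Name
        Present    = @($required | Where-Object { $current -contains $_ })
        Missing    = $missing
        Unexpected = $unexpected
        Changed    = $changed
    }
}

# Audit only; run "Test-AadAdditionalEndpoints -Fix" to add the missing URLs
Test-AadAdditionalEndpoints | Format-List
```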

 

What if you want to roll back your changes for any reason? Run these commands:

# Fetch the Azure AD / Office 365 relying party trust
$rp = Get-AdfsRelyingPartyTrust -Identifier urn:federation:MicrosoftOnline

# Copy the currently configured additional WS-Fed endpoints
$endpoints = New-Object System.Collections.ArrayList
if ( $rp.AdditionalWSFedEndpoint ) { $rp.AdditionalWSFedEndpoint | ForEach-Object { [void]$endpoints.Add($_) } }

# Remove the three reply URLs; any other endpoints are left in place
$endpoints.Remove("https://stamp2.login.microsoftonline.com/login.srf")
$endpoints.Remove("https://ccs.login.microsoftonline.com/ccs/login.srf")
$endpoints.Remove("https://ccs-sdf.login.microsoftonline.com/ccs/login.srf")

# Write the reduced list back to the trust
Set-AdfsRelyingPartyTrust -TargetName $rp.Name -AdditionalWSFedEndpoint $endpoints

 

Thanks for your time!
