Microsoft keeps adding and enhancing features in Office 365 and Azure that simplify your environment and reduce its dependency on on-premises resources. Every so often, you need to take a look at what they’ve done and see whether what you are doing today is still what’s best for your organization. A few recent enhancements have made it possible to replace ADFS in many of our clients’ environments.
Why did people have ADFS in the past?
- Federation with Office 365
- Federation with other companies (such as Concur)
- To reduce authentication prompts when accessing those federated resources
What were some of the challenges of ADFS?
- Server maintenance and costs
- You frequently needed 4 servers for high availability, even in the mid-market space (two ADFS servers on the internal network plus two Web Application Proxy servers in the DMZ)
- Cost of a 3rd-party SSL certificate for the ADFS and proxy servers
- Certificate handling
- Sometimes you weren’t aware of when certificates were expiring and were left scrambling to fix an outage
- Complexity of putting restrictions in place (claim rules) to grant access only to particular groups
What are the solutions?
- To reduce the authentication prompts:
- Look at Azure Active Directory Seamless Single Sign-On. It lets users on domain-joined PCs authenticate to Azure AD without typing their password: the PC presents a Kerberos ticket for a computer account (AZUREADSSOACC) that Azure AD Connect creates in your domain, and Azure AD, which holds that account’s key, validates it. It works with either Password Hash Synchronization or Pass-through Authentication, and the end-user experience is similar to ADFS. Two things to check: the sign-on URL https://autologon.microsoftazuread-sso.com must be in the browsers’ Intranet zone (normally pushed by Group Policy), and the Kerberos decryption key of AZUREADSSOACC should be rolled over at least every 30 days, because anyone who extracts that key from your AD can mint a ticket for any synced user.
- To federate with other companies:
- Make use of Azure Active Directory Enterprise Applications to register your SAML applications; Azure AD then acts as the SAML identity provider, the role ADFS played. Each application gets its own signing certificate, and you can set notification email addresses per application for when that certificate is expiring, so you are given a heads-up for any remediation that may be coming.
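As an added example (this is not code from the original post), here are the two recurring maintenance tasks you inherit after replacing ADFS with the features above, as a PowerShell script: rolling the Seamless SSO Kerberos key, and reporting SAML applications whose Azure AD signing certificate is close to expiry. It assumes Part 1 runs on the Azure AD Connect server, which ships the AzureADSSO module, with a Global Administrator and a Domain Administrator credential, and that Part 2 runs anywhere the Microsoft.Graph PowerShell SDK is installed; the 30-day windows and the CONTOSO\svc-rollover account name are illustrative.

```powershell
# Added example, not code from the original post.
# Assumptions: Part 1 runs on the Azure AD Connect server (where AzureADSSO.psd1
# ships) with Global Administrator and Domain Administrator credentials; Part 2
# needs the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).
# The 30-day windows and the CONTOSO\svc-rollover account name are illustrative.

# --- Part 1: roll over the Seamless SSO Kerberos decryption key ---------------
# Seamless SSO works because Azure AD holds the Kerberos key of the AZUREADSSOACC
# computer account that Azure AD Connect created in your forest. Anyone who
# extracts that key from AD can mint a ticket for any synced user, so roll it
# at least every 30 days. Run this once per forest per rollover.
function Update-SeamlessSsoKey {
    param(
        [Parameter(Mandatory)] [pscredential] $DomainAdmin   # DOMAIN\user format
    )

    Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'
    New-AzureADSSOAuthenticationContext                     # prompts for a Global Administrator

    $status = Get-AzureADSSOStatus | ConvertFrom-Json
    if (-not $status.Enable) {
        throw 'Seamless SSO is not enabled for this tenant; enable it in Azure AD Connect first.'
    }

    Update-AzureADSSOForest -OnPremCredentials $DomainAdmin
    [pscustomobject]@{ Account = 'AZUREADSSOACC'; RolledOver = Get-Date }
}

# --- Part 2: find SAML apps whose signing certificate is about to expire ------
# Each SAML app registered under Enterprise Applications has its own signing
# certificate, so the expiry check ADFS admins used to do by hand moves here.
function Get-ExpiringSamlSigningCerts {
    param(
        [int] $DaysAhead = 30                               # warn inside this window
    )

    Connect-MgGraph -Scopes 'Application.Read.All'
    $now    = Get-Date
    $cutoff = $now.AddDays($DaysAhead)

    Get-MgServicePrincipal -All -Property 'id,displayName,preferredSingleSignOnMode,keyCredentials' |
        Where-Object { $_.PreferredSingleSignOnMode -eq 'saml' } |
        ForEach-Object {
            $sp = $_
            foreach ($key in $sp.KeyCredentials) {
                # 'Sign' is the certificate Azure AD uses to sign SAML assertions;
                # the matching 'Verify' entry is the same cert, so skip it.
                if ($key.Usage -eq 'Sign' -and $key.EndDateTime -lt $cutoff) {
                    [pscustomobject]@{
                        Application        = $sp.DisplayName
                        ServicePrincipalId = $sp.Id
                        Expires            = $key.EndDateTime
                        DaysLeft           = [math]::Floor(($key.EndDateTime - $now).TotalDays)
                    }
                }
            }
        } | Sort-Object Expires
}

# Usage (interactive; both parts prompt for sign-in):
# Update-SeamlessSsoKey -DomainAdmin (Get-Credential 'CONTOSO\svc-rollover')
# Get-ExpiringSamlSigningCerts -DaysAhead 30 | Format-Table -AutoSize
```

With ADFS there was one token-signing certificate for everything; in Azure AD every SAML application has its own, and the one actually in use is the service principal’s preferredTokenSigningKeyThumbprint, so an application that shows two Sign entries may simply be mid-rotation. A negative DaysLeft means the certificate has already expired. Schedule the first function on a 30-day cadence and the second as a weekly report alongside the per-application notification emails.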
What are the benefits?
- Reduced infrastructure costs: servers, certificates, etc.
- Reduced maintenance costs: server patching, backups, OS upgrades, certificates again, etc.
- No dependency on on-premises resources for getting into Office 365 or federated companies. If your office loses its Internet connection or power, users elsewhere can still authenticate to Office 365 as usual. This holds with Password Hash Synchronization; Pass-through Authentication still depends on your on-premises authentication agents being reachable.
- Your own infrastructure is no longer the sign-in endpoint. With ADFS you publish an Internet-facing login page (through the Web Application Proxy) that you have to patch, monitor, and defend; without it, the exposed authentication service is Microsoft’s. Password spraying simply moves to the Azure AD sign-in endpoint, so pair this with Conditional Access and multi-factor authentication rather than treating it as a complete fix.
- Ability to leverage automatic user provisioning with some vendors, such as Dropbox.
- Improved fault tolerance. Microsoft’s service runs across more servers, load balancers, power feeds, locations, and Internet connections than a 4-server ADFS farm ever will.
Why you may still want ADFS:
- You have logging requirements where you need to see the logon events against your Domain Controllers, and don’t have the ability to pull Azure AD sign-in activity logs (note that those logs can be exported to a Log Analytics workspace or a SIEM through the tenant’s diagnostic settings, which covers many such cases)
- You have time-of-day restrictions (logon hours) on user accounts, for example staff who can only log in from 7am to 6pm. Password Hash Synchronization does not enforce logon hours in Azure AD; Pass-through Authentication does, because the password is validated by your Domain Controllers at sign-in.
- You have an application that installs components onto the ADFS server (a custom attribute store or an external authentication provider, for example) or has some other non-standard requirement
There are a number of other features to take advantage of, such as Conditional Access, risk-based authentication, and Azure AD Application Proxy. If you need help moving from ADFS, need any other authentication assistance, or would like to learn more, email info@peters.com. We are happy to help.