Still have ADFS? Time to reconsider.

Microsoft keeps adding and enhancing features in Office 365 and Azure which help simplify and reduce the dependency of on-premises resources. Every-so-often, you need to take a look at what they’ve done and see if what you are currently doing today is still what’s best for your organization. A few recent enhancements have made it possible to replace ADFS in many of our client’s environments.

Why did people have ADFS in the past?

Federation with Office 365
Federation with other companies (such as Concur)
To reduce authentication prompts when accessing those federation resources

What were some of the challenges of ADFS?

Server maintenance and costs
- You frequently had 4 servers for high availability in the mid-market space
- Cost of a 3^rd party certificate
Certificate handling
- Sometimes you weren’t aware as to when certificates were expiring and were left scrambling to fix an issue
Complexity of putting restrictions in place for granting access to particular groups

What are the solutions?

To reduce the authentication prompts:
- Look at Azure Activity Directory Seamless Single Sign-On. This will allow your users to authenticate to Azure AD from domain-joined PCs without having to type in their password. The end-user experience is similar to ADFS.
To federate with other companies:
- Make use of Azure Active Directory Enterprise Applications to register your SAML applications. You can set alerts inside of this for when certificates are expiring so you are given a heads-up for any remediation that may be coming.

What are the benefits?

Reduced infrastructure costs: servers, certificates, etc.
Reduced maintenance costs: server patching, backups, OS upgrades, certificates again, etc.
No dependency of on-premises resources for getting into Office 365 or federated companies. If your internet connection is down, building loses power, etc., you can still authenticate to Office 365 as usual.
Security exposure is handled by Microsoft’s authentication services. Your infrastructure won’t be targeted, looking for weakness, vulnerabilities, etc.
Ability to leverage automatic user provisioning with some vendors, such as Dropbox.
Improved fault tolerance. The number of servers, load balancers, power, location, Internet connections…it’ll be better.

Why you may still want ADFS:

You have logging requirements where you need to see the logs against your Domain Controllers, and don’t have ability to pull Azure sign-in activity logs
You have time-of-day restrictions on user accounts (certain staff can only login from 7am-6pm for example)
You have an application that installs components onto the ADFS server or has some non-standard requirements

There are a number of other features to take advantage of such as conditional access, risk-based authentication, and Azure AD Application Proxy. If you need help moving from ADFS, need any other authentication assistance, or would like to learn more, email info@peters.com. We are happy to help.

By John Fedor|2018-12-18T11:50:01-05:00March 21st, 2018|Advisory Services|Comments Off

About the Author: John Fedor

John has been with Peters & Associates for over two decades. Over the years, John has diligently worked on the delivery of solutions matched to organizational business issues. As technologies have evolved, John has adapted skill-sets to continually exceed customer expectations and outcomes. John is a DePaul University alum with a Master’s in Computer Science with minors in Math and Physics. John’s capabilities are validated by industry certifications and accolades including CISSP, CCNP, MCSE, and many others. John has primary mentoring and managerial responsibilities over a dedicated engineering staff. With client satisfaction as a guiding star, John aligns delivery, escalation, consistency, and on-going training to make sure customers receive value day-in, day-out.