Microsoft keeps adding and enhancing features in Office 365 and Azure that simplify things and reduce the dependency on on-premises resources. Every so often, you need to take a look at what they've done and see whether what you are doing today is still what's best for your organization. A few recent enhancements have made it possible to replace ADFS in many of our clients' environments.

Why did people have ADFS in the past?

  • Federation with Office 365
  • Federation with other companies (such as Concur)
  • To reduce authentication prompts when accessing those federated resources

What were some of the challenges of ADFS?

  • Server maintenance and costs
    • You frequently had 4 servers for high availability in the mid-market space
    • Cost of a 3rd party certificate
  • Certificate handling
    • Sometimes you weren't aware of when certificates were expiring and were left scrambling to fix an issue
  • Complexity of putting restrictions in place for granting access to particular groups

What are the solutions?

  • To reduce the authentication prompts:
  • To federate with other companies:
    • Make use of Azure Active Directory Enterprise Applications to register your SAML applications. You can set alerts inside of this for when certificates are expiring so you are given a heads-up for any remediation that may be coming.
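The same expiry check can also be run outside the portal. As an added example (not code from the original post), the script below walks the keyCredentials that Microsoft Graph returns for each enterprise application's service principal and flags SAML token-signing certificates that are expired or about to expire. The service principal data is constructed inline, with field names following Graph's servicePrincipal resource.

```python
from datetime import datetime, timezone

# Constructed sample in the shape of Microsoft Graph /servicePrincipals
# (fields: displayName, preferredSingleSignOnMode, keyCredentials[].type/usage/endDateTime).
SAMPLE_SERVICE_PRINCIPALS = [
    {"displayName": "Concur", "preferredSingleSignOnMode": "saml",
     "keyCredentials": [
         {"type": "AsymmetricX509Cert", "usage": "Sign", "endDateTime": "2024-03-01T00:00:00Z"},
         {"type": "AsymmetricX509Cert", "usage": "Verify", "endDateTime": "2024-03-01T00:00:00Z"},
     ]},
    {"displayName": "Dropbox", "preferredSingleSignOnMode": "saml",
     "keyCredentials": [
         {"type": "AsymmetricX509Cert", "usage": "Sign", "endDateTime": "2026-09-15T00:00:00Z"},
     ]},
    {"displayName": "Legacy HR Portal", "preferredSingleSignOnMode": "saml",
     "keyCredentials": [
         {"type": "AsymmetricX509Cert", "usage": "Sign", "endDateTime": "2024-01-15T00:00:00Z"},
     ]},
    # Not SAML: there is no signing certificate to watch, so it must be skipped.
    {"displayName": "Some OIDC App", "preferredSingleSignOnMode": "oidc", "keyCredentials": []},
]

def parse_graph_time(value):
    """Graph returns ISO 8601 with a trailing 'Z'; older fromisoformat needs '+00:00'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def expiring_saml_certs(service_principals, now, warn_days=60):
    """Return (app name, days left) for every SAML app whose signing certificate
    expires within warn_days or has already expired (negative days). Soonest first."""
    findings = []
    for sp in service_principals:
        if sp.get("preferredSingleSignOnMode") != "saml":
            continue
        for cred in sp.get("keyCredentials", []):
            # The 'Sign' AsymmetricX509Cert is the certificate Azure AD signs SAML tokens with;
            # its 'Verify' twin carries the same date, so only count the signing entry.
            if cred.get("type") != "AsymmetricX509Cert" or cred.get("usage") != "Sign":
                continue
            days_left = (parse_graph_time(cred["endDateTime"]) - now).days
            if days_left <= warn_days:
                findings.append((sp["displayName"], days_left))
    return sorted(findings, key=lambda f: f[1])

if __name__ == "__main__":
    now = parse_graph_time("2024-02-01T00:00:00Z")  # fixed "now" so the sample is reproducible
    for app, days in expiring_saml_certs(SAMPLE_SERVICE_PRINCIPALS, now):
        print(f"{app}: {'EXPIRED' if days < 0 else f'expires in {days} days'}")
```

In a live tenant you would feed the function the output of a GET on /servicePrincipals selecting displayName, preferredSingleSignOnMode and keyCredentials, and run it on a schedule alongside the portal's own alerts.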

What are the benefits?

  • Reduced infrastructure costs: servers, certificates, etc.
  • Reduced maintenance costs: server patching, backups, OS upgrades, certificates again, etc.
  • No dependency on on-premises resources for getting into Office 365 or federated companies. If your internet connection is down, your building loses power, etc., you can still authenticate to Office 365 as usual.
  • Security exposure is handled by Microsoft's authentication services. Your own infrastructure won't be the one targeted by attackers looking for weaknesses, vulnerabilities, etc.
  • Ability to leverage automatic user provisioning with some vendors, such as Dropbox.
  • Improved fault tolerance. Servers, load balancers, power, location, Internet connections… on every count, it'll be better.

Why you may still want ADFS:

  • You have logging requirements where you need to see the logs against your Domain Controllers, and don't have the ability to pull Azure sign-in activity logs
  • You have time-of-day restrictions on user accounts (certain staff can only log in from 7am-6pm, for example)
  • You have an application that installs components onto the ADFS server or has some non-standard requirements

There are a number of other features to take advantage of, such as conditional access, risk-based authentication, and Azure AD Application Proxy. If you need help moving from ADFS, need any other authentication assistance, or would like to learn more, email info@peters.com. We are happy to help.