Still have ADFS? Time to reconsider.

Mar 21, 2018 | Infrastructure

Microsoft keeps adding and enhancing features in Office 365 and Azure that simplify and reduce the dependency on on-premises resources. Every so often, you need to take a look at what they’ve done and see if what you are doing today is still what’s best for your organization. A few recent enhancements have made it possible to replace ADFS in many of our clients’ environments.

Why did people have ADFS in the past?

  • Federation with Office 365
  • Federation with other companies (such as Concur)
  • To reduce authentication prompts when accessing those federation resources

What were some of the challenges of ADFS?

  • Server maintenance and costs
    • You frequently had 4 servers for high availability in the mid-market space
    • Cost of a 3rd party certificate
  • Certificate handling
    • Sometimes you weren’t aware of when certificates were expiring and were left scrambling to fix an outage
  • Complexity of putting restrictions in place for granting access to particular groups

What are the solutions?

  • To reduce the authentication prompts:
  • To federate with other companies:
    • Make use of Azure Active Directory Enterprise Applications to register your SAML applications. You can set alerts inside of this for when certificates are expiring so you are given a heads-up for any remediation that may be coming.
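As an added example (not from the original post), the check below walks the keyCredentials that Microsoft Graph returns for enterprise applications and flags SAML token-signing certificates that have expired or are about to, which is the same condition the portal alerts cover. The response shape follows Graph’s servicePrincipal resource; the tenant data is constructed.

```python
from datetime import datetime, timezone

# Constructed sample (not real tenant data), shaped like a Microsoft Graph
# GET /servicePrincipals?$select=displayName,keyCredentials response.
SAMPLE_GRAPH_RESPONSE = {"value": [
    {"displayName": "Expense app (constructed)", "keyCredentials": [
        {"keyId": "k1", "usage": "Sign", "type": "AsymmetricX509Cert",
         "endDateTime": "2018-04-10T00:00:00.0000000Z"},
        # 'Verify' is the public half of the same cert; Graph lists both.
        {"keyId": "k2", "usage": "Verify", "type": "AsymmetricX509Cert",
         "endDateTime": "2018-04-10T00:00:00.0000000Z"}]},
    {"displayName": "Storage app (constructed)", "keyCredentials": [
        {"keyId": "k3", "usage": "Sign", "type": "AsymmetricX509Cert",
         "endDateTime": "2020-01-01T00:00:00Z"}]},
    {"displayName": "Travel app (constructed)", "keyCredentials": [
        {"keyId": "k4", "usage": "Sign", "type": "AsymmetricX509Cert",
         "endDateTime": "2018-03-01T00:00:00Z"}]},
]}
SAMPLE_NOW = datetime(2018, 3, 21, tzinfo=timezone.utc)  # the post's date


def parse_graph_time(value):
    """Graph returns ISO-8601 UTC timestamps, sometimes with seven fractional
    digits, which fromisoformat() rejects on Python < 3.11; strip the fraction
    and parse explicitly."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def expiring_signing_certs(graph_response, now, warn_days=30):
    """Return (app, keyId, days_left) for each SAML token-signing certificate
    that has already expired (negative days) or expires within warn_days,
    soonest first. Only 'Sign' credentials are reported so each certificate
    produces one alert rather than one per half of the key pair."""
    findings = []
    for sp in graph_response.get("value", []):
        for cred in sp.get("keyCredentials") or []:
            if cred.get("usage") != "Sign" or cred.get("type") != "AsymmetricX509Cert":
                continue
            days_left = (parse_graph_time(cred["endDateTime"]) - now).days
            if days_left <= warn_days:
                findings.append((sp["displayName"], cred["keyId"], days_left))
    return sorted(findings, key=lambda f: f[2])


if __name__ == "__main__":
    for app, key_id, days in expiring_signing_certs(SAMPLE_GRAPH_RESPONSE, SAMPLE_NOW):
        state = "EXPIRED" if days < 0 else "expires in"
        print(f"{app}: key {key_id} {state} {abs(days)} days")
```

Feed it the live Graph response on a schedule and route the result to the same alert channel you use for the portal notifications.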

What are the benefits?

  • Reduced infrastructure costs: servers, certificates, etc.
  • Reduced maintenance costs: server patching, backups, OS upgrades, certificates again, etc.
  • No dependency on on-premises resources for getting into Office 365 or federated companies. If your internet connection is down, the building loses power, etc., you can still authenticate to Office 365 as usual.
  • Security exposure is handled by Microsoft’s authentication services. Your own infrastructure is no longer the surface that gets probed for weaknesses and vulnerabilities.
  • Ability to leverage automatic user provisioning with some vendors, such as Dropbox.
  • Improved fault tolerance. Microsoft’s redundancy in servers, load balancers, power, locations and Internet connections exceeds what most organizations run themselves.

Why you may still want ADFS:

  • You have logging requirements where you need to see the logs against your Domain Controllers, and don’t have the ability to pull Azure sign-in activity logs
  • You have time-of-day restrictions on user accounts (certain staff can only log in from 7am-6pm, for example)
  • You have an application that installs components onto the ADFS server or has some non-standard requirements

There are a number of other features to take advantage of such as conditional access, risk-based authentication, and Azure AD Application Proxy.  If you need help moving from ADFS, need any other authentication assistance, or would like to learn more, email We are happy to help.