Deploying ADFS and Azure for Seamless Identity Management

Author

Reads 526

Computer server in data center room
Credit: pexels.com, Computer server in data center room

ADFS, or Active Directory Federation Services, is a single sign-on solution that allows users to access multiple applications and resources with a single set of credentials.

It's a crucial component in modern identity management, and when combined with Azure, it becomes a powerful tool for seamless identity management.

Azure Active Directory (Azure AD) can be integrated with ADFS to provide a more robust identity management solution.

This integration allows for the synchronization of user identities between ADFS and Azure AD, enabling users to access cloud-based applications and resources without the need for additional credentials.

Design and Configuration

To design and configure your AD FS infrastructure in Azure, you should deploy AD FS on separate servers to avoid affecting the performance of your domain controllers.

You'll also need to deploy web application proxy (WAP) servers so that users can reach the AD FS when they aren't on the company network. This is a crucial step to ensure seamless access to your organization's web applications.

Credit: youtube.com, Azure AD - #3 - Azure ADFS

For high availability, we recommend using an internal load balancer for AD FS servers and Azure Load Balancer for web application proxy servers. This setup ensures that at least one server is available during planned or unplanned maintenance events.

To provide redundancy, group two or more virtual machines (VMs) in an availability set for similar workloads. This configuration ensures that during a maintenance event, at least one VM is available.

Here are some key design principles to keep in mind:

  • Deploy AD FS on separate servers
  • Deploy web application proxy servers in the DMZ with only TCP/443 access
  • Use an internal load balancer for AD FS servers and Azure Load Balancer for web application proxy servers
  • Group VMs in an availability set for similar workloads

Design Principles

When designing your AD FS infrastructure in Azure, it's essential to follow some basic principles to ensure high availability and performance.

Deploy AD FS on separate servers to avoid affecting the performance of your domain controllers.

To provide redundancy to your AD FS deployment, group two or more virtual machines (VMs) in an availability set for similar workloads. This configuration ensures that during either a planned or unplanned maintenance event, at least one VM is available.

Credit: youtube.com, The Principles of Design | FREE COURSE

You should also deploy web application proxy servers in a separate DMZ network, such as an isolated subnet, and only allow required communication between the two subnets.

Here are some key design principles to keep in mind:

  • Deploy AD FS on separate servers.
  • Group VMs in an availability set for redundancy.
  • Deploy web application proxy servers in a separate DMZ network.
  • Allow only required communication between subnets.

When extending your deployment to a new geographical region, it's crucial to consider the following points:

  • Create a new virtual network in the geographical region.
  • Deploy domain controllers in the new region to improve performance.
  • Create new storage accounts and network security groups in the new region.
  • Configure DNS labels for public IP addresses.
  • Set up Azure Traffic Manager for global traffic distribution.
  • Ensure V-net to V-net connectivity between regions is not necessary.

Configure Web Application Proxy Servers to Reach FS Servers

To configure web application proxy servers to reach AD FS servers, you need to create a record in the hosts file for the ILB. The distinguished name should be the federation service name, such as fs.contoso.com.

The IP entry should be the ILB's IP address, which is 10.3.0.8 in this example. This is crucial for web application proxy servers to enroll successfully.

If you're using the Windows Internal Database for your AD FS database, you'll need to set the value to temporarily point to your primary AD FS server.

Deployment and Migration

Credit: youtube.com, Migrating from ADFS to Azure Active Directory: Benefits and Best Practices

The Azure AD migration process is a crucial step in transitioning users and applications to Azure AD. This process involves transitioning users and applications to Azure AD.

To ensure a smooth migration, it's essential to use tools like Azure AD Connect Health for AD FS. This helps monitor the health of your AD FS environment during the migration process.

Decommissioning the AD FS environment upon completion is also a critical step in the migration process. This ensures a consistent single sign-on experience for users.

Update ILB DNS Server

To update the ILB DNS server, create an A record for the federation service with the IP address pointing to the ILB's IP address. For example, if the ILB IP address is 10.3.0.8 and the federation service is fs.contoso.com, create an A record for fs.contoso.com pointing to 10.3.0.8.

If you're using the Windows Internal Database for your AD FS database, temporarily set this value to point to your primary AD FS server. This is necessary to prevent the web application proxy from failing enrollment.

Credit: youtube.com, DNS Migration from Windows Server 2016 to 2022 step by step | Side by Side DNS migration |

In addition to the A record, create a corresponding AAAA record if your deployment is using IPv6. This will ensure that both IPv4 and IPv6 traffic can reach the ILB.

To ensure that web application proxy servers can reach the AD FS servers behind the ILB, create a record in the hosts file for the ILB. The distinguished name should be the federation service name, such as fs.contoso.com, and the IP entry should be the ILB's IP address.

If you're using the Windows Internal Database for your AD FS database, temporarily set this value to point to your primary AD FS server. This is necessary to prevent the web application proxy from failing enrollment.

Template for Deployment

The template for deploying Active Directory Federation Services (AD FS) in Azure is a powerful tool that allows you to customize the deployment process to suit your needs.

You can use an existing virtual network or create a new one while deploying the template. The parameters you can use to customize the deployment are listed in the table below.

The template also allows you to specify the internal IP addresses for the Domain Controllers, AD FS servers, and WAP servers. You can statically assign IP addresses to these servers, which must be valid IP addresses within the internal subnet.

You can also specify the VM name prefix, size, and administrator credentials for the Domain Controllers, AD FS servers, and WAP servers. This allows you to customize the deployment process to suit your specific needs.

The Migration Process

Credit: youtube.com, What's your #cloud #migration #strategy?

The migration process is a crucial step in deploying Azure AD. It involves transitioning users and applications to Azure AD, ensuring a consistent single sign-on experience.

To start, you'll need to prioritize applications based on factors like compatibility with Azure AD and the complexity of claim rules. This will help you simplify the process of app migration.

Azure AD Connect Health for AD FS is a useful tool for monitoring the health of your AD FS environment during migration. This can help you identify potential issues before they become major problems.

Decommissioning the AD FS environment is a key part of the migration process. This will help you ensure a seamless transition to Azure AD and avoid any potential security risks.

Deploy in New Region

Deploying your Active Directory Federation Services (AD FS) in a new geographical region can be a complex task, but it's a crucial step in expanding your organization's reach.

Credit: youtube.com, Why Do Services Deploy to One Region?

You can deploy AD FS in the new geographical region by following the steps and guidelines in AD FS deployment in Azure.

It's essential to replicate the same topology in the new region to ensure seamless integration and functionality.

Follow the steps and guidelines in AD FS deployment in Azure to deploy the same topology in the new geographical region.

Security and Governance

AD FS uses HTTPS, so make sure that the NSG rules for the subnet containing the web tier VMs permit HTTPS requests. These requests can originate from the on-premises network, the subnets containing the web tier, business tier, data tier, private DMZ, public DMZ, and the subnet containing the AD FS servers.

Preventing direct exposure of the AD FS servers to the Internet is crucial, as domain-joined computers with full authorization to grant security tokens can be compromised, allowing malicious users to issue full access tokens to all web applications and federation servers.

Credit: youtube.com, Authentication fundamentals: Federation | Microsoft Entra ID

AD FS servers should be placed in separate subnets with their own firewalls, and WAP servers should be in their own subnets as well. This setup allows for better control and segregation of traffic.

Azure AD's entitlement management feature automates the process of resource assignment and access reviews, streamlining identity governance. This feature is a crucial aspect of identity governance and entitlement management.

All firewalls should allow traffic on port 443 (HTTPS), and NSG rules can be used to define firewall rules. This ensures that necessary traffic can pass through while keeping the network secure.

Direct sign in access to the AD FS and WAP servers should be restricted to DevOps staff only, and WAP servers should not be joined to the domain. This helps prevent unauthorized access to sensitive systems.

Performance and Reliability

Performance and reliability are crucial aspects of any AD FS deployment, especially when hosted in Azure. For smaller deployments with fewer than 1000 users, installing AD FS on each Active Directory DS server in the cloud is a viable option, as long as there are at least two servers to maintain availability.

Credit: youtube.com, Microsoft Entra ID: How to gain insights using Entra ID Connect-Health and ADFS Activity Report

To increase availability, create an AD FS farm with at least two servers, and use different storage accounts for each AD FS VM in the farm. This approach helps prevent a failure in a single storage account from making the entire farm inaccessible.

For larger deployments, consider the following guidelines for sizing AD FS farms: if you have between 1000 and 15,000 users, create two dedicated AD FS servers and two dedicated WAP servers. If you have between 15,000 and 60,000 users, create between three and five dedicated AD FS servers and at least two dedicated WAP servers.

To ensure reliability, create separate Azure availability sets for the AD FS and WAP VMs, with at least two VMs in each set and at least two update domains and two fault domains. Use an Azure load balancer to provide external access to the WAP VMs and distribute the load across the AD FS servers in the farm.

Here's a summary of the recommended AD FS farm configurations based on user count:

Performance Efficiency

Credit: youtube.com, Enhance efficiency and boost reliability with performance engineering

Performance efficiency is crucial for your workload to scale to meet user demands in an efficient manner. This means ensuring that your system can handle a large number of users without slowing down.

To size your AD FS farms, consider the number of users you have. If you have fewer than 1000 users, installing AD FS on each Active Directory DS server in the cloud is a good starting point. This way, you can maintain availability with at least two Active Directory DS servers and a single WAP server.

If you have between 1000 and 15,000 users, creating two dedicated AD FS servers and two dedicated WAP servers is a good approach. This will help your system scale to meet the demands of your users.

For larger organizations with between 15,000 and 60,000 users, you'll need to create between three and five dedicated AD FS servers and at least two dedicated WAP servers. This will ensure that your system can handle the increased load.

Here's a summary of the recommended server configurations based on the number of users:

Reliability

Credit: youtube.com, How to Solve Database Performance, Scalability, and Reliability Challenges

Having a reliable application is crucial for making commitments to your customers. You can create an AD FS farm with at least two servers to increase availability of the service.

Using different storage accounts for each AD FS VM in the farm helps ensure that a failure in a single storage account doesn't make the entire farm inaccessible. This is a good practice to follow.

Create separate Azure availability sets for the AD FS and WAP VMs. Each availability set must have at least two update domains and two fault domains.

To provide external access to the WAP VMs, use an Azure load balancer. This will also help distribute the load across the AD FS servers in the farm.

Only pass traffic appearing on port 443 (HTTPS) to the AD FS/WAP servers. This is an important security measure to take.

Give the load balancer a static IP address. This will make it easier to manage and access the load balancer.

Credit: youtube.com, Performance : Reliability Testing

Create a health probe using HTTP against /adfs/probe. This will help ensure that the AD FS servers are functioning properly.

Here are the key steps to create a reliable AD FS farm:

  • Use an Azure load balancer to provide external access to the WAP VMs.
  • Only pass traffic appearing on port 443 (HTTPS) to the AD FS/WAP servers.
  • Give the load balancer a static IP address.
  • Create a health probe using HTTP against /adfs/probe.

You can use either SQL Server or the Windows Internal Database to hold AD FS configuration information. The Windows Internal Database provides basic redundancy.

Frequently Asked Questions

What is the difference between ADFS and Azure AD Sync?

The main difference between ADFS and Azure AD Sync is that ADFS is a security token service, while Azure AD Sync is an identity and access management solution. Understanding the distinction between these two tools can help you choose the best approach for your organization's authentication and authorization needs.

What is the difference between ADFS and Azure B2B?

ADFS requires manual setup and infrastructure management, whereas Azure B2B simplifies and streamlines the process, making it easier to collaborate with partners

Is Azure AD the same as ADFS?

No, Azure AD and ADFS serve different purposes, with Azure AD focusing on identity and access management and ADFS on security token services. Learn more about the key differences between these two solutions.

Do people still use ADFS?

While some organizations still use ADFS for specific purposes, many are moving away from it due to the benefits of alternative solutions like PHS and PTA. ADFS usage is declining as organizations seek to simplify user authentication.

What is the difference between Active Directory and ADFS?

Active Directory stores user credentials within a network, while ADFS (Active Directory Federation Services) extends this access to external web platforms, enabling single sign-on across networks. This integration allows users to access external resources with their existing network credentials.

Viola Morissette

Assigning Editor

Viola Morissette is a seasoned Assigning Editor with a passion for curating high-quality content. With a keen eye for detail and a knack for identifying emerging trends, she has successfully guided numerous articles to publication. Her expertise spans a wide range of topics, including technology and software tutorials, such as her work on "OneDrive Tutorials," where she expertly assigned and edited pieces that have resonated with readers worldwide.

Love What You Read? Stay Updated!

Join our community for insights, tips, and more.