Microsoft Advises Change to Active Directory Federation Server

Organizations using Azure Active Directory with federation should make a configuration change to take advantage of newly added resilience improvements, Microsoft advised late last week.

The announcement included PowerShell scripts to configure Active Directory Federation Server (ADFS), a Windows Server role. ADFS is Microsoft's approach for brokering identity and authentication trust between two realms. It's based on the WS-Federation protocol, according to an MSDN document description.

Essentially, the PowerShell scripts provided by Microsoft configure ADFS to use three new URL endpoints that enable the resilience benefits, although Microsoft's announcement didn't describe what those benefits are. If organizations don't update ADFS, it'll continue to work. It just won't have the unnamed benefits.

Organizations that configured ADFS using the Azure AD Connect service don't have to run the PowerShell scripts since the resilience benefits will get applied automatically. Microsoft also provided a PowerShell script to check if the Azure AD Connect service is being used, plus there's a rollback script in case of trouble.
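Whatever a vendor-supplied script does to the Azure AD relying party trust, an administrator wants a record of the trust before the change and a way to see exactly what changed afterwards. The PowerShell below is an added example written for this article, not Microsoft's configuration, check or rollback script: it snapshots the relying party trust's identifiers, WS-Federation and SAML endpoints and issuance rules on an AD FS server, and on a second run with -Compare reports what was added or removed. It assumes it runs elevated on an AD FS server with the ADFS module, that the Azure AD trust still carries its default name "Microsoft Office 365 Identity Platform", and a backup folder of C:\ADFS-Backup; the trust name and path are assumptions, and the three endpoint URLs themselves are not on this page, so none are hard-coded.

```powershell
<#
  Added example (not Microsoft's script). Snapshot the Azure AD relying party
  trust on an AD FS server before a configuration change, then compare the
  next snapshot against the previous one with -Compare.
  Assumptions: elevated session on an AD FS server; default trust name; the
  backup path is a placeholder chosen for this example.
#>
param(
    [string]$TrustName = 'Microsoft Office 365 Identity Platform',  # default Azure AD trust name (assumed unchanged)
    [string]$BackupDir = 'C:\ADFS-Backup',                          # placeholder path
    [switch]$Compare
)

Import-Module ADFS

function Get-TrustSnapshot {
    param([string]$Name)
    $rp = Get-AdfsRelyingPartyTrust -Name $Name
    if (-not $rp) { throw "Relying party trust '$Name' not found." }
    # Capture the fields a federation endpoint change is likely to touch.
    [pscustomobject]@{
        Name          = $rp.Name
        Enabled       = $rp.Enabled
        Identifier    = @($rp.Identifier)
        WSFedEndpoint = [string]$rp.WSFedEndpoint
        SamlEndpoints = @($rp.SamlEndpoints | ForEach-Object { "$($_.Protocol)|$($_.Binding)|$($_.Location)" })
        IssuanceRules = $rp.IssuanceTransformRules
        Captured      = (Get-Date).ToString('o')
    }
}

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$snapshot = Get-TrustSnapshot -Name $TrustName
$file = Join-Path $BackupDir ("{0}-{1}.xml" -f ($TrustName -replace '[^\w]', '_'), $stamp)
$snapshot | Export-Clixml -Path $file
Write-Host "Snapshot written to $file"

if ($Compare) {
    # Newest file is the snapshot just taken; the one before it is the baseline.
    $files = @(Get-ChildItem -Path $BackupDir -Filter '*.xml' | Sort-Object LastWriteTime)
    if ($files.Count -lt 2) { Write-Warning 'Need a prior snapshot to compare against.'; return }
    $before = Import-Clixml -Path $files[-2].FullName
    $after  = Import-Clixml -Path $files[-1].FullName

    foreach ($field in 'Identifier', 'SamlEndpoints') {
        $added   = @($after.$field  | Where-Object { $_ -notin $before.$field })
        $removed = @($before.$field | Where-Object { $_ -notin $after.$field })
        Write-Host "${field}: $($added.Count) added, $($removed.Count) removed"
        $added   | ForEach-Object { Write-Host "  + $_" }
        $removed | ForEach-Object { Write-Host "  - $_" }
    }
    if ($before.WSFedEndpoint -ne $after.WSFedEndpoint) {
        Write-Host "WSFedEndpoint: '$($before.WSFedEndpoint)' -> '$($after.WSFedEndpoint)'"
    }
    if ($before.IssuanceRules -ne $after.IssuanceRules) {
        # Claim rules decide what Azure AD is told about each user; review any change.
        Write-Warning 'Issuance transform rules changed; review them before relying on federated sign-ins.'
    }
    if ($before.Enabled -ne $after.Enabled) {
        Write-Warning "Trust enabled state changed: $($before.Enabled) -> $($after.Enabled)"
    }
}
```

Run the script once before applying the vendor script to record the baseline, then again with -Compare after the change; the second run writes a fresh snapshot and prints the endpoint and identifier differences. The saved XML files are also what a manual rollback would be reconstructed from if the vendor's own rollback script is unavailable.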

Earlier this month, Microsoft also reminded organizations to update any Azure AD conditional access policies they created using the older, so-called "classic" Azure portal, which is being deprecated starting on Nov. 30.

And for IT pros needing to dig into the details and track Microsoft's various Azure AD changes, Microsoft announced last week that it is now publishing release notes for Azure AD. These "What's New" notes for Azure AD are expected to appear "once every two weeks" at this page. Microsoft is considering adding an RSS feed, too.

There's also a recent Microsoft opinion piece on top-five "best" Azure AD capabilities for IT pros, per Mike Duddington of Microsoft. His top recommendation included using the Azure AD Privileged Identity Management service to provide just-in-time access for IT pro administrative accounts, a security precaution. Next, Azure AD Conditional Access can be used to set up access conditions for end users. He also recommended using multifactor authentication for administrators. Azure AD Connect Health can be used for error reporting and the Azure AD Reporting service is useful for getting information about end users and for security audits, Duddington indicated.

Those recommendations, though, come with licensing requirements to figure out. Microsoft offers free, Basic, Premium 1 and Premium 2 plans. Details are laid out in a table at this pricing page.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
