Microsoft Advises Change to Active Directory Federation Server -- Redmondmag.com

Microsoft Advises Change to Active Directory Federation Server

By Kurt Mackie
10/30/2017

Organizations using Azure Active Directory with federation should make a configuration change to take advantage of newly added resilience improvements, Microsoft advised late last week.

The announcement included PowerShell scripts to configure Active Directory Federation Server (ADFS), a Windows Server role. ADFS is Microsoft's approach for brokering identity and authentication trust between two realms. It's based on the WS-Federation protocol, according to an MSDN document description.

Essentially, the PowerShell scripts provided by Microsoft configure ADFS to use three new URL endpoints that enable the resilience benefits, although Microsoft's announcement didn't describe what those benefits are. If organizations don't update ADFS, it'll continue to work. It just won't have the unnamed benefits.

Organizations that configured ADFS using the Azure AD Connect service don't have to run the PowerShell scripts since the resilience benefits will get applied automatically. Microsoft also provided a PowerShell script to check if the Azure AD Connect service is being used, plus there's a rollback script in case of trouble.

Earlier this month, Microsoft also reminded organizations to update any Azure AD conditional access policies they may have if created using the older so-called "classic" Azure portal. The classic portal is getting deprecated, starting on Nov. 30.

And for IT pros needing to dig into the details and track Microsoft's various Azure AD changes, Microsoft announced last week that it is now publishing release notes for Azure AD. These "What's New" notes for Azure AD are expected to appear "once every two weeks" at this page. Microsoft is considering adding an RSS feed, too.

There's also a recent Microsoft opinion piece on top-five "best" Azure AD capabilities for IT pros, per Mike Duddington of Microsoft. His top recommendation included using the Azure AD Privileged Identity Management service to provide just-in-time access for IT pro administrative accounts, a security precaution. Next, Azure AD Conditional Access can be used to set up access conditions for end users. He also recommended using multifactor authentication for administrators. Azure AD Connect Health can be used for error reporting and the Azure AD Reporting service is useful for getting information about end users and for security audits, Duddington indicated.

Those recommendations, though, come with licensing requirements to figure out. Microsoft offers free, Basic, Premium 1 and Premium 2 plans. Details are laid out in a table at this pricing page.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

What's Inside Microsoft 365's Security Toolbox?

Microsoft provides plenty of native tools to secure Microsoft 365. IT pros just have to know where to look.
Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.
Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.
Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.
Fallout from Microsoft's 'Midnight Blizzard' Saga Hits Feds

When the Russian attack group Midnight Blizzard successfully breached Microsoft corporate e-mail accounts late last year, it apparently managed to steal U.S. government agency e-mails, too.