Microsoft Eases ADFS Shifts with New Azure Active Directory Capabilities
Microsoft on Monday announced some Azure Active Directory enhancements to help organizations shift away from using Active Directory Federation Services (ADFS).
Most of the enhancements were described as being available or at the preview stage, but they apparently can help remove roadblocks for organizations trying to dispense with using ADFS and help them move to directly using the Azure AD identity and access management service. The announcement suggested that "nearly all" applications could be shifted using these Azure AD enhancements, which were built to address customer requests.
Here's how the Azure AD enhancements were characterized by Samuel Devasahayam, a group product manager on the Microsoft authentication platform team, per the announcement:
Today, I'm thrilled to share several new and important capabilities to help customers easily migrate nearly ALL their applications from AD FS or other identity providers to Azure AD. We're addressing several customer requests, such as improving claims and transformation capabilities that have prevented customers from migrating their apps to Azure AD. These new capabilities will help customers reduce their AD FS investments and provide them with industry-leading security capabilities in Azure AD.
Azure AD Enhancements
The enhancements to Azure AD were rather technical. They include the use of "filter groups," adding more user attributes as claims, custom claims for Security Assertion Markup Language (SAML) tokens and the ability to use regular expressions on group name transformations.
A "filter groups" capability, which has long existed for Active Directory users, is now available for Azure AD users. The filter groups capability typically gets used to keep Kerberos tokens from getting too large. IT pros specify only the groups an application needs for authorizations. "You can now filter the groups included in the SAML token using substring match on the display name or on the onPremisesSAMAccountName attribute of the group object," Devasahayam explained.
Microsoft also expanded the configuring of "user attributes as claims in Azure AD." This change can help meet some app requirements. The example Microsoft provided was the Box app, which requires that "all the user's proxyAddresses be included in the SAML token." Azure AD now supports the use of a "multi-valued attribute" in claims.
Azure AD also now lets IT pros customize claims for SAML tokens, such as adding a NameID, without having to verify a domain during a transformation. "Until now, this wasn't possible in Azure AD because the NameID wasn't allowed to contain a UPN domain (@domain.com) that wasn't already verified in their tenant," Devasahayam explained.
Microsoft added a "substring function" capability for claims, which lets applications extract "specific characters from a source attribute" for a claim.
The new ability to use regular expressions during transformations can help organizations address certain app claims needs, such as specific "AWS role nomenclature," Microsoft explained.
Why Get Rid of ADFS?
ADFS is a Windows server role that's used to federate applications using a local Active Directory infrastructure with the Azure AD service. The benefit of using ADFS is that it enables single sign-on access for app users, so that they don't have to sign in for every app.
Possibly, though, ADFS isn't easy to secure. It was said to have been exploited last year by the "Nobelium" advanced persistent threat group to tap Exchange Online e-mails. Alex Weinert, director of identity security at Microsoft, has advised using Azure AD as a best practice. However, if organizations do use ADFS, then they should also use a hardware security module with it, he noted in a July 14 Twitter post.
Another option for eliminating ADFS use is Microsoft's emerging new Azure AD certificate-based authentication solution. This solution was announced at the preview stage back in February.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.