I started off this Azure AD Connect series by going through the express installation path, where the password hash synchronization sign-in option is selected by default. This was followed by the custom installation path using pass-through authentication and a remote SQL installation. The latest post in the series covers federation with Active Directory Federation Services (AD FS). Refer to links below for parts 1 through 3:
- Field Notes: Azure Active Directory Connect – Express Installation
- Field Notes: Azure Active Directory Connect – Custom Installation with Pass-Through Authentication & a remote SQL Server
- Field Notes: Azure Active Directory Connect – Federation with AD FS
Here, we look at how to use Azure AD Connect to verify federated login. We also explore two other options: IdP-initiated sign-on and accessing the My Apps portal.
Federating a domain through Azure AD Connect involves verifying connectivity. During this process, we are advised by the wizard to use the verify federated login additional task to verify that a federated user can successfully log in.
To get to these options, launch Azure AD Connect and click configure. There will be an option to manage federation on the next screen. Use this task to expose available options for managing the federation service.
Look at what we have here – all the options that are available to manage a federation service! These are for:
- Managing the Azure AD trust
- Federating an Azure AD domain
- Updating the AD FS SSL certificate
- Deploying an AD FS server
- Deploying a Web Application Proxy server
- Verifying federated login
We will cover some of these in future blog posts. AD FS Help: https://aka.ms/adfshelp
Verifying federated login (video)
Verifying federated login is a pretty straightforward process. All we need to do is connect to Azure AD by providing global administrator credentials, followed by entering credentials of a user account we are using for verification. The following quick video takes us through this process.
Let’s cover two of the other methods we could use to verify that federation works. The first one is IdP-initiated sign-on, and the other is accessing the My Apps portal.
IdP-initiated sign-on
The AD FS sign-on page can be used to verify federated login. This feature is not turned on by default in Windows Server 2016, which is what I am using in my environment. Log in to the AD FS server and turn it on using PowerShell. The command is:
Set-AdfsProperties -EnableIdPInitiatedSignonPage $true
Once this is turned on, open a browser and navigate to https://sts.idrockstar.co.za/adfs/ls/idpinitiatedsignon.htm (replace the federation service FQDN as necessary) and sign in using a federated account.
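As an added example (not part of the original post), the following PowerShell script wraps the same check so the sign-on page is only enabled for the duration of the test and is restored to its previous state afterwards; the federation service FQDN and the idp_SignInButton element id it looks for in the page markup are assumptions.

```powershell
# Added example: probe the IdP-initiated sign-on page and federation metadata from the AD FS
# server, then put EnableIdPInitiatedSignonPage back the way it was. Run in an elevated
# PowerShell session on the AD FS server. The FQDN below is an assumption; replace it.
$fsFqdn      = 'sts.idrockstar.co.za'
$signOnUrl   = "https://$fsFqdn/adfs/ls/idpinitiatedsignon.htm"
$metadataUrl = "https://$fsFqdn/FederationMetadata/2007-06/FederationMetadata.xml"

# Remember the current state so the page is not left enabled after the check.
$original = (Get-AdfsProperties).EnableIdPInitiatedSignonPage
Write-Host "EnableIdPInitiatedSignonPage before test: $original"

try {
    if (-not $original) {
        Set-AdfsProperties -EnableIdPInitiatedSignonPage $true
    }

    # 1. The federation metadata must be reachable and name the federation service.
    $meta = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing
    [xml]$doc = $meta.Content
    Write-Host "Federation metadata entityID: $($doc.EntityDescriptor.entityID)"

    # 2. The IdP-initiated sign-on page should now return HTTP 200 and contain the
    #    sign-in button of the default AD FS page (element id assumed: idp_SignInButton).
    $page = Invoke-WebRequest -Uri $signOnUrl -UseBasicParsing
    if ($page.StatusCode -eq 200 -and $page.Content -match 'idp_SignInButton') {
        Write-Host "IdP-initiated sign-on page is being served at $signOnUrl"
    } else {
        Write-Warning "Unexpected response ($($page.StatusCode)) from $signOnUrl"
    }
}
finally {
    # Restore the original setting (disabled by default on Windows Server 2016).
    if (-not $original) {
        Set-AdfsProperties -EnableIdPInitiatedSignonPage $false
        Write-Host 'EnableIdPInitiatedSignonPage restored to False'
    }
}
```

Sign in interactively in a browser while the script has the page enabled if you also want to confirm the credential prompt and token issuance, not just that the page is served.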
My Apps portal
The other option is to use the My Apps portal to check whether you are able to sign in successfully. Open a browser and go to https://aka.ms/myapps, which redirects to the Access Panel Applications page (https://account.activedirectory.windowsazure.com/r#/applications) after a successful login. Pay attention to the address bar to see the redirection to the AD FS service for authentication.
Federating a domain through Azure AD Connect involves verifying connectivity. Additionally, federated login should be verified to ensure that everything works as expected. We covered verification using Azure AD Connect, as well as using IdP-initiated sign-on and accessing the My Apps portal.
- AD FS Troubleshooting – Idp-Initiated SignOn
- Access and use apps on the My Apps portal
- Custom installation of Azure AD Connect
Till next time…