Field Notes: Azure Active Directory Connect – Verifying Federated Login

I started off this Azure AD Connect series by going through the express installation path, where the password hash synchronization sign-in option is selected by default. This was followed by the custom installation path using pass-through authentication and a remote SQL installation. The latest post in the series covers federation with Active Directory Federation Services (AD FS). Refer to links below for parts 1 through 3:

Here, we look at how to use Azure AD Connect to verify federated login. We also explore two other ways of checking the same thing: IdP-initiated sign-on and accessing the My Apps portal.

Federation verification

When Azure AD Connect federates a domain it verifies connectivity to the federation service, but that check only proves the endpoints are reachable. At the end of the process the wizard therefore advises running the Verify federated login additional task to confirm that a federated user can actually sign in.

Getting started

To get to these options, launch Azure AD Connect and click Configure. On the next screen select Manage federation; this task exposes the options available for managing the federation service.

AAD Connect Additional Tasks

Manage federation

Look at what we have here: every option available for managing a federation service in one place. These are for:

  • Managing the Azure AD trust
  • Federating an Azure AD domain
  • Updating the AD FS SSL certificate
  • Deploying an AD FS server
  • Deploying a Web Application Proxy server
  • Verifying federated login

Manage Federation

We will cover some of these in future blog posts. AD FS Help: https://aka.ms/adfshelp

Verifying federated login (video)

Verifying federated login is a straightforward process. Connect to Azure AD with Global Administrator credentials, then enter the credentials of the user account being used for verification. Use an ordinary federated user for this rather than a privileged account: the task is meant to prove that a normal federated sign-in works end to end, and the test account needs nothing more than that. The following quick video takes us through this process.

Other options

Let’s cover two other methods we can use to verify that federation works. The first is IdP-initiated sign-on, and the other is accessing the My Apps portal.

IdP-initiated sign-on

The AD FS IdP-initiated sign-on page can be used to verify federated login. This feature is not turned on by default in Windows Server 2016, which is what I am using in my environment, and it is off for a reason: the page lists the relying parties the farm trusts and accepts credentials from anyone who can reach it, so it should only be enabled for the duration of the test and turned off again afterwards. Log on to the AD FS server and turn it on with PowerShell. The command is:

Set-AdfsProperties -EnableIdPInitiatedSignonPage $true

Once this is turned on, open a browser and navigate to https://sts.idrockstar.co.za/adfs/ls/idpinitiatedsignon.htm (replace the federation service FQDN as necessary) and sign in using a federated account.
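The following script wraps the steps above so the page is only exposed while the test runs. It is an added example, not code from the original post: it records the current EnableIdpInitiatedSignonPage value, enables the page, probes it over HTTPS, waits for the interactive sign-in, and restores the previous value whether or not the test succeeds. It assumes an elevated PowerShell session on an AD FS server with the ADFS module available, and it uses the post's federation service FQDN as a placeholder.

```powershell
# Added example, not from the original post: enable the AD FS IdP-initiated sign-on page only for the
# duration of a test, probe it, and then put the setting back the way it was.
# Assumptions: elevated PowerShell session on an AD FS server (ADFS module available);
# $FederationServiceFqdn is your farm's federation service name (the post's FQDN is used as a placeholder).
param(
    [string]$FederationServiceFqdn = 'sts.idrockstar.co.za'
)

Import-Module ADFS -ErrorAction Stop

$url    = "https://$FederationServiceFqdn/adfs/ls/idpinitiatedsignon.htm"
$before = (Get-AdfsProperties).EnableIdpInitiatedSignonPage
Write-Host "IdP-initiated sign-on page enabled before test: $before"

try {
    if (-not $before) {
        Set-AdfsProperties -EnableIdpInitiatedSignonPage $true
        Write-Host "Enabled $url for the test"
    }

    # Anonymous probe: an HTTP 200 carrying the sign-in form means the page is reachable.
    # Any other result (error page, TLS or name resolution failure) is reported by the catch block.
    $response = Invoke-WebRequest -Uri $url -UseBasicParsing -ErrorAction Stop
    Write-Host "HTTP $($response.StatusCode) from $url ($($response.Content.Length) bytes)"

    Read-Host "Sign in at $url as a federated test user in a browser, then press Enter"
}
catch {
    Write-Warning "Request to $url failed: $($_.Exception.Message)"
}
finally {
    # Always restore the previous state. Left enabled, the page lists every relying party the farm
    # trusts and offers an extra credential endpoint, so it should not stay on after the test.
    Set-AdfsProperties -EnableIdpInitiatedSignonPage $before
    Write-Host "IdP-initiated sign-on page enabled after test: $before"
}
```

Run it from the AD FS server itself; in a farm, Set-AdfsProperties on the primary server is enough because the setting is replicated to the other nodes.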

My Apps portal

The other option is to use the My Apps portal to check that you can sign in successfully. Open a browser with no existing Azure AD session, go to https://aka.ms/myapps and enter the UPN of a federated user. Pay attention to the address bar: after home realm discovery the browser should redirect to your AD FS service (the /adfs/ls/ endpoint on the federation service FQDN) for authentication, then return to Azure AD and land on the Access Panel Applications page (https://account.activedirectory.windowsazure.com/r#/applications). If the password prompt is served by login.microsoftonline.com instead of AD FS, the domain is not being treated as federated.
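The redirect you watch for in the address bar is decided by Azure AD's home realm discovery before any password is entered, so it can be checked without a browser. The script below is an added example, not part of the original post: it queries the unauthenticated getuserrealm.srf endpoint on login.microsoftonline.com, which the sign-in page itself calls, and compares the returned AuthURL host with the federation service FQDN you expect. The UPN and expected host are placeholders to replace with your own values.

```powershell
# Added example, not from the original post: ask Azure AD's home realm discovery endpoint where a
# sign-in for the given UPN will be sent, rather than watching the address bar during a My Apps login.
# Assumptions: outbound HTTPS to login.microsoftonline.com; $UserPrincipalName and $ExpectedStsHost are
# placeholders for your own federated test user and federation service FQDN (the post's FQDN is reused).
param(
    [string]$UserPrincipalName = 'testuser@idrockstar.co.za',
    [string]$ExpectedStsHost   = 'sts.idrockstar.co.za'
)

$login = [System.Uri]::EscapeDataString($UserPrincipalName)
$realm = Invoke-RestMethod -Uri "https://login.microsoftonline.com/getuserrealm.srf?login=$login&json=1"

"NameSpaceType : $($realm.NameSpaceType)"   # Federated, Managed or Unknown
"DomainName    : $($realm.DomainName)"
"AuthURL       : $($realm.AuthURL)"         # only returned for federated domains

if ($realm.NameSpaceType -ne 'Federated') {
    Write-Warning "Domain is '$($realm.NameSpaceType)', not Federated: a My Apps sign-in will not redirect to AD FS."
    return
}

# The AuthURL is the AD FS /adfs/ls/ endpoint the browser will be sent to; its host must be your STS.
$authHost = ([System.Uri]$realm.AuthURL).Host
if ($authHost -eq $ExpectedStsHost) {
    "OK: sign-in for $UserPrincipalName will redirect to $authHost"
} else {
    Write-Warning "Sign-in redirects to $authHost, expected $ExpectedStsHost: check the federation settings for $($realm.DomainName)"
}
```

A NameSpaceType of Managed right after federating a domain usually means the change has not been picked up yet or the wrong domain was federated; a Federated result with an unexpected AuthURL host points at a stale federation trust rather than a DNS or certificate problem.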

Summary

Federating a domain through Azure AD Connect involves verifying connectivity, but federated login should also be verified to ensure that everything works as expected. We covered verification using Azure AD Connect, as well as using IdP-initiated sign-on and accessing the My Apps portal.

Till next time…