Microsoft Developer Network

Azure AD Connect Federation

Last Updated: October 26, 2023

This article provides a comprehensive guide to configuring and managing federation with Azure Active Directory (Azure AD) using Azure AD Connect. Federation allows you to use an on-premises identity provider (IdP) to authenticate users for accessing Azure AD resources.

Note: Federation is a powerful authentication method, but it adds complexity. For many scenarios, password hash synchronization (PHS) or pass-through authentication (PTA) might be simpler and sufficient. Carefully evaluate your organization's requirements before implementing federation.

What is Federation?

Federation involves establishing trust between your on-premises Active Directory Federation Services (AD FS) or another supported third-party identity provider and Azure AD. When a user tries to access an Azure AD-protected resource, they are redirected to your on-premises IdP for authentication. Upon successful authentication, the IdP issues a security token that Azure AD trusts, granting the user access.

Prerequisites for Federation

  • An Azure AD tenant with a verified custom domain.
  • An on-premises Active Directory domain.
  • A functional on-premises identity provider (e.g., AD FS for Windows Server).
  • Azure AD Connect installed and configured to synchronize your on-premises identities to Azure AD.
  • Administrative privileges in both your on-premises AD and Azure AD.

Configuring Federation with Azure AD Connect

Azure AD Connect simplifies the process of setting up federation. During the Azure AD Connect installation or configuration wizard, you can choose the federation option.

  1. Launch Azure AD Connect: Run the Azure AD Connect setup wizard.
  2. Configure: Select the "Configure" option if you are modifying an existing installation or choose "Install" for a new setup.
  3. Select Federation Options: On the "Connect your directories" or "User sign-in" page, choose "Federation with AD FS".
  4. Specify AD FS Server(s): Provide the details of your AD FS farm, including the server names and certificates. Azure AD Connect can either configure AD FS for you or connect to an existing AD FS deployment.
  5. Select Domain for Federation: Choose the on-premises domain you wish to federate with Azure AD.
  6. Complete Installation: Follow the prompts to finalize the installation and configuration.

Tip: It's highly recommended to use Azure AD Connect's express settings for AD FS configuration if you are setting up a new AD FS farm. This automates many complex steps.

Key Federation Components

  • Relying Party Trust (RPT): This trust is configured in AD FS to recognize Azure AD as a trusted relying party, that is, the consumer of the tokens AD FS issues.
  • Claims Provider Trust (CPT): This trust is configured in Azure AD to recognize your AD FS as a trusted claims provider.
  • Security Tokens: AD FS issues security tokens (typically SAML tokens) containing claims about the authenticated user.
  • Attributes/Claims: Information about the user (e.g., UPN, object ID) that is sent in the security token.

Managing Federation

After federation is established, you can manage it through several tools:

  • AD FS Management Console: Used for managing AD FS server configurations, certificates, and claim rules.
  • Azure AD Portal: Used for managing domain settings, adding or removing federated domains, and viewing sign-in logs.
  • Azure AD Connect Synchronization Service: For managing user synchronization and ongoing configuration updates.

Troubleshooting Common Federation Issues

  • Incorrect domain name: Ensure the domain name in AD FS matches the one in Azure AD.
  • Certificate expiration: Regularly monitor and renew AD FS signing and token-decrypting certificates.
  • Clock skew: Ensure that the clocks on your AD FS servers and Azure AD are synchronized.
  • Firewall rules: Verify that necessary ports are open between your AD FS servers and Azure AD endpoints.
  • Claim rule misconfiguration: Review claim rules in AD FS to ensure they are correctly transforming and issuing the necessary claims.
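The troubleshooting items above can be checked from the AD FS side with a script such as the following. This is an added example, not code from the article or from Microsoft. It assumes it runs on an AD FS server with the ADFS module available, that the Azure AD relying party trust still carries the default name Azure AD Connect gives it (pass -RptName if yours differs), that time.windows.com is reachable for the clock check, and, when -DomainName is supplied, that the MSOnline module is loaded and Connect-MsolService has already been run. The 30-day and 60-second thresholds are chosen here, not taken from the page.

```powershell
# Added example: AD FS federation health check for the issues listed above.
param(
    [string]$RptName    = "Microsoft Office 365 Identity Platform",  # assumed default RPT name
    [string]$DomainName,                                            # optional: federated domain to compare
    [int]$WarnDays      = 30,                                       # chosen warning window for certificates
    [int]$MaxSkewSeconds = 60                                       # chosen warning threshold for clock offset
)
Import-Module ADFS -ErrorAction Stop
$findings = @()

# 1. Certificate expiration: token-signing and token-decrypting certificates are the ones Azure AD trusts.
$certs = Get-AdfsCertificate | Where-Object { $_.CertificateType -in 'Token-Signing', 'Token-Decrypting' }
foreach ($c in $certs) {
    $days = [int]($c.Certificate.NotAfter - (Get-Date)).TotalDays
    if ($days -lt $WarnDays) { $findings += "$($c.CertificateType) $($c.Thumbprint) expires in $days days" }
}
if (-not (Get-AdfsProperties).AutoCertificateRollover) {
    $findings += "AutoCertificateRollover is off: certificate renewal and the Azure AD update are manual"
}

# 2. Claim rule misconfiguration: Azure AD needs the UPN and ImmutableID claims from this RPT.
$rpt = Get-AdfsRelyingPartyTrust -Name $RptName -ErrorAction SilentlyContinue
if (-not $rpt)             { $findings += "Relying party trust '$RptName' not found" }
elseif (-not $rpt.Enabled) { $findings += "Relying party trust '$RptName' is disabled" }
else {
    foreach ($claim in 'http://schemas.xmlsoap.org/claims/UPN',
                       'http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID') {
        if ($rpt.IssuanceTransformRules -notmatch [regex]::Escape($claim)) { $findings += "No issuance rule emits $claim" }
    }
}

# 3. Clock skew: measure this server's offset from an NTP source; tokens carry a validity window.
$sample = w32tm /stripchart /computer:time.windows.com /samples:1 /dataonly | Select-Object -Last 1
if ($sample -match '([+-]\d+\.\d+)s') {
    if ([math]::Abs([double]$Matches[1]) -gt $MaxSkewSeconds) { $findings += "Clock offset of $($Matches[1])s from NTP" }
} else { $findings += "Could not measure clock offset (w32tm output: $sample)" }

# 4. Domain / issuer mismatch: Azure AD must hold this farm's issuer URI and its current signing certificate.
if ($DomainName) {
    $fed  = Get-MsolDomainFederationSettings -DomainName $DomainName
    $adfs = Get-AdfsProperties
    if ($fed.IssuerUri -ne $adfs.Identifier.AbsoluteUri) {
        $findings += "Azure AD IssuerUri '$($fed.IssuerUri)' differs from AD FS identifier '$($adfs.Identifier)'"
    }
    $primary = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
    if ($fed.SigningCertificate -ne [Convert]::ToBase64String($primary.Certificate.RawData)) {
        $findings += "Azure AD holds a signing certificate for $DomainName that is not the current primary"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Output "Federation checks passed" }
```

Run it on a schedule and forward warnings to your monitoring so an expiring certificate or drifting clock is caught before sign-ins fail.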

Switching Authentication Methods

You can switch from federation to other authentication methods like PHS or PTA using the Azure AD Connect wizard. This process involves reconfiguring Azure AD Connect and updating the domain's trust relationship with Azure AD.

For detailed step-by-step instructions and advanced configurations, please refer to the official Microsoft documentation.