One of the biggest challenges of adopting cloud services is extending identity policies from the on-premises environment into the cloud. In an Active Directory (AD) environment, it might be tempting to turn to Active Directory Federation Services (ADFS), which has long been the answer for providing single sign-on capabilities to allow users to authenticate and access applications that otherwise would not be available to them using only Active Directory, such as Azure and Microsoft 365.
However, as threat actors continue to target cloud environments, it is fair to examine whether ADFS is the best solution for organizations embracing hybrid environments. While ADFS is not inherently unsecure, the complexity of implementing it properly leaves it susceptible to attackers. As was demonstrated in the SolarWinds supply chain attack, a vulnerability in the on-premises environment can ultimately lead to the compromise of the Azure AD tenant. In addition to being another set of physical servers to manage, ADFS servers also expand the attack surface businesses need to protect.
Even Microsoft has recommended organizations consider migrating away from ADFS, noting in a January blog post: “If you want to extend MFA and Conditional Access to legacy on-premises apps, including header-based apps, use Azure AD Application Proxy or an integrated solution from one of our secure hybrid access partners. With our migration tools, you can modernize authentication of all apps and retire your ADFS implementation. This will help prevent attacks that are particularly difficult to detect in on-premises identity systems.”
A world without ADFS
To help organizations connect all their apps to Azure AD, Microsoft introduced Password Hash Synchronization (PHS) and Pass-through Authentication (PTA). Using Password Hash Synchronization, Active Directory administrators can synchronize a hash of a user’s on-premises AD password hash to Azure AD. In effect, this allows users to leverage services like Microsoft 365 using the same password they would for their on-premises AD account.
The second method of managed authentication for Azure AD is Pass-through Authentication, which validates users’ passwords against the organization’s on-premises Active Directory. It uses authentication agents in the on-premises environment. These agents listen for password validation requests sent from Azure AD and do not require any inbound ports to be exposed to the Internet to function. Passwords do not have to be present in Azure AD in any form, eliminating a potential attack vector. In addition, on-premises policies such as account expiration or log-on hour restrictions can be applied to accounts. As a pre-requisite for Pass-through Authentication to work, users need to be provisioned into Azure AD from on-premises Active Directory using Azure AD Connect.
While there are still use cases where it might make sense to maintain an ADFS deployment—such as using ADFS for user certificate authentication—for many organizations, the case to move away from ADFS is strong. By using PHS and PTA, organizations can reduce the number of passwords users have to remember. However, that is only one of the benefits that can come from migration. ADFS is complex to deploy and requires physical hardware that has to be maintained. If an ADFS server is not kept current with the latest patches, it is vulnerable to attacks. PHS, on the other hand, is maintained by Microsoft, and using it decreases the infrastructure organizations need to protect.
If you are at the beginning of your hybrid journey, ADFS should not be your first option for linking the authentication between the on-premise and online workloads. However, if you have deployed ADFS, you’re looking at a migration, which still provides enhanced security over ADFS.
Changing authentication methods, however, is no trivial task and requires significant planning and testing. Any migration away from ADFS should occur in stages to allow for sufficient testing and potential downtime. At a minimum, organizations should be running Azure AD Connect 1.1.819.0 to successfully perform the steps to migrate to password hash synchronization. The method for switching to PHS depends on how ADFS was originally configured. If ADFS was configured via Azure AD Connect, then the Azure AD Connect wizard must be used. In this situation, Azure AD Connect automatically runs the Set-MsolDomainAuthentication cmdlet and automatically unfederates all the verified federated domains in the Azure AD tenant.
If an organization did not originally configure ADFS by using Azure AD Connect, it can use Azure AD Connect with PowerShell to migrate to PHS. However, the AD administrator must still change the user sign-in method via the Azure AD Connect wizard. The AD Connect wizard will not automatically run the Set-MsolDomainAuthentication cmdlet, leaving the administrator with full control over what domains are converted and in what order.
Supporting cloud initiatives
For businesses with hybrid environments, connecting all applications to Azure AD reduces complexity and offers an opportunity to decrease the attack surface. As a side benefit, it also has the potential to improve the user experience by implementing single-sign-on as well as stringent account security controls. As organizations adopt hybrid identity approaches to support their cloud initiatives, they should take the time to examine whether or not ADFS best suits their needs.
- Top Security Risks to Watch for in Shifting to Hybrid Identity Management | Semperis
- What You Need to Know About Securing Active Directory_register | Semperis
- Three Steps to Harden Your Active Directory in Light of Recent Attacks | Semperis