Security and ADFS on Windows Server 2012 R2

  • Question

  • We recently migrated to Office 365.  As a part of this, we implemented Azure Active Directory and ADFS, running with two ADFS proxy servers, two ADFS servers, and two domain controllers (replicating with our on premises Domain Controllers).  We have also utilized this ADFS infrastructure to federate logins for ArcGIS online though ESRI.  We are now looking at utilizing ADFS for other cloud based services.  During our discussion, concern has arisen surrounding the security of ADFS and how much of our directory it exposes.  Our Microsoft sales rep has come onsite, and recommended that we purchase Azure Active Directory premium licenses, at a $70,000 expense, because what we are currently using is not the "recommended way."  No real reasons were given as to why configuring ADFS from the ADFS mmc snapin, rather than by purchasing a $70,000 add-on, was not the "recommended way" to do things.  When one of our senior management mentioned something about security, our sales rep seemed to "latch on" to that argument as support for why we should buy the $70,000 product, but it wasn't mentioned until someone on our team brought it up.  To me it seemed like the Microsoft rep was allowing us to reach our own conclusions with no input from them, and then using our conclusions (even if erroneous) to help make the sale.  To me, Azure Active Directory premium only added a front end, which automates the configuration that one would normally perform manually in ADFS.

    ADFS is quite new to me, and I haven't really had the time to become familiar with its concepts.  I have been a domain admin / exchange / Citrix admin for 14 years, but this is our first foray into the ADFS world.  Could someone point me in the direction of some resources explaining what actually goes on during the ADFS authentication process?  Do we have any reason to be concerned security-wise with the architecture above?  It seems to me that ADFS simply maps attributes from the cloud based service end to attributes in AD, and either approves a login request or denies it.  I'm sure it is a bit more complex than this, but is this the high level function?  Basically, we want to be sure that we are not exposing any internal data in a fashion that could be harvested.  Sorry for what might seem like an odd post, but I am still becoming familiar with this.  Any information would be greatly appreciated.


    Thanks,

    Patrick M. Sullivan
    Thursday, May 5, 2016 7:38 PM

Answers

  • Maybe MSFT is suggesting to use Azure AD Proxy and/or Azure AD MFA.

    AAD premium is only needed if you need to use specific features that specifically require AAD premium.


    Cheers,

    Jorge de Almeida Pinto

    Principal Consultant | MVP Directory Services | IAM Technologies

    DISCLAIMER: This post is provided "AS IS" with no warranties of any kind, either expressed or implied, and confers no rights! Always evaluate/test yourself before using/implementing this!

    Thursday, May 5, 2016 8:37 PM
  • Agree with @Jorge and @Pierre - you do not normally need AAD Premium for this use case.

    If you want to add things like MFA, SSPR with write back, group support etc. then you would add it.

    Refer: Azure Active Directory editions

    O365 under the hood runs on Azure AD.

    Having ADFS as a federated domain to Azure AD and using AAD Connect to sync your AD users up is a normal and secure use case.

    As per "Azure Active Directory premium only added a front end, which automates the configuration that one would normally perform manually in ADFS.", note that there is no part of ADFS that is configurable in Azure AD.

    In terms of "We are now looking at utilizing ADFS for other cloud based services", there are two ways to do this:

    • Federating directly with ADFS
    • Using the integrated SaaS application that Azure AD supports. (The ones here)

    You don't need AAD Premium for the latter but you are restricted to 10 apps.

    "With Azure AD Free and Azure AD Basic, end users who have been assigned access to SaaS apps, can see up to 10 apps in their Access Panel and get SSO access to them. Admins can configure SSO and assign user access to as many SaaS apps as they want with Free and Basic however end users will only see 10 apps in their Access Panel at a time".

    It seems that you are talking at cross purposes?



    Monday, May 9, 2016 8:24 PM
  • The concepts of ADFS are described here: https://technet.microsoft.com/en-us/library/hh831502(v=ws.11).aspx#BKMK_OVER it gives you some ideas on the why and how we do federation in the Microsoft ecosystem.

    Azure AD premium is not mandatory at all. It offers nice additions though, here are some that might have led to the advice to consider Azure AD Premium:

    Note that if you are concerned about ADFS exposing a form enabling password discovery attacks, you can have a look at this:

    Please, feel free to share more of the concerns you have.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Monday, May 9, 2016 1:49 AM
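The two points raised in this thread that a defender can actually check on the boxes are (a) which AD attributes each relying party is being told about, since the issuance transform rules are the only path by which directory data leaves the federation service, and (b) whether the externally reachable forms sign-in page is protected against password guessing by ADFS extranet lockout. The script below is an added example for this thread, not code from any of the posters or from Microsoft; it uses the real `Get-AdfsRelyingPartyTrust`, `Get-AdfsProperties` and `Set-AdfsProperties` cmdlets of the ADFS module on Windows Server 2012 R2, while the variable names (`$report`, `$ldapAttributes`, `$props`) and the attribute-extraction regex are my own and assume the standard "Send LDAP Attributes as Claims" rule syntax.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session
# on an ADFS server (Windows Server 2012 R2). Read-only except for the
# commented-out Set-AdfsProperties call at the end.
Import-Module ADFS

# 1. Inventory what each relying party (Office 365, ArcGIS Online, ...) is
#    told about your users. A typical "Send LDAP Attributes as Claims" rule:
#      c:[Type == ".../windowsaccountname"]
#       => issue(store = "Active Directory",
#                types = (".../claims/upn", ".../claims/emailaddress"),
#                query = ";userPrincipalName,mail;{0}", param = c.Value);
#    so the LDAP attribute list sits between the first and second ';' of
#    every query clause. Assumption: rules follow that standard syntax.
$report = foreach ($rp in Get-AdfsRelyingPartyTrust) {
    $rules = [string]$rp.IssuanceTransformRules
    $ldapAttributes = [regex]::Matches($rules, 'query\s*=\s*"[^;"]*;([^;"]+);') |
        ForEach-Object { $_.Groups[1].Value.Split(',') } |
        ForEach-Object { $_.Trim() } |
        Sort-Object -Unique
    [pscustomobject]@{
        RelyingParty   = $rp.Name
        Enabled        = $rp.Enabled
        Identifiers    = ($rp.Identifier -join ', ')
        LdapAttributes = ($ldapAttributes -join ', ')
        # A "pass through all claims" rule forwards everything upstream
        # rules produced; flag it so it gets a closer look.
        PassThroughAll = [bool]($rules -match 'c:\[\]\s*=>\s*issue\(claim\s*=\s*c\)')
    }
}
$report | Format-Table -AutoSize

# 2. Check extranet lockout, which makes the ADFS farm stop validating a
#    user's password against AD after N bad attempts arriving through the
#    Web Application Proxy within the observation window.
$props = Get-AdfsProperties
$props | Select-Object EnableExtranetLockout, ExtranetLockoutThreshold, ExtranetObservationWindow

# To enable it (example values). Keep the threshold below the domain's
# account lockout threshold, so the proxy side stops guessing before the
# internal AD account itself locks and the attempt turns into a denial of
# service against your own users:
# Set-AdfsProperties -EnableExtranetLockout $true `
#     -ExtranetLockoutThreshold 5 `
#     -ExtranetObservationWindow (New-TimeSpan -Minutes 30)
```

The first table answers the "how much of our directory does it expose" question concretely: each relying party should show only the attributes it needs (for Office 365 that is typically the UPN and the immutable ID), and any trust with a long attribute list or a pass-through-all rule is the place to tighten. The second part reflects the lockout comment in the reply above; the ADFS audit log on the farm still records the failed attempts, so enabling lockout does not hide them from your monitoring.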
