Hey Dean, this was an awesome video! I really like the fact you make sure to point out the relevant Azure documentation. I also liked the step by step instructions, accompanied by the necessary commentary of course, as well as the tips you mentioned. Personally, I prefer the hands on videos like this one. Keep up the good work and thank you for your time.
Thanks for the feedback Sotiris!
Hey Dean! I have never seen someone explains - crystal clear ! Thanks a ton. Just subscribed :)
Thanks Abraham! Share The Azure Academy with others so they can learn as well.
😎☺️👍
+Abraham Dhanyaraj thanks!
Great explanation, could you please do a video on how to setup Avd sso with ADFS.
Already done! My channel has EVERY possible feature and config of AVD! ruclips.net/video/_VOEi0cMBvQ/видео.htmlsi=Ji-BO9HP6chea-Yl
Hi there, really appreciate your professional tutorial and the details provided in it. It's hard to find such good info on RUclips for ADFS. The only part which you could consider is about defining the extranet ADFS DNS, which I did not find where you set that up. Thank you.
Thank you for the feedback!
I will add your request to the backlog thank you for the suggestion. Are there any other parts of Azure and DNS that would interest you? Public or private zones, traffic manager?
This is a great series of videos
Thanks Matt!
Impressed with this video and quite interesting and informative. thank a ton!!!!
Glad it was helpful! Let me know what other videos you want me to make!
Great Video! @AzureAcademy , do you have any particular doc for guidance about configuring the ADFS / DNS /public IP stuff?
Right here 👉 learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn614658(v=ws.11)#:~:text=You%20must%20create%20a%20DNS%20CNAME%20record%20that,multiple%20CNAME%20records%20must%20be%20created%20in%20DNS.
I liked the video. Lots of good material covered. Except the whole reason I was watching was to learn about the WAP integration with ADFS. I don't see that you covered this in any of your other videos. Did you go through this and I missed it somehow?
I did not go through it. WAP is not required for ADFS to work, and it functions in the same way a gateway / proxy would. It stands in front of ADFS so ADFS isn’t directly exposed to the internet. In my experience companies don’t use WAP because they have network hardware that works better for this purpose
Amazingly explain. Well Done .
Thanks.
Glad you liked it
Hey, great presentation. Why set up this Azure ADFS when you can just use Azure AD Connect to sync and enable SSO?
ADFS is another layer of identity security requiring certs and devices registered in your AD. Azure AD SSO only requires the user sign in, so it is secured differently...it all depends on what you need to be successful.
It would be really helpful if you provided, up-front, a solution design/architecture picture for the target result that is being discussed. Here's the result, here's how we're getting to the result and here are the fundamentals that you need to understand.
I hear what you are saying...however in things like ADFS you can get extremely specific in your use case, and if I did then the video would not be as applicable to a wide audience...so I stuck to general implementation of ADFS and Azure.
If there is a specific use case you have in mind...let me know and I may be able to work on it
Excellent videos!! Very clear and understandable. The setup for the ADFS web proxy server is the same, but the difference is that it has to be placed in the DMZ with a public IP?
Thanks Juan!
Simply superb.
Thanks for the feedback!
Please make videos on the great features of Azure AD like PIM, MFA, CA, IP, app registration, scope, consent... A lot more is there... Please publish more videos on Azure AD
Thanks for the request! We are working on that now.
The thing that has taken so long is the Azure AD Licensing we need to do those videos...stay tuned!
Hi, congratulations on the great videos you create for the community.
I wanted to ask you a question that is perhaps a bit silly: what is the benefit of choosing an ADFS structure when with password hash and pass-through authentication everything is much simpler and faster? I have to do a lot of work: DMZ, proxy application server, buy and update a certificate, plus the costs for copies of Windows Server ... Why? Is it more secure? Thanks for the attention
Great question. ADFS is more complex for sure, but it also comes with MANY benefits. For example it is the only way to have 100% seamless single sign on 👉 ruclips.net/video/_VOEi0cMBvQ/видео.html
And if you are using it today the switch over to Azure is very simple.
Integrates with many 3rd parties and handles all authentication requests instead of handling some in the cloud and some on prem
@@AzureAcademy Thank you very much for your kind reply.
I take this opportunity if you can answer to ask you something else.
Since I moved on to managing all my infrastructure with Intune, to register in MDM I had to do the Hybrid Azure AD Join on desktop PCs.
The join was failing for me until I decided to change the authentication from ADFS federated domain to SSO pass-through authentication. As soon as I changed the authentication, the PCs were finally able to do the Hybrid Join.
Now I am wondering: will I no longer need the Web Application Proxy server (could I remove it?) and to update the SSL certificate, since I no longer use ADFS as authentication?
Thanks for the attention!
The web proxy is recommended with ADFS. It is an extra layer of security.
In your example: is ADFS set up on-premises or in the cloud (Azure)? Is there a best practice setup on Azure? In a DMZ published to the Internet with a public address? If I host my domain.blabla.com at a third party, do I point an A record to the ADFS? Thanks for your comments.
It is in Azure, as for where it “should” be...any domain member server is fine. The ADFS role is a high value asset so you would NOT put it in the DMZ. There is an additional web app proxy for ADFS that you can put in the DMZ
Learn more with the docs
docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs
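The placement rules in this reply (the public federation name should land on the Web Application Proxy, the ADFS farm itself should not be reachable from the internet, and the service certificate and federation metadata should be served correctly for the name) can be checked from a workstation with the script below. It is an added PowerShell example, not code from the video or from Microsoft's documentation. The federation service name sts.example.com, the internal ADFS address 10.0.1.10 and the public resolver 1.1.1.1 are placeholders to replace with your own values; the script assumes the Windows DnsClient module (Resolve-DnsName) and is run from a domain-joined machine so the unqualified lookup returns the internal (split-DNS) answer.

```powershell
param(
    # Placeholders: replace with your federation service name, internal AD FS address and a public resolver.
    [string]$FederationService   = 'sts.example.com',
    [string]$InternalAdfsAddress = '10.0.1.10',
    [string]$ExternalResolver    = '1.1.1.1'
)

function Resolve-FromResolver {
    param([string]$Name, [string]$Resolver)
    # -DnsOnly skips the local cache and hosts file, so the answer is what the resolver actually returns.
    $query = @{ Name = $Name; DnsOnly = $true; ErrorAction = 'Stop' }
    if ($Resolver) { $query.Server = $Resolver }
    $rr = Resolve-DnsName @query
    [pscustomobject]@{
        CName = @($rr | Where-Object Type -eq 'CNAME' | ForEach-Object NameHost)
        IPs   = @($rr | Where-Object Type -eq 'A'     | ForEach-Object IPAddress)
    }
}

function Get-TlsServerCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept whatever the server presents; the checks below inspect the certificate themselves.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally {
        $client.Dispose()
    }
}

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Extranet DNS: compare what the internet resolves with what a domain member resolves.
$external = Resolve-FromResolver -Name $FederationService -Resolver $ExternalResolver
$internal = Resolve-FromResolver -Name $FederationService
if (-not $external.IPs) {
    $findings.Add("No public A record for $FederationService; external clients cannot reach the WAP.")
}
if ($external.IPs -contains $InternalAdfsAddress) {
    $findings.Add("Public DNS points straight at the internal AD FS address $InternalAdfsAddress; no WAP in front.")
}
if ($internal.IPs | Where-Object { $external.IPs -contains $_ }) {
    $findings.Add("Internal and external answers overlap; split DNS for the federation name is not in place.")
}

# 2. Service communication certificate as an external client sees it.
$cert = Get-TlsServerCertificate -HostName $FederationService
if ($cert.DnsNameList.Unicode -notcontains $FederationService) {
    $findings.Add("Certificate SAN lacks $FederationService (has: $($cert.DnsNameList.Unicode -join ', ')).")
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    $findings.Add("Certificate expires on $($cert.NotAfter); renew before it lapses.")
}

# 3. Federation metadata should be served through the WAP and name the same federation service.
$metadataUri = "https://$FederationService/FederationMetadata/2007-06/FederationMetadata.xml"
$entityId = $null
try {
    $entityId = ([xml](Invoke-WebRequest -Uri $metadataUri -UseBasicParsing).Content).EntityDescriptor.entityID
} catch { }
if (-not $entityId) {
    $findings.Add("Federation metadata not reachable at $metadataUri.")
} elseif ($entityId -notmatch [regex]::Escape($FederationService)) {
    $findings.Add("Metadata entityID '$entityId' does not reference $FederationService.")
}

if ($findings.Count -eq 0) { 'All checks passed.' } else { $findings }
```

Run it once from inside the network and once from a host outside it: the internal run should report the farm or load balancer address, the external run should report only the WAP's public address, and both should see the same certificate and entityID. Any overlap between the two answers is exactly the "AD FS in the DMZ" situation the reply warns against.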
@@AzureAcademy If you could answer another question I would appreciate it. Should ADFS be available for users to log on (from domain member machines)? If there is any documentation link, thank you again.
WVD does not require ADFS. However if you want to have Single-Sign-On it is required
Hey Dean, where did the certificate come from? Generated, or do you need a special subscription in Azure?
I got the cert from www.sslforfree.com/
this site gives free certs...but you have to own the domain name so you can add verification DNS entries. no special subscription required.
Hi Dean, thanks for the video! At 4:10 (in the Credentials section), I am trying to enter my own AD ID (having global administrator access) and password. It says, "User is not a member of domain admin group of domain"
Check that your account is NOT in a nested group
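One way to check what this reply suggests, as an added PowerShell example that is not from the video: it reports whether an account is a direct member of Domain Admins, a member only through a nested group (and which one), or not a member at all. It assumes the ActiveDirectory RSAT module on a domain-joined machine; the account name adfsadmin is a placeholder.

```powershell
Import-Module ActiveDirectory

function Get-DomainAdminMembership {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$Group = 'Domain Admins'
    )
    # Direct members only (users and groups listed on the group object itself).
    $directMembers = Get-ADGroupMember -Identity $Group
    $directUsers   = @($directMembers | Where-Object objectClass -eq 'user' | ForEach-Object SamAccountName)
    # -Recursive expands nested groups down to the leaf user accounts.
    $allUsers = @(Get-ADGroupMember -Identity $Group -Recursive | ForEach-Object SamAccountName)

    if ($SamAccountName -in $directUsers) {
        return [pscustomobject]@{ Account = $SamAccountName; Membership = 'Direct'; Via = $null }
    }
    if ($SamAccountName -in $allUsers) {
        # Find which nested group(s) carry the membership, so the account can be added directly
        # or the nesting removed, whichever the setup wizard requires.
        $via = @($directMembers | Where-Object objectClass -eq 'group' |
                Where-Object { (Get-ADGroupMember -Identity $_ -Recursive).SamAccountName -contains $SamAccountName } |
                ForEach-Object Name)
        return [pscustomobject]@{ Account = $SamAccountName; Membership = 'Nested'; Via = ($via -join ', ') }
    }
    [pscustomobject]@{ Account = $SamAccountName; Membership = 'None'; Via = $null }
}

# Placeholder account name; replace with the account you typed into the Credentials page.
Get-DomainAdminMembership -SamAccountName 'adfsadmin'
```

A result of Nested means the account is an administrator in practice but will not be found by a check that only reads the group's direct member list, which is the situation the reply is pointing at.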
Sir, I require your urgent help on one issue I'm facing: I am getting an "ADFS p3p error" when trying to access the SSO application through "VPN 1 gateway", but the same application is accessible from "VPN 2 gateway". I am not able to find where the issue is or how to fix it... please help me
Hey Test User…
Not completely sure, but if it works on VPN 2 then you are able to function, so it's not an emergency. Normally the reason VPN 1 works but VPN 2 doesn't is because they are not configured the same way or the VPN key is wrong
I think this was a little too much for me. The best thing is that there's always a step by step instructions in Microsoft Doc to do most procedures, so I'm not that fussed at this stage not being able to follow. Oh and I passed my Azure Az-900 about a month ago, just before the Confinement was made official here in the UK. Yep!
That is AWESOME! Congratulations Bijou! 👏🙌👌👍😁
@@AzureAcademy Thank you.
Anytime!
Nice and crisp video on ADFS, which is for SSO between on-premises AD and Azure AD. Will this configuration import identities (without password) from on-premises AD to Azure AD.. right?
How the password is handled is dependent on how you have AzureAD Connect setup.
+mailmepnk you will always have a password, even if you enhance security with biometric or PINs. SSO can be done without ADFS but ADFS allows you to federate your Active Directory to outside stuff...When using Azure AD, you have more options with ADFS to bring that authentication closer to onPrem
So crazy question but have you worked with WVD using ADFS ?
I know there are problems with WVD not supporting B2B and Guest users, though was wondering about ADFS.
Yes I have used WVD with ADFS. It works natively because WVD just uses Azure AD and Azure AD uses ADFS...so seamless integration
Great question Yuukan! YES I have worked with WVD and ADFS. Since WVD uses whatever authentication you set up through Azure AD and ADFS integrates into the Azure AD Auth process WVD will just use it too!
Hello Dean, does Azure AD connect support multiple ADFS farms in separate AD forests or just one. Thanks
Great question the short answer is...it depends. ☺️
It depends on your topology and environment etc
Here are 2 links to help you
docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-topologies
docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-multiple-domains
Do you know if ADconnect already supports creating this level of ADFS when using a policy over a route site to site IPSec?
As far as I know yes...once Azure AD Connect knows that you have ADFS it hands off authentication and as far as I know you can do what ever policy you want
Hey Dean, Great video! Quick question: when you joined the Federation member server to the domain, how did you do that? Azure AD Domain Services in Azure?
The federation server is connected to my Active Directory domain. I don’t believe you can do ADFS with Azure AD Domain Services (AADDS) because you need elevated domain rights to set it up, and in AADDS you are just a user.
@@AzureAcademy Got it -- makes sense now that you explain it like that. I appreciate the response -- thank you!!
@@AzureAcademy FYI, this is what I was referring to: ruclips.net/video/L8jqVCWj0Ic/видео.html
@@AzureAcademy By chance, were you able to do a video on adding the web proxy portion of ADFS configuration? ruclips.net/video/L8jqVCWj0Ic/видео.html
@@a-teamIL I think you are the first to ask...I'll look into it
Amazing thank you
Thanks for watching!
Sir, do you work for Microsoft? How did you excel at such an immense tutorial? Superb video. Trying to grasp it slowly
Thanks for the feedback!
I do work for Microsoft, but The Azure Academy is my own channel.
cool but you should not do a lot of configuration off camera, it’s really more effective if you do it all step by step, such as add or create certificates
Which configuration of camera are you referring to?
Want to learn everything about Azure AD FAST? * Start here!* ruclips.net/video/pN8o0owHfI0/видео.html
👍
Dean, this video was hard to follow and digest due to the technical nature of setting up ADFS. I think an introduction with a Diagram and workflow would have been very useful for learning and following all the hard work you put in on making this video.
Sorry, for me it is NOT a thumbs up.
sorry to hear that, but thank you for the feedback Abu. Can you be more specific on what was hard to follow?