
Explore identity federation with ADFS and Azure AD to let external parties access your organization's applications, using federation, password hash synchronization, and pass-through authentication, with B2B and B2C support.
Learn how identity providers and service providers enable identity federation, with apps trusting providers such as Azure Active Directory, Gmail, or Facebook to authenticate users and grant access.
Explain why identity federation matters, solving Kerberos limitations and partner access, by using claim-based tokens and standard protocols for secure on-premises and cloud authentication with ADFS and Entra ID.
Discover how claim-based identity and authentication use a security token service to issue tokens carrying user claims such as age and email for a payroll app, once the user has been authenticated by an identity provider.
Plan your first ADFS deployment by choosing the configuration database (Windows Internal Database or SQL Server), proxies, DNS resolution, and load balancing. Assess capacity and plan the certificates that secure the ADFS URLs.
Plan capacity for ADFS servers to handle peak authentication requests and both internal and external users, guided by Microsoft’s estimation table, with federation and proxy servers behind a load balancer.
Learn to configure service communication certificates, token signing certificates, and token decrypting certificates for ADFS and Entra ID, including exporting private keys, external certification authority options, and web proxy usage.
Prepare a VNet with two subnets in Azure; deploy domain controllers and ADFS servers; install Active Directory and Certificate Services; configure an internal load balancer for the ADFS farm.
Configure an Azure virtual network with internal and DMZ subnets, using the address ranges 10.10.0.0/16, 10.10.1.0/24, and 10.10.2.0/27, by provisioning a new resource group in the Azure portal.
Learn how to create and attach network security groups (NSGs) in Azure to internal subnets, configure default inbound and outbound rules, and enforce traffic controls between virtual networks.
Install a second federation server into the existing farm and import the first server's SSL certificate. Configure it as a secondary federation server joined to the primary server, then reboot.
Configure an internal Azure load balancer for an ADFS farm, create a backend pool for the ADFS servers, and set up a health probe on port 80.
Explore how federation trust uses claim provider trust and relying party trust between Active Directory, ADFS servers, and applications, with metadata exchange and encryption to source and secure claims.
Windows Identity Foundation SDKs are no longer available to download from the Microsoft site. You can use WIF SDK 4.0 instead, and I have made it available in the GitHub repository:
https://github.com/himanshur17/Azure-camp/blob/main/WindowsIdentityFoundation-SDK-4.0.msi
Create a relying party trust in ADFS by importing the application's metadata and configuring a claim issuance policy to pass name and role, enabling single sign-on via intranet zone.
Explore how claim rules transform incoming claims into outgoing claims, mapping types and values, such as turning an email address into a name or exposing group memberships.
Trace how claim rules are processed from claim provider trust through the claim pipeline to authorization issuance and issuance transform, including group-based access and MFA controls.
Explore how to publish an internal ADFS server to the internet using a Web Application Proxy and an internet-facing load balancer, with partner federation.
Deploy and configure AD FS in a partner organization, establishing cross-org trust by exchanging certificates, importing trusted roots, and enabling name resolution with DNS conditional forwarders.
Configure a relying party trust and a claim provider trust between two organizations using AD FS, enabling certificate trust, domain resolution, and claims exchange for cloud services.
Learn how to manage claims across organizations by configuring claim rules, transforming and passing through role and name claims between each organization's ADFS servers to grant access.
Understand home realm discovery for multi-partner federations, configure automatic redirection by email domain suffix, and tailor the login page by enabling suffix rules and removing local authentication.
Decode WS-Fed, SAML, and OAuth tokens in a Microsoft ADFS deployment using Claims X-Ray and Fiddler, and set up relying party trusts with a PowerShell script.
Explain how OAuth flow delegates authority using authorization codes, access tokens, and scopes, and show how OpenID Connect adds user authentication with ID tokens for federated sign-in.
Configure identity federation with Azure AD as the identity provider, register a domain, and synchronize on-premises directory for authentication, then test and plan migration to PTA and seamless single sign-on.
Register a public domain in Azure Active Directory by opening the Azure portal, adding a custom domain, and verifying ownership with a DNS TXT record.
Federate your on-premises Active Directory with Azure AD using AD FS and Azure AD Connect to enable federation-based authentication and seamless sign-in with a matching UPN suffix.
Test federated authentication flows between on-premises AD FS and Azure AD by verifying relying party trust, UPN-based claims, and email attribute synchronization via Azure AD Connect.
Enable password hash synchronization as a backup for on-premises Active Directory federated authentication, configuring Azure AD Connect to sync password hashes so users can still sign in if the ADFS service fails.
Switch back to federation by reconfiguring Azure AD Connect to use ADFS and Entra ID, enabling password hash synchronization and updating the relying party trust.
Understand pass-through authentication, which synchronizes on-premises user accounts to Azure AD while keeping passwords on premises, enabling secure login and single sign-on with Conditional Access.
Switch from federated authentication to pass-through authentication (PTA) in Azure AD, implement staged rollout with a dedicated group, on-premises agents, and pilot user testing before full migration.
Explore seamless single sign-on in identity federation using Microsoft ADFS and Entra ID, enabling passwordless access to web and native apps via Azure AD Connect and on-premises Kerberos.
Explore Azure AD B2B collaboration and B2C identities, register a sample app, create a user flow with authentication page, add Facebook and Google as identity providers, and enable OTP authentication.
Explore how Azure AD B2C acts as a customer identity provider, enabling sign-up and sign-in with social or local accounts, federating via OpenID Connect and customizable user flows.
Register a sample web app in Azure AD B2C and link the B2C directory to your subscription. Enable the redirect URI, permissions, client secret, and implicit grant flow for tokens.
Create and test a user flow for sign up, sign in, and password reset in the application, using Azure AD B2C to issue tokens with configured claims.
Register Facebook as an identity provider in the Azure AD B2C Entra ID tenant, configure app ID and secret, and set the OpenID Connect redirect for sign-in.
Azure AD B2B collaboration lets external partners access your applications using shadow accounts while their own identity providers handle lifecycle management, with your policies and multifactor authentication applying to them.
Explore how B2B collaboration enables guest access through implicit trust with external Azure Active Directories and Microsoft accounts, including token-based authentication and the creation of shadow accounts for personal emails.
Invite external users for B2B collaboration in Azure Active Directory via guest invitations, app-based invitations, or group memberships, and manage access as invitations become Microsoft Accounts Directory or shadow accounts.
Congratulations on completing the course; we hope you enjoyed the learning experience. Revisit the material if needed, reach out with any doubts, and consider leaving a review.
What is this course about?
When we want external parties to consume our applications (on-premises or cloud), federation comes into the picture. Federation allows external identities (from partner organizations or individual contractors) to access applications published by another organization using their own organization's user accounts or their personal social media accounts.
This course primarily covers the federation of identities using the old workhorse Active Directory Federation Services (ADFS) and Entra ID, formerly known as Azure Active Directory (Azure AD). Students will gain a step-by-step understanding of implementing an ADFS infrastructure in Azure IaaS, and in later sections they will learn how Azure AD works as a federation broker.
Students will also learn how to register a custom domain in Azure AD and sync their on-premises user objects to Azure AD using Azure AD Connect. The course also explains in detail how Azure AD B2B collaboration and Azure AD B2C work.
If you are preparing for the SC-300 exam, this course covers a subset of its objectives.
Disclaimer: This course does not cover any web application coding to make an application claims-aware. Ready-made sample applications are used for demonstration.
Who is the perfect audience?
This course is perfect for students who:
1. Have basic knowledge of Azure and Active Directory
2. Have no prior knowledge of ADFS or federation
3. Work as Windows, Azure, or Identity Management administrators
Why take this course?
There are many reasons to take this course.
It is taught by a Microsoft Certified Trainer.
It includes many hands-on exercises that will make you practically sound and deepen your understanding of the concepts.
Moreover, identity federation for collaboration is a hot subject in today's digital age, and this course explains it using Microsoft ADFS and Azure AD.
Lastly, I am eager to see you succeed, and I am offering my help and assistance wherever required as you learn from this course. You can drop your queries in the Q&A section of the course and I'll make sure they are responded to promptly.