Support
 
Phone Get Quote
 
Support
 
US: +1 888 720 9500
US: +1 888 791 1189
Intl: +1 925 924 9500
Aus: +1 800 631 268
UK: 0800 028 6590
CN: +86 400 660 8680

Direct Inward Dialing: +1 408 916 9892

 

How to Deploy ADFS in Azure

Active Directory Federation Services (AD FS) help Azure AD users to seamlessly and securely authenticate themselves into various applications with Web Single Sign-on. They only need to sign-in once with their on-premises credentials to sign in to all the applications on Azure as well. AD FS and Azure make a powerful combination Azure ensures that the authentication servers do not experience any downtime,are always available and they are easy to scale. ADFS also enhances the security of the authentication process in Azure.

Download for Free
Free, fully functional 30-day trial
Follow these steps to deploy AD FS in Azure:

Note:If you have fewer than a thousand users, you can simply install AD FS as a role in a domain controller. If you have more than thousand users, then the on-premises AD FS system will need a separate server.

  • Step 1: Creating Sub-networks
  • On the Azure portal, navigate to Create a resource >Networking >Virtual Network > Create Virtual Network Create a new virtual network and divide it into two sub-networks. This will divide the network into an interior sub-network and a Demilitarized Zone (DMZ), which will be used to deploy Web Application Proxy (WAP) servers. The WAP servers help users sign in using AD FS even while being off the company network.

  • Each of these sub-networks need a Network Security Group (NSG) associated with them. Navigate to Create a resource > Networking > Network Security Group.In the Create Network Security Group window, specify the subscription, Resource group, name and region. Select the Create tab.If you see a notification that says Validation Passed, then click onCreate.

    After this is done, search for Network Interfaces in the Search tab at the top of the Azure portal. And then, click on the Sub-network that you want to assign the Newly created NSG to.Navigate to Settings >Network Security Group > Edit and then select relevant NSG. The NSG will contain Access Control Lists that will regulate and filter the traffic flow in the network.

  • Step 2: Establishing a connection to the on-premises network
  • Azure offers three kinds of connections to the on-premises network:

    1. Point-to-site (P2S):This establishes a VPN network, between a single on-premises AD FS server and the Azure network.It uses certificates to authenticate the server.If the AD FS server goes down, the connection has to be re-established.
    2. Virtual Network Site-to-site (S2S): This creates a more persistent connection between multiple on-premises servers and the Azure network.
    3. ExpressRoute: This is the most secure option among the three.This is a private connection enabled where the data does not traverse over the public internet.
  • You can choose the type of connectivity you need based on the needs of your organization.

  • Step 3: Creating Storage Accounts
  • On Azure, create two storage accounts by clicking All Services on the top-left of the portal and look for Storage Accounts or type Storage Accounts to find it.You would need to Link the storage account to the resource group that is created in the next step.

  • Step 4: Creating a resource group
  • A resource group acts as a container for all the resources connected to a service. In this case, create a resource group to house all the resources connected to AD FS. Use the following cmdlet on Azure PowerShell to create a resource group:

    1. New-AzResourceGroup
    2. Name NewResourceGroup
    3. Location PreferredLocation
  • Step 5: Creating availability sets and deploy Virtual Machines (VMs)
  • Create availability sets which will group two VMs each. The two machines will cater to the high availability requirement of the enterprises. To create availability sets, use the following cmdlet on Azure PowerShell:

    1. New-AzAvailabilitySet
    2. Location "PreferredLocation"
    3. Name "myAvailabilitySet"
    4. ResourceGroupName "NewResourceGroup"
    5. Sku aligned
    6. PlatformFaultDomainCount 2
    7. PlatformUpdateDomainCount 2
  • Then, create and deploy four VMs - two for DC/ADFS role and two for the WAP role. Use the New-AzVm cmdlet on Azure PowerShell to create new VMs in the availability set.

  • Step 6: Configuring AD FS role
  • Make replicas of the on-premises domain controller on the two VMs assigned to DC roles.

  • Configure AD FS on both of them.

  • Step 7: Configuring the Internal Load Balancer (ILB)
  • On the left upper side of Azure portal, click on Create a resource and navigate to Networking >Load Balancer, and click on the plus sign. Assign the Load Balancer to the virtual sub-network associated with AD FS because it will be used to manage the requests between the AD FS servers and the client machine.

  • Configure the ILB backend pools. Select the Load Balancer and navigate to Settings >Backend Pools > Add. The Load Balancer uses a backend pool of IP addresses of the virtual networks interfaces associated with it. This is used to distribute the requests across the two VMs.

  • Update the ILB in the DNS server

  • Step 8: Configuring the Web Access Proxy server
  • Install WAP on the virtual machines set up for WAP.

  • Step 9: Configuring the external-facing load balancing
  • On the left upper side of Azure portal, click on Create a resource and navigate to Networking > Load Balancer and click on the plus sign. Select the Scheme as Public, so that this Load Balancer has a public IP.

  • Update the DNS server with this Public IP.

  • Configure the backend pool as detailed in Step 6.

  •  

    ADFS has now been configured on your Azure AD.

    ADAudit Plus, a real-time Active Directory auditing and reporting tool, can help you perform Azure AD auditing. It contains numerous reports on logons, user management and so on, which can help audit and troubleshoot Azure AD and the services connected to it. It can generate comprehensive and user-friendly reports in no time at all.

Request 1-on-1 demo

  •  
  •  
  •  
  •  
  •  
  • -Select-
  • By clicking 'Submit' you agree to processing of personal data according to the Privacy Policy.

Thanks

One of our solution experts will get in touch with you shortly.

ADAudit Plus Trusted By