With organizations increasingly moving from on-premises to cloud-based solutions, the process we use to handle identity and access management is changing as well. Our legacy single sign-on access tools are not robust enough for the current environment of remote workers and multiple devices. If you haven’t moved already, now is the time to migrate from Active Directory Federation Services (ADFS) to Azure Active Directory (Azure AD).
ADFS is the legacy on-premises single sign-on identity service that allows sharing of identity information outside an organization’s network. ADFS is installed on Windows Server to provide users with single sign-on access to different systems and applications across organizational boundaries. ADFS uses claims-based access-control to authenticate based on a set of claims about identity (SAML and OUATH being the most common), which are contained in a secure token supplied by the identity provider.
In our current distributed, cloud-based world, ADFS has limitations; the largest being the need for ADFS to have real-time access to your identity servers. Your servers may be hosted in your on-premises data center or cloud-based such as Azure or AWS, but if they become inaccessible then ADFS is unavailable. Other limitations of legacy ADFS include:
- ADFS does not allow access to shared files, print servers or other AD resources.
- ADFS is designed for on-premises environments where it authenticates only against AD. ADFS can’t authenticate through the Azure infrastructure.
- ADFS requires AD domain accounts.
- ADFS requires routine certificate maintenance and a multi-server architecture for redundancy.
- Restricting access for certain groups can be challenging with ADFS.
- ADFS requires on-premises/customer managed servers to be exposed to the internet.
To address the limitations of ADFS, Microsoft built the ADFS functionality (claims-based authentication) natively into Azure AD.
Azure AD provides organizations with an identity solution for both on-premises and cloud-based apps and allows legacy applications incapable of modern authentication methods to also run in the cloud. Using a single identity, users can access both external resources (such as Office 365) and internal resources including legacy in-house apps. Azure AD allows users to access these applications and collaborate from any platform and any device.
Azure AD also provides a full complement of identity management, auditing, registration, MFA and self-service password management tools that can be leveraged for all your services.
If your organization is still relying on ADFS, Threadfin strongly recommends that you move to Azure AD.
Customers that have made this move realize:
- Monetary savings: you’ll only need a single source of Identity Access Management (IAM), and Azure AD is included in your Microsoft 365 license
- Increased productivity: your users will experience streamlined and consistent authentication procedures internally and externally
- Reduced administrative overhead: you’ll only need to manage a single identity for both cloud and on-prem, admins can take advantage of automated provisioning of user accounts and the need to maintain a redundant, multi-server ADFS architecture is eliminated
- Increased security: Azure AD gives you the ability to manage and control the apps your organization is using, as well as data contained in those apps
- Reduced risk and exposure: customer managed servers will no longer be exposed to the public internet
Migrating from ADFS to Azure AD is an important step in your cloud migration journey. Threadfin has developed a proven five-step process to move your organization quickly and seamlessly to Azure AD. Contact us today to share the success!
