
Is ADFS now dead?

For those of you keeping an eager eye on cybersecurity, NCSC published some new guidance for securing Office 365 earlier this year. This new guidance includes one significant change from Microsoft, which some may find a little controversial.

Microsoft now recommends that hybrid environments – i.e. those that use Active Directory Domain Services and Azure AD – should prefer native authentication against Azure AD rather than ADFS.

In Microsoft-speak this is ‘Seamless SSO with Password Hash Sync’, configured to use either per-user or Conditional Access MFA.

Password synchronisation with the cloud can feel like a scary thing to do, but in practice, organisations using Azure AD as their primary authentication source will lower their risk compared with ADFS.

This is because:

  • It’s the hashes of your password hashes that are sent to Azure AD, and not the reusable NTLM hashes commonly discussed in “pass the hash” attacks. This means that the credentials sent to Azure AD can’t be used to authenticate to any of your on-premises infrastructure that relies on Active Directory.
  • We are already relying on Azure AD to make the access control decisions that regulate who can see which data hosted in Office 365. So we already need to trust that it’s built and operated securely. Storing password hashes doesn’t change that security requirement.
  • The availability of Office 365 will no longer be affected by any outages or downtime suffered by your on-premise ADFS or Active Directory infrastructure.
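
The first point above can be shown in a few lines. This is an added sketch, not code from the original post or from Microsoft: it follows Microsoft's published description of password hash synchronisation (the 16-byte NT hash is expanded to 64 bytes, combined with a 10-byte per-user salt, and passed through 1,000 iterations of PBKDF2 with HMAC-SHA256). The function names, the sample hash and the upper-case hex step are assumptions made for this example.

```python
import hashlib
import os

PBKDF2_ITERATIONS = 1000  # from Microsoft's public description of password hash sync
SALT_LEN = 10             # per-user salt length, same source
NT_HASH_LEN = 16          # size of the MD4-based NT hash held in Active Directory


def expand_nt_hash(nt_hash: bytes) -> bytes:
    """Turn the 16-byte NT hash into a 32-character hex string, then UTF-16 bytes (64 bytes)."""
    if len(nt_hash) != NT_HASH_LEN:
        raise ValueError("NT hash must be exactly 16 bytes")
    # Upper-case hex is an assumption of this sketch.
    return nt_hash.hex().upper().encode("utf-16-le")


def synced_hash(nt_hash: bytes, salt: bytes) -> bytes:
    """Derive the value that leaves the premises: PBKDF2-HMAC-SHA256 over the expanded hash."""
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly 10 bytes")
    return hashlib.pbkdf2_hmac(
        "sha256", expand_nt_hash(nt_hash), salt, PBKDF2_ITERATIONS, dklen=32
    )


# Constructed sample value, not a real credential.
SAMPLE_NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")


def demo() -> dict:
    """Derive the synced value twice with different per-user salts and compare."""
    first = synced_hash(SAMPLE_NT_HASH, os.urandom(SALT_LEN))
    second = synced_hash(SAMPLE_NT_HASH, os.urandom(SALT_LEN))
    return {
        "on_prem_nt_hash": SAMPLE_NT_HASH.hex(),
        "synced_value_1": first.hex(),
        "synced_value_2": second.hex(),
        # The same password yields unrelated values under different salts.
        "salts_change_output": first != second,
        # The derived value is not the 16-byte NT hash that NTLM accepts.
        "is_nt_hash": first == SAMPLE_NT_HASH,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The derived value is 32 bytes long and comes from a one-way function, so it cannot be presented to an on-premises domain controller in place of the NT hash.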

For those interested, the new Microsoft guidance can be found here:  It’s a brave new world out there!

8 Responses to “Is ADFS now dead?”

  • THANK YOU!!!

  • I need to thank you for this fantastic read!! I absolutely enjoyed every bit of
    it. I have got you book-marked to look at new
    things you post…

  • Thanks for the marvelous posting! I certainly enjoyed reading it, you may be a great author. I
    will be sure to bookmark your blog and may come back from now on.
    I want to encourage you to definitely continue your great writing, have a nice evening!

  • Hi! I just want to offer you a big thumbs up for your great info you’ve got
    right here on this post. I am coming back to your blog
    for more soon.

  • Hmm is anyone else experiencing problems with the pictures on this blog loading?
    I’m trying to determine if it’s a problem on my end or if it’s the blog.
    Any feedback would be greatly appreciated.

  • We’re a group of volunteers and starting a new scheme
    in our community. Your site provided us with valuable information to work on. You’ve done an impressive job and our entire
    community will be grateful to you.

  • Thank you for another wonderful article. The place else could anyone get that type of information in such an ideal
    means of writing? I have a presentation next week, and I’m on the
    look for such information.

  • I’m extremely impressed with your writing skills and also
    with the layout on your blog. Is this a paid theme or did you customize it yourself?
    Either way keep up the nice quality writing, it’s rare
    to see a nice blog like this one nowadays.
