• Active Directory Domain Services - Active Directory Federation Services

    As we move forward in a cloud-focused world, being able to control your identity is becoming more
    important. We need to think about how we can use our corporate identity to access applications that
    we don’t technically own anymore. We also need to think about how we provide access to applications we own to other organizations in a secure and controlled manner without having a
    cumbersome user-management process.

    Active Directory Federation Services (AD FS) provides this ability so that you can connect to applications that are on-premises or in the cloud (Platform as a Service [PaaS] or SaaS) with your
    corporate identity.

    AD FS has been around for quite a while (since AD FS 2.0), and with Windows Server 2016, there are further enhancements to the technology to ensure that it meets the next level of demands from organizations in the cloud world. Here are some of the key improvement areas for AD FS:

    • Multifactor authentication
    Windows Server 2016 contains a built-in Azure MFA adapter to simplify the process of using Azure MFA as the primary provider for authentication. There is no longer a need to deploy an on-premises MFA server.

    • Device registration for hybrid conditional access
    You can now configure AD FS to recognize the device status. This means that you can manage the device and apply policies as necessary. This will ensure that the device stays compliant with corporate policy and reduce potential risks to corporate resources.

    • Windows 10 and Microsoft Passport integration
    Microsoft Passport and AD FS have been designed to integrate to provide a more seamless authentication experience for Windows 10 users.

    • Lightweight Directory Access Protocol (LDAP) integration to secure non-AD directories
    Many organizations don’t rely on Active Directory for their identities. When this is the case, AD FS
    will integrate with LDAP v3–compliant directories. This allows further integration into the cloud
    using those identity providers, with the same enterprise experience as when using Active Directory.
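    The configuration that the LDAP integration above describes, as an added example (it is not code from the page or from Microsoft's documentation): an LDAP v3 directory is registered in AD FS 2016 as a local claims provider trust using the AD FS PowerShell cmdlets. The host name, port, user container, account suffix, attribute names and the bind credential are assumptions to be replaced with your directory's values.

```powershell
# Added example (not from the page or Microsoft's documentation): register an LDAP v3 directory
# as a local claims provider trust in AD FS 2016. Host name, port, container, suffix and the
# service-account credential are assumptions; substitute your directory's values.

# Read-only service account for the directory bind (least privilege: no write rights are needed)
$bindCred = Get-Credential -Message "LDAP bind account (read-only)"

# Use LDAPS (SslMode Ssl on 636) so the Basic bind credential never crosses the wire in clear text
$ldapConn = New-AdfsLdapServerConnection -HostName "ldap.example.com" -Port 636 `
    -SslMode Ssl -AuthenticationMethod Basic -Credential $bindCred

# Map directory attributes to the claim types AD FS will issue for these users
$mailMap = New-AdfsLdapAttributeMapping -LdapAttribute "mail" `
    -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$nameMap = New-AdfsLdapAttributeMapping -LdapAttribute "displayName" `
    -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"

# Create the trust; users sign in as someone@partner.example.com and the suffix routes them
# to this directory instead of to Active Directory
Add-AdfsLocalClaimsProviderTrust -Name "Partner LDAP" -Identifier "urn:partner-ldap" -Type Ldap `
    -LdapServerConnection $ldapConn `
    -UserObjectClass inetOrgPerson `
    -UserContainer "ou=People,dc=example,dc=com" `
    -LdapAuthenticationMethod Basic `
    -AnchorClaimLdapAttribute "mail" `
    -AnchorClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -LdapAttributeToClaimMapping @($mailMap, $nameMap) `
    -AcceptanceTransformRules "c:[] => issue(claim=c);" `
    -OrganizationalAccountSuffix "partner.example.com" `
    -Enabled $true

# Read back what AD FS recorded for the new trust
Get-AdfsLocalClaimsProviderTrust -Name "Partner LDAP" |
    Select-Object Name, Identifier, OrganizationalAccountSuffix, Enabled
```

    The acceptance transform rule passes every claim the directory produced straight through; in a real deployment you would narrow it to the claim types the relying parties actually need. The Basic bind method sends the service account's password to the directory on each authentication, which is why the connection is created over SSL rather than `-SslMode None`.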

    • Auditing improvements
    Auditing in AD FS has been quite complicated in the past, with lots of verbose information that is
    difficult to track. In Windows Server 2016, Microsoft has streamlined auditing to provide
    a more consistent auditing experience and easier methods to trace through the logs.
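    An added example of working with the streamlined auditing described above (not code from the page): it sets the audit level AD FS 2016 introduced, enables the audit-policy subcategory AD FS writes through, and then reads the sign-in failure events back out of the Security log. The one-hour window and the export path are assumptions; the event IDs are the ones Microsoft documents for the "AD FS Auditing" provider, and you should confirm them against your own Security log before building alerts on them.

```powershell
# Added example (not from the page): enable AD FS 2016 auditing and read back failed sign-ins.
# Run on an AD FS server as an administrator; the time window and output path are assumptions.

# Windows Server 2016 adds audit levels: None, Basic (the 2016 default) and Verbose.
# Basic gives a small number of events per request; Verbose restores the pre-2016 detail.
Set-AdfsProperties -AuditLevel Verbose

# AD FS writes audits to the Security log via the "Application Generated" subcategory,
# which must be enabled in the local audit policy on every farm node.
auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable

# Sign-in audit events of the "AD FS Auditing" provider: 1200 token issued,
# 1201 token issuance failed, 1202 credential validated, 1203 credential validation failed.
$filter = @{
    LogName      = 'Security'
    ProviderName = 'AD FS Auditing'
    Id           = @(1201, 1203)
    StartTime    = (Get-Date).AddHours(-1)
}
$failures = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Summarise failures by ID so a sudden rise in 1203s (bad credentials against many accounts)
# stands out, then export the detail for the SOC.
$failures | Group-Object Id | Select-Object Name, Count
$failures | Select-Object TimeCreated, Id, Message |
    Export-Csv -Path "C:\Temp\adfs-signin-failures.csv" -NoTypeInformation
```

    `Set-AdfsProperties` applies to the whole farm, but `auditpol.exe` is per server, so the second step has to be repeated on every node (and on Web Application Proxy servers if you audit there too).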

    • SAML 2.0 improvements
    SAML support has been improved in Windows Server 2016 with the inclusion of importing trusts
    based on metadata that contains multiple entities. With this support, you can configure AD FS to
    participate in confederations such as InCommon Federations as well as other implementations
    conforming to eGov 2.0.

    • Customized sign-in experience
    In Windows Server 2016 you can customize messages, images, logos, and themes on a per-application
    basis, making it possible for multiple organizations to share one deployment rather than
    run several to suit the individual units. You can extend these customizations on a per–relying party
    basis, as well.

    • Simplified password management for federated Office 365 users
    AD FS can now send password expiry claims to relying party trusts. The application users will be
    notified of their expiring passwords and then have the ability to take action and change their
    passwords.

    • Configure access control policies without knowing the claim rules language
    In Windows Server 2016, there are new access control policy templates that ease the
    configuration of claims rules. These templates bring a simple UI-driven process to quickly and
    securely create claims rules for the organization.
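    The same templates can be applied from PowerShell, which is handy when you manage many relying parties; the following is an added example, not code from the page, and the relying party names and the group name are assumptions.

```powershell
# Added example (not from the page): apply AD FS 2016 access control policy templates to a
# relying party trust instead of hand-writing issuance authorization rules.
# The relying party names and the group name are assumptions.

# List the built-in templates shipped with Windows Server 2016
Get-AdfsAccessControlPolicy | Select-Object Name, Identifier

# Require MFA only when the request arrives through the Web Application Proxy (extranet)
Set-AdfsRelyingPartyTrust -TargetName "Claims App" `
    -AccessControlPolicyName "Permit everyone and require MFA from extranet access"

# Templates with a parameter (here the group) take their value from -AccessControlPolicyParameters
Set-AdfsRelyingPartyTrust -TargetName "Payroll App" `
    -AccessControlPolicyName "Permit specific group" `
    -AccessControlPolicyParameters @{ GroupParameter = @("CONTOSO\Payroll Users") }

# AD FS derives the issuance authorization rules from the policy; read them back to confirm
# what will actually be evaluated at sign-in
Get-AdfsRelyingPartyTrust -Name "Payroll App" |
    Select-Object Name, AccessControlPolicyName, IssuanceAuthorizationRules
```

    Reading back `IssuanceAuthorizationRules` is the useful check: it shows the claim rules the template generated, so an administrator who never learned the rules language can still see, and have a reviewer verify, exactly which conditions permit access.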

    • Migration from previous versions of AD FS
    The upgrade process for AD FS has been greatly simplified in Windows Server 2016. Now, all
    you need to do is install a Windows Server 2016 AD FS instance into an existing farm, verify the
    functionality, and then remove the previous versions. AD FS in Windows Server 2016 can “act” like
    a previous version of AD FS.
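    The upgrade path just described, as an added example (not code from the page): the PowerShell an administrator runs after installing the AD FS role on a Windows Server 2016 server and joining it to an existing Windows Internal Database farm. Host names are assumptions; the farm behavior level values are the ones AD FS reports (1 for Windows Server 2012 R2 behavior, 3 for Windows Server 2016 behavior).

```powershell
# Added example (not from the page): the in-place farm upgrade the text describes, as the
# PowerShell run after a Windows Server 2016 node has joined the existing (WID) farm.
# Host names are assumptions.

# 1. On the 2016 node: confirm it joined and note the current farm behavior level
#    (1 = Windows Server 2012 R2 behavior, 3 = Windows Server 2016 behavior)
Get-AdfsFarmInformation | Select-Object CurrentFarmBehavior, FarmNodes

# 2. Verify functionality: sign in to an application through the new node before moving any role.
#    Then promote the 2016 node to primary (run on the 2016 node) ...
Set-AdfsSyncProperties -Role PrimaryComputer

# ... and point each remaining 2012 R2 node at it (run on each old node)
Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName "adfs2016.example.com"

# 3. Once the old nodes are out of the load balancer and uninstalled, drop them from the farm record
Set-AdfsFarmInformation -RemoveNode "adfs2012r2-01.example.com"

# 4. Raise the farm behavior level (run on the primary node as a domain administrator, since AD
#    objects are updated). Test first; the raise is the point at which AD FS stops "acting" like
#    the previous version, so it belongs last, after everything else has been verified.
Test-AdfsFarmBehaviorLevelRaise
Invoke-AdfsFarmBehaviorLevelRaise
Get-AdfsFarmInformation | Select-Object CurrentFarmBehavior
```

    Until step 4 the farm keeps running at the 2012 R2 behavior level, which is what lets the mixed farm work while you validate the new node; none of the 2016-only features listed on this page are available until the level has been raised.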

    Source of information: Microsoft, Introduction Windows Server 2016

