Mix ADFS and Azure AD for authentication

Question

Hi We use ADFS 3.0 for O365 and some 3rd party web / apps. Now we're implementing a new website. My original idea was to just add it to our ADFS but now the project has decided that it need 2FA. In the future I see all our apps authenticate in Azure AD but I can't move them right now. There fore I'd prefer to keep current apps in ADFS but add the new app to Azure AD with PTA and MFA. Can I some how use Azure AD for authentication on my new app and still authenticate O365 in ADFS? //Johan

Answer 1

@JFH Yes, you can do that. If you have O365 federated with ADFS and you federate an application with Azure AD, the authentication flow would be:

1. User accesses the application which is federated to Azure AD.
2. Application will redirect to Azure AD authentication endpoint (https://login.microsoftonline.com) for authentication.
3. User will be prompted for credentials.
4. Based on the UPN suffix (If the domain is federated with ADFS), user will be redirected to ADFS.
5. ADFS will authenticate the user and issue a WS-Fed token to Azure AD.
6. Azure AD will receive the token and issue a SAML token to the application.
7. User will finally get access to application.

-----------------------------------------------------------------------------------------------------------

Please "accept as answer" or "vote as helpful" wherever the information provided helps you to help others in the community.

Answer 2

Both federation and PTA are domain-wide features, so they generally apply to all users. There's however a preview of the so-called "staged rollout" feature, which allows you to switch just some users from federation to other auth types. Read here: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-staged-rollout