AD FS Operations

• Applies to:

  ✅ Windows Server 2025, ✅ Windows Server 2022, ✅ Windows Server 2019, ✅ Windows Server 2016

Important

Instead of upgrading to the latest version of AD FS, Microsoft highly recommends migrating to Microsoft Entra ID. For more information, see Resources for decommissioning AD FS

This document contains a list of all of the documentation operations for AD FS.

Service Configuration

• Update SSL Certificates in AD FS and WAP 2016
• AD FS Rapid Restore Tool
• Configure alternate hostname binding for certificate authentication in AD FS
• Add an Attribute Store
• Customize HTTP security response headers with AD FS 2019
• Delegate AD FS Powershell Commandlet Access to Non-Admin Users
• Fine tune SQL and address latency
• AlwaysOn Availability Groups
• What is KDFv2?

Authentication Configuration

Strong Authentication (MFA) & Password-less

• Configure External Authentication providers as primary in AD FS (2019 or later)
• Configure AD FS (2016 or later) and Azure MFA
• Configure Additional Authentication Methods for AD FS

Lockout protection

• Configure AD FS Extranet Soft Lockout Protection
• Configure AD FS Extranet Smart Lockout Protection
• Configure AD FS Extranet Banned IPs

Policy Configuration

• Configure Authentication Policies
• Configuring Alternate Login ID
• Configure Microsoft Entra prompt login behavior to work with AD FS policy

Kerberos & Certificate authentication

• Enable AD DS claims & kerberos compound authentication in AD FS
• Configure AD FS for User Certificate Authentication
• Configure alternate hostname binding for certificate authentication in AD FS

Device

• Device Authentication Controls in AD FS

Authorization Configuration

• Configure Access Control Policies in AD FS
• Configure Device-based Conditional Access on-Premises

RPT & CPT configuration

• Configure AD FS to authenticate users stored in LDAP directories
• Configure Claim Rules
• Create a Claims Provider Trust
• Create a Non-Claims Aware Relying Party Trust
• Create a Relying Party Trust
• Configure AD FS to work with Aggregated federation provider (e.g. InCommon)

Sign-in Experience Configuration

• Configure AD FS 2016 Single Sign On Settings
• Configure AD FS Paginated sign-in
• Configure AD FS user sign-in customization
• Configure AD FS to Send Password Expiry Claims
• Configure intranet forms-based authentication for devices that do not support WIA

Other

• Join to Workplace from Any Device for SSO and Seamless Second Factor Authentication Across Company Applications
• Manage Risk with Additional Multi-Factor Authentication for Sensitive Applications
• Manage Risk with Conditional Access Control
• Set up an AD FS lab environment
• Walkthrough Guide: Manage Risk with Additional Multi-Factor Authentication for Sensitive Applications
• Walkthrough Guide: Manage Risk with Conditional Access Control
• Walkthrough: Workplace Join with a Windows Device
• Walkthrough: Workplace Join with an iOS Device