New Features in AD FS for Server 2016

One of the most complex parts of an Office 365 migration is the identity and authentication piece. If you can get the AD FS and directory sync parts right, most of the rest of your migration is going to be fairly straightforward.

As we approach the release of Server 2016, we can also look forward to a new version of AD FS. With the release of this new version of AD FS, we can expect some new features. It’s still early, as I expect Server 2016 to be released in early calendar year 2016, but let’s look at three new features for this version of AD FS.

The new features we're looking at today are:

  • Authentication from LDAP v3 directories
  • Improved AD FS farm upgrade process
  • Improved access control policies

Authentication from LDAP v3 directories means that organizations using non-Active Directory directory solutions will be able to use AD FS for authentication into Office 365. Hopefully this will make migrations from GroupWise and other mail platforms into Office 365 easier. Support for syncing accounts from these LDAP v3 directories will be available via Azure AD Connect in the future (no word at this time on specific dates the sync service will be available).

The AD FS farm upgrade process for AD FS in Server 2016 has been greatly improved. There really was not a way to upgrade an AD FS 2.1 farm to AD FS 3.0. You had to build a whole new farm with the new version of AD FS and replace the existing AD FS 2.1 farm. With the new version of AD FS, upgrading AD FS will be very similar to upgrading domain controllers. The process is to build new AD FS servers and join them to your existing AD FS 3.0 farm. Once you have enough of the new AD FS servers to meet your HA requirements, you simply remove the old AD FS 3.0 servers and raise the functional level of your AD FS farm.
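As an added example (not from the original post, which predates the release), here is the mixed-farm upgrade path described above written against the AD FS cmdlets that shipped with Windows Server 2016, for a WID farm. Server names, the certificate thumbprint, the gMSA and the per-node `BehaviorLevel` property check are assumptions and placeholders, not values from the post.

```powershell
# Added example, not code from the original post. Placeholders below are constructed.
param(
    [string]$OldPrimary       = 'adfs-2012r2-01.contoso.local',   # existing AD FS 3.0 primary (placeholder)
    [string]$NewPrimary       = 'adfs-2016-01.contoso.local',     # first Server 2016 node (placeholder)
    [string[]]$NewSecondaries = @('adfs-2016-02.contoso.local'),  # remaining 2016 nodes (placeholder)
    [string]$CertThumbprint   = '<service-communication-cert-thumbprint>',
    [string]$Gmsa             = 'CONTOSO\gmsa-adfs$',             # placeholder gMSA
    [int]$MinNodes            = 2                                 # HA requirement before old nodes go
)

# Step 1 (run on each new Server 2016 box): install the role and join the EXISTING 3.0 farm.
# The farm keeps running at the 2012 R2 behaviour level while it is mixed.
Install-WindowsFeature ADFS-Federation -IncludeManagementTools
Add-AdfsFarmNode -PrimaryComputerName $OldPrimary `
                 -CertificateThumbprint $CertThumbprint `
                 -GroupServiceAccountIdentifier $Gmsa

# Step 2: do not touch the old servers until enough 2016 nodes are in the farm.
# Assumes Get-AdfsFarmInformation reports a per-node BehaviorLevel (2 or higher = Server 2016).
$farm    = Get-AdfsFarmInformation
$new2016 = @($farm.FarmNodes | Where-Object { $_.BehaviorLevel -ge 2 })
if ($new2016.Count -lt $MinNodes) {
    throw "Only $($new2016.Count) Server 2016 node(s) in the farm; need $MinNodes before removing AD FS 3.0 servers."
}

# Step 3: move the WID primary role onto a 2016 node, then point the other 2016 nodes at it.
Invoke-Command -ComputerName $NewPrimary -ScriptBlock { Set-AdfsSyncProperties -Role PrimaryComputer }
foreach ($s in $NewSecondaries) {
    Invoke-Command -ComputerName $s -ScriptBlock {
        Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName $using:NewPrimary
    }
}

# Step 4: retire the 2012 R2 servers (pull them from the load balancer first), then raise the level.
Invoke-Command -ComputerName $OldPrimary -ScriptBlock { Uninstall-WindowsFeature ADFS-Federation }
Test-AdfsFarmBehaviorLevelRaise     # review: every remaining node must be Server 2016
Invoke-AdfsFarmBehaviorLevelRaise   # one-way, like raising an AD functional level
```

Run steps 2 to 4 from one of the new Server 2016 nodes; the raise is irreversible, so the `Test-` cmdlet output is the last checkpoint before committing the farm.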

Access control policies in the new version of AD FS have similarly taken a page from Active Directory. The new version of AD FS has a GUI for creating and modifying access control policies that looks very similar to the GUI used to create and modify group policy objects in Active Directory. Using claims rules with AD FS 3.0 can be pretty complex, so the hope is that this change will allow organizations to exercise more control over a variety of authentication scenarios.

As we get closer to the release of Server 2016, I will take a more complete look at the improvements in the new version of AD FS. In the meantime, you can see more detail on the new features listed above in this session from Ignite.