Top new features when running ADFS on top of Windows Server 2012 R2

1. Extranet Account Lockout Policy

With this feature you can enable “soft lockout” at the WAP (Web Application Proxy): when configured, WAP locks the account after a set number of failed logon attempts, while the on-premises Active Directory account itself is not locked out.

ExtranetLockoutEnabled – Can be configured true or false. When enabled, “Extranet Lockout” is turned on.
ExtranetLockoutThreshold – The number of failed logins to permit before locking the user out. ExtranetLockoutThreshold must be configured lower than the AD DS account lockout threshold; otherwise the AD DS account would still be locked out.
ExtranetObservationWindow – This setting defines how long AD FS will lock a user out for after the failed logins.

How to enable:

  • Install Hotfix 2971171
  • Set-AdfsProperties -EnableExtranetLockout $true -ExtranetLockoutThreshold 5 -ExtranetObservationWindow (New-TimeSpan -Minutes 30)

Verify:

Get-AdfsProperties | fl *extranet*

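The threshold rule above is easy to get wrong when the AD DS policy is changed later. The following script is an added example (not part of the original post) that reads the AD FS extranet settings and the default domain password policy and reports whether ExtranetLockoutThreshold is actually lower than the AD DS lockout threshold. It assumes it runs on an AD FS server with the ADFS and ActiveDirectory PowerShell modules installed; fine-grained password policies (PSOs) are not evaluated.

```powershell
# Added example, not from the original post: check that the AD FS extranet
# lockout threshold is lower than the AD DS account lockout threshold.
# Assumes the ADFS and ActiveDirectory modules are available on this server.
Import-Module ADFS
Import-Module ActiveDirectory

function Test-AdfsExtranetLockoutPolicy {
    [CmdletBinding()]
    param()

    $adfs = Get-AdfsProperties                 # ExtranetLockout* properties
    $ad   = Get-ADDefaultDomainPasswordPolicy  # LockoutThreshold etc.

    $findings = @()

    if (-not $adfs.ExtranetLockoutEnabled) {
        $findings += 'Extranet lockout is disabled; failed attempts through WAP reach AD DS unthrottled.'
    }

    # In AD DS a LockoutThreshold of 0 means accounts never lock out.
    if ($ad.LockoutThreshold -eq 0) {
        $findings += 'AD DS account lockout is disabled (LockoutThreshold = 0); extranet lockout is the only brake.'
    }
    elseif ($adfs.ExtranetLockoutThreshold -ge $ad.LockoutThreshold) {
        $findings += ('ExtranetLockoutThreshold ({0}) is not lower than the AD DS LockoutThreshold ({1}); ' +
                      'the on-premises account will still be locked out.') -f
                      $adfs.ExtranetLockoutThreshold, $ad.LockoutThreshold
    }

    # Note: only requests that arrive via WAP are subject to extranet lockout;
    # this check does not evaluate fine-grained password policies (PSOs).
    [pscustomobject]@{
        ExtranetLockoutEnabled     = $adfs.ExtranetLockoutEnabled
        ExtranetLockoutThreshold   = $adfs.ExtranetLockoutThreshold
        ExtranetObservationWindow  = $adfs.ExtranetObservationWindow
        AdLockoutThreshold         = $ad.LockoutThreshold
        AdLockoutObservationWindow = $ad.LockoutObservationWindow
        Compliant                  = ($findings.Count -eq 0)
        Findings                   = $findings
    }
}

Test-AdfsExtranetLockoutPolicy | Format-List
```

Run it after any change to the domain lockout policy as well as after changing the AD FS properties, since either side can silently break the relationship.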

2. Enable Password Change interface on ADFS

When enabled, end users can change their passwords in the scenarios described below. One thing to mention: this is not a password reset feature. If that is what you have in mind, you need to implement the Azure AD Password Reset Service (SSPR), which is a feature of Azure AD Premium or Basic. The password change endpoint has been there for a while, but it was only available for Workplace Joined devices. Microsoft changed this behaviour and now it is available to any device.

Use cases from Microsoft:

Expired Password: User is accessing applications such as Office 365 and is logging onto ADFS using their expired password. At this time, ADFS will interrupt the login flow (when password change is enabled) and ask the user to change their password. Once they change their password, they are seamlessly taken back to the login page, enter their changed password and subsequently taken to the application that they were logging into.

User Must Set Password at next login: Many times when you have a new employee or when a password is reset through a password reset mechanism such as the SSPR feature in Azure AD, users need to change their passwords at the next login into AD.

Change Password when passwords are soon to expire: We targeted this case specifically for Office 365 applications where ADFS can notify Office apps that a password is set to expire within 14 days (not configurable) and notify the user, and now the user can just click on the change password link when this notification appears and can change their password via ADFS.

Change Password any time by directly going to the password change URL: This is simply a case where the user can bookmark the change password URL and just access this to change their password in AD.

How to enable:

  1. Install update 3035025
  2. Enable /adfs/portal/updatepassword
  3. Enable password expiry notification if you are using O365 and ADFS


Claim rule to add

———————————————————————————————————————————————————————

c1:[Type == "http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime"]

=> issue(store = "_PasswordExpiryStore", types = ("http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime", "http://schemas.microsoft.com/ws/2012/01/passwordexpirationdays", "http://schemas.microsoft.com/ws/2012/01/passwordchangeurl"), query = "{0};", param = c1.Value);

———————————————————————————————————————————————————————

Claims sent to AAD in the token are:

  • Password Expiration Time: This is the time when the user’s password will expire
  • Password Expiration Days: This is the number of days remaining prior to the password expiry
  • Password Change URL: This is the URL of the ADFS password change page

How to verify:


3. Configure AD FS to Send Password Expiry Claims

You can configure Active Directory Federation Services (AD FS) to send password expiry claims to the relying party trusts (applications) that are protected by ADFS. How these claims are used depends on the application. For example, with Office 365 as your relying party, updates have been implemented to Exchange and Outlook to notify federated users of their soon-to-be-expired passwords.

Claim rule to add to the ADFS relying party configuration:

c1:[Type == "http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime"] => issue(store = "_PasswordExpiryStore", types = ("http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime", "http://schemas.microsoft.com/ws/2012/01/passwordexpirationdays", "http://schemas.microsoft.com/ws/2012/01/passwordchangeurl"), query = "{0};", param = c1.Value);

More information from here