So, another TP version for Windows Server was released recently, and here’s a short list of what’s changed in the AD FS role. This time we don’t seem to have any major changes, which hopefully means we are now getting very close to the final release.
We’re up to 170 PowerShell cmdlets (with 6 newly added), plus one new claim added (but an important one, “Primary refresh token”, http://schemas.microsoft.com/2015/09/prt), and no new endpoints. There are no new changes in the node labels, but we have some emphasis on the help content (mainly links to Azure articles). The only other GUI change I noticed is the ‘removal’ of Azure MFA from the list of available authentication methods under the node with the same name. I put removal in quotes here, as the method is still available but we now get a detailed explanation on how to enable it. It’s simple enough – we need to run the cmdlet and restart the AD FS service:
PS C:\> Set-AdfsAzureMfaTenant
cmdlet Set-AdfsAzureMfaTenant at command pipeline position 1
Supply values for the following parameters:
TenantId: daf6c46d-ca4d-4635-b7b0-6250358927d3
WARNING: PS0177: The authentication provider configuration data was successfully updated. Before your changes take effect, you must restart the AD FS Windows Service on each server in the farm.
PS C:\> Restart-Service adfssrv
WARNING: Waiting for service 'Active Directory Federation Services (adfssrv)' to stop...
WARNING: Waiting for service 'Active Directory Federation Services (adfssrv)' to stop...
WARNING: Waiting for service 'Active Directory Federation Services (adfssrv)' to stop...
WARNING: Waiting for service 'Active Directory Federation Services (adfssrv)' to stop...
PS C:\> Get-AdfsAzureMfaConfigured
True
After we have run the above, Azure MFA will appear as a choice for both Internal and External Primary authentication.
Here are the new PowerShell cmdlets:
Add-AdfsClaimsProviderTrustsGroup
Add-AdfsRelyingPartyTrustsGroup
Get-AdfsClaimsProviderTrustsGroup
Get-AdfsRelyingPartyTrustsGroup
Remove-AdfsClaimsProviderTrustsGroup
Remove-AdfsRelyingPartyTrustsGroup
They all deal with the notion of RPT/CPT groups, which can only be managed via PowerShell at the moment. You can import the data either via an XML file or a URI, and you can configure all the relevant rules and ACPs.
There are also two new properties for Get/Set-AdfsProperties, here are their names and default values:
BrowserSsoEnabled : True
BrowserSsoSupportedUserAgents : {Windows NT 1, Windows Phone 1}
Here are also links to what’s new in TP2 and TP3, and a link to the general “What’s New in Windows Server 2016 Technical Preview 4” article on TechNet.