What’s new in AD FS in Windows Server TP4

So, another TP version of Windows Server was released recently, and here is a short list of what has changed in the AD FS role. This time there don't seem to be any major changes, which hopefully means we are now getting very close to the final release.

We're up to 170 PowerShell cmdlets (6 newly added), plus one new claim (an important one: "Primary refresh token", http://schemas.microsoft.com/2015/09/prt) and no new endpoints. There are no changes to the node labels, but there is some added emphasis on the help content (mainly links to Azure articles). The only other GUI change I noticed is the 'removal' of Azure MFA from the list of available authentication methods under the node of the same name. I put removal in quotes, as the method is still available, but we now get a detailed explanation of how to enable it. It's simple enough: run the Set-AdfsAzureMfaTenant cmdlet shown below and restart the AD FS service:

PS C:\> Set-AdfsAzureMfaTenant
cmdlet Set-AdfsAzureMfaTenant at command pipeline position 1
Supply values for the following parameters:
TenantId: daf6c46d-ca4d-4635-b7b0-6250358927d3
WARNING: PS0177: The authentication provider configuration data was successfully updated.  Before your changes take effect, you must restart the AD FS Windows Service on each server in the farm.

PS C:\> Restart-Service adfssrv
WARNING: Waiting for service 'Active Directory Federation Services (adfssrv)' to stop...
WARNING: Waiting for service 'Active Directory Federation Services (adfssrv)' to stop...
WARNING: Waiting for service 'Active Directory Federation Services (adfssrv)' to stop...
WARNING: Waiting for service 'Active Directory Federation Services (adfssrv)' to stop...

PS C:\> Get-AdfsAzureMfaConfigured
True

After we have run the above, Azure MFA will appear as a choice for both Internal and External Primary authentication.
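The same enablement as a repeatable script, added here as an example (not code from the original post). It runs the cmdlet non-interactively, restarts adfssrv on every farm node as the PS0177 warning requires, and then verifies the result; $FarmNodes, the tenant id value and the provider name 'AzureMfaAuthentication' are assumptions.

```powershell
# Added example: enable Azure MFA for AD FS and verify it across the farm.
# Assumptions: $FarmNodes lists every AD FS server (remoting must be allowed),
# the tenant id below is a constructed placeholder, and 'AzureMfaAuthentication'
# is the provider name AD FS reports for Azure MFA.
param(
    [Parameter(Mandatory)] [string] $TenantId,                 # e.g. '<your-tenant-id>'
    [string[]] $FarmNodes = @($env:COMPUTERNAME)               # assumed farm member list
)

# 1. Register the tenant (the post runs this cmdlet interactively).
Set-AdfsAzureMfaTenant -TenantId $TenantId

# 2. The change only takes effect after adfssrv restarts on each node in the farm.
foreach ($node in $FarmNodes) {
    if ($node -ieq $env:COMPUTERNAME) {
        Restart-Service -Name adfssrv -ErrorAction Stop
        $status = (Get-Service -Name adfssrv).Status
    } else {
        $status = Invoke-Command -ComputerName $node -ScriptBlock {
            Restart-Service -Name adfssrv -ErrorAction Stop
            (Get-Service -Name adfssrv).Status
        }
    }
    "{0}: adfssrv is {1}" -f $node, $status
}

# 3. Verify the tenant registration (the post expects 'True' here).
if (-not (Get-AdfsAzureMfaConfigured)) {
    throw 'Azure MFA tenant is not configured; check the tenant id and retry.'
}

# 4. Show which primary providers are active for intranet and extranet, so the
#    operator can confirm Azure MFA is now selectable (or already selected).
$policy = Get-AdfsGlobalAuthenticationPolicy
"Primary intranet providers: " + ($policy.PrimaryIntranetAuthenticationProvider -join ', ')
"Primary extranet providers: " + ($policy.PrimaryExtranetAuthenticationProvider -join ', ')
if ($policy.PrimaryIntranetAuthenticationProvider -notcontains 'AzureMfaAuthentication') {
    "Note: Azure MFA is available but not yet selected as an intranet primary method."
}
```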

Here are the new PowerShell cmdlets:

Add-AdfsClaimsProviderTrustsGroup
Add-AdfsRelyingPartyTrustsGroup
Get-AdfsClaimsProviderTrustsGroup
Get-AdfsRelyingPartyTrustsGroup
Remove-AdfsClaimsProviderTrustsGroup
Remove-AdfsRelyingPartyTrustsGroup

They all deal with the notion of RPT/CPT (relying party trust / claims provider trust) groups, which at the moment can be managed only via PowerShell. You can import the data from either an XML file or a URI, and you can configure all the relevant rules and ACPs (access control policies).

There are also two new properties on Get/Set-AdfsProperties; here are their names and default values:

BrowserSsoEnabled                          : True
BrowserSsoSupportedUserAgents              : {Windows NT 1, Windows Phone 1}

There are also links to what's new in TP2 and TP3, and a link to the general "What's New in Windows Server 2016 Technical Preview 4" article on TechNet.
