{
	"id": "79aa924b-1d8d-48cf-a0ee-574cc7fa49f8",
	"created_at": "2026-04-06T00:13:53.037157Z",
	"updated_at": "2026-04-10T13:12:36.588366Z",
	"deleted_at": null,
	"sha1_hash": "f9547b91a40af8341cdbe4ede3b217877cd02937",
	"title": "Active Directory Federation Services in Azure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1471082,
	"plain_text": "Active Directory Federation Services in Azure\r\nBy Justinha\r\nArchived: 2026-04-05 16:46:37 UTC\r\nActive Directory Federation Services (AD FS) provides simplified, secured identity federation and web single sign-on\r\n(SSO) capabilities. Users federated with Microsoft Entra ID or Microsoft 365 can authenticate using on-premises credentials\r\nto access all cloud resources. As a result, your deployment must have a highly available AD FS infrastructure to ensure\r\naccess to resources both on-premises and in the cloud.\r\nDeploying AD FS in Azure can help achieve high availability without too much effort. There are several advantages of\r\ndeploying AD FS in Azure:\r\nThe power of Azure availability sets gives you a highly available infrastructure.\r\nDeployments are easy to scale. If you need more performance, you can easily migrate to more powerful machines\r\nusing a simplified deployment process in Azure.\r\nAzure geo redundancy ensures your infrastructure is highly available across the globe.\r\nThe Azure portal makes your infrastructure easier to manage with highly simplified management options.\r\nDesign principles\r\nThe following diagram shows the recommended basic topology for deploying AD FS infrastructure in Azure.\r\nWe recommend your network topology follows these general principles:\r\nDeploy AD FS on separate servers to avoid affecting the performance of your domain controllers.\r\nYou must deploy web application proxy (WAP) servers so that users can reach the AD FS when they aren't on the\r\ncompany network.\r\nYou should set up the web application proxy servers in the demilitarized zone (DMZ) and only allow TCP/443 access\r\nbetween the DMZ and internal subnet.\r\nTo ensure high availability of AD FS and web application proxy servers, we recommend using an internal load\r\nbalancer for AD FS servers and Azure Load Balancer for web application proxy servers.\r\nTo provide redundancy to your AD FS deployment, we recommend that you 
group two or more virtual machines\r\n(VMs) in an availability set for similar workloads. This configuration ensures that during either a planned or\r\nunplanned maintenance event, at least one VM is available.\r\nhttps://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs\r\nPage 1 of 22\n\nYou should deploy web application proxy servers in a separate DMZ network. You can divide one virtual network\r\ninto two subnets and then deploy the web application proxy servers in an isolated subnet. You can configure the\r\nnetwork security group settings for each subnet and allow only required communication between the two subnets.\r\nDeploy the network\r\nWhen creating a network, you can either create two subnets in the same virtual network or create two different virtual\r\nnetworks. We recommend using the single-network approach, as creating two separate virtual networks also requires\r\ncreating two separate virtual network gateways for communication purposes.\r\nCreate a virtual network\r\nTo create a virtual network:\r\n1. Sign in to the Azure portal with your Azure account.\r\n2. In the portal, search for and select Virtual networks.\r\n3. On the Virtual networks page, select + Create.\r\n4. In Create virtual network, go to the Basics tab and configure the following settings:\r\nConfigure the following settings under Project details:\r\nFor Subscription, select the name of your subscription.\r\nFor Resource group, either select the name of an existing resource group or select Create new to\r\nmake a new one.\r\nConfigure the following settings for Instance details:\r\nFor Virtual network name, enter a name for your virtual network.\r\nFor Region, select the region you want to create your virtual network in.\r\n5. Select Next.\r\n6. In the Security tab, enable any security service you want to use, then select Next.\r\n7. On the IP addresses tab, select the name of the subnet you want to edit. 
For this example, we're editing the default\r\nsubnet that the service automatically creates.\r\n8. On the Edit subnet page, rename the subnet to INT.\r\n9. Enter the IP address and Subnet size information for your subnet to define an IP address space.\r\n10. For Network security group, select Create new.\r\n11. For this example, enter the name NSG_INT and select OK, then select Save. You now have your first subnet.\r\n12. To create your second subnet, select + Add a subnet.\r\n13. On the Add a subnet page, enter DMZ for the second subnet name, then enter information about your subnet into\r\nthe empty fields to define an IP address space.\r\n14. For Network security group, select Create new.\r\n15. Enter the name NSG_DMZ, select OK, then select Add.\r\n16. Select Review + create, then select Create.\r\nYou now have a virtual network that includes two subnets, each with an associated network security group.\r\nSecure the virtual network\r\nA Network security group (NSG) contains a list of Access Control List (ACL) rules that allow or deny network traffic to\r\nyour VM instances in a virtual network. You can associate NSGs with either subnets or individual VM instances within that\r\nsubnet. When an NSG is associated with a subnet, the ACL rules apply to all the VM instances in that subnet.\r\nThe NSGs associated with your subnets automatically include some default inbound and outbound rules. You can't delete\r\ndefault security rules, but you can override them with rules that have a higher priority. And, you can add more inbound and\r\noutbound rules according to the level of security you want.\r\nNow, add a couple of rules to each of our two security groups. 
For the first example, let's add an inbound security rule to the\r\nNSG_INT security group.\r\n1. On your virtual network's Subnets page, select NSG_INT.\r\n2. On the left, select Inbound security rules, then select + Add.\r\n3. In Add inbound security rule, configure the rule with the following information:\r\nFor Source, enter 10.0.1.0/24.\r\nFor the Source port ranges, either leave it blank if you don't want to allow traffic or select an asterisk (*) to\r\nallow traffic on any port.\r\nFor Destination, enter 10.0.0.0/24.\r\nFor Service, select HTTPS. The service automatically fills the information fields for Destination port\r\nranges and Protocol depending on which service you choose.\r\nFor Action, select Allow.\r\nFor Priority, enter 1010.\r\nFor Name, enter AllowHTTPSFromDMZ.\r\nFor Description, enter Allow the HTTPS communication from DMZ.\r\n4. After you're finished, select Add.\r\nThe new inbound security rule is now added to the top of the list of rules for NSG_INT.\r\n5. Repeat these steps with the values shown in the following table. In addition to the new rule you created, you must\r\nadd the following extra rules in the priority order listed to help secure your internal and DMZ subnet.\r\nNSG | Type of rule | Source | Destination | Service | Action | Priority | Name | Description\r\nNSG_INT | Outbound | Any | Service Tag/Internet | Custom (80/Any) | Deny | 100 | DenyInternetOutbound | No access to internet\r\nNSG_DMZ | Inbound | Any | Any | Custom (Asterisk (*)/Any) | Allow | 1010 | AllowHTTPSFromInternet | Allow HTTPS from internet to the DMZ\r\nNSG_DMZ | Outbound | Any | Service Tag/Internet | Custom (80/Any) | Deny | 100 | DenyInternetOutbound | Anything except HTTPS to internet is blocked\r\n6. 
After you finish entering the values for each new rule, select Add and proceed to the next until two new security\r\nrules are added for each NSG.\r\nAfter configuration, the NSG pages should look like the following screenshot:\r\nNote\r\nIf the virtual network requires client user certificate authentication, such as client TLS authentication using X.509 user\r\ncertificates, you must enable TCP port 49443 for inbound access.\r\nCreate connection to on-premises\r\nYou need a connection to on-premises to deploy the DC in Azure. You can connect your on-premises infrastructure to your\r\nAzure infrastructure using one of the following options:\r\nPoint-to-site\r\nVirtual Network site-to-site\r\nExpressRoute\r\nWe recommend you use ExpressRoute if your organization doesn't require point-to-site or Virtual Network site-to-site\r\nconnections. ExpressRoute lets you create private connections between Azure datacenters and infrastructure that's on your\r\npremises or in a colocation environment. ExpressRoute connections also don't connect to the public internet, which makes\r\nthem more reliable, faster, and more secure. To learn more about ExpressRoute and the various connectivity options using\r\nExpressRoute, read ExpressRoute technical overview.\r\nCreate availability sets\r\nFor each role (DC/AD FS and WAP), create availability sets that contain at least two machines each. This configuration\r\nhelps achieve higher availability for each role. While creating the availability sets, you must decide which of the following\r\ndomains you want to use:\r\nIn a fault domain, VMs share the same power source and physical network switch. We recommend a minimum of\r\ntwo fault domains. 
The default value is 2 and you can leave it as-is for this deployment.\r\nIn an update domain, machines restart together during an update. We recommend a minimum of two update domains.\r\nThe default value is 5, and you can leave it as-is for this deployment.\r\nTo create availability sets:\r\n1. Search for and select Availability sets in the Azure portal, then select + Create.\r\n2. In Create availability set, go to the Basics tab and enter the following information:\r\nUnder Project details:\r\nFor Subscription, select the name of your subscription.\r\nFor Resource group, either select an existing resource group or Create new to make a new one.\r\nUnder Instance details:\r\nFor Name, enter the name for your availability set. For this example, enter contosodcset.\r\nFor Region, select the region you want to use.\r\nFor Fault domains, leave it on the default value of 2.\r\nFor Update domains, leave it at the default value of 5.\r\nFor Use managed disks, select No (Classic) for this example.\r\n3. After you're done, select Review + create, then Create.\r\n4. Repeat the previous steps to create a second availability set with the name contososac2.\r\nDeploy virtual machines\r\nThe next step is to deploy VMs that host the different roles in your infrastructure. We recommend a minimum of two\r\nmachines in each availability set. For this example, we create four VMs for the basic deployment.\r\nTo create VMs:\r\n1. Search for and select Virtual machines in the Azure portal.\r\n2. On the Virtual machines page, select + Create, then choose Azure virtual machine.\r\n3. 
In Create a virtual machine, go to the Basics tab and enter the following information:\r\nUnder Project details:\r\nFor Subscription, select the name of your subscription.\r\nFor Resource group, either select an existing resource group or Create new to make a new one.\r\nUnder Instance details:\r\nFor Virtual machine name, enter a name for your VM. For the first machine in this example, enter\r\ncontosodc1.\r\nFor Region, select the region you want to use.\r\nFor Availability options, select Availability set.\r\nFor Availability set, select contosodcset.\r\nFor Security type, select Standard.\r\nFor Subscription, select the name of your subscription.\r\nFor Image, select the image you want to use, then select Configure VM generation and select Gen 1.\r\nUnder Administrator account:\r\nFor Authentication type, select SSH public key.\r\nFor Username, enter a user name to use for the account.\r\nFor Key pair name, enter a key pair name to use for the account.\r\nFor anything not specified, you can leave the default values.\r\n4. When you're finished, select Next: Disks.\r\n5. In the Networking tab, enter the following information:\r\nFor virtual network, select the name of the virtual network that contains the subnets you created in the\r\nprevious section.\r\nFor Subnet, select your INT subnet.\r\nFor NIC network security group, select None.\r\nFor anything not specified, you can leave the defaults.\r\n6. 
After you've made all your choices, select Review + create, then select Create.\r\nRepeat these steps using the information in this table to create the three remaining VMs:\r\nVirtual machine name | Subnet | Availability options | Availability set | Storage account\r\ncontosodc2 | INT | Availability set | contosodcset | contososac2\r\ncontosowap1 | DMZ | Availability set | contosowapset | contososac1\r\ncontosowap2 | DMZ | Availability set | contosowapset | contososac2\r\nThe settings don't specify NSG because Azure lets you use NSG at the subnet level. You can control machine network traffic\r\nby using the individual NSG associated with either the subnet or the network interface card (NIC) object. For more\r\ninformation, see What is a network security group (NSG).\r\nIf you're managing the DNS, we recommend you use a static IP address. You can use Azure DNS and refer to the new\r\nmachines by their Azure FQDNs in the DNS records for your domain. For more information, see Change a private IP\r\naddress to static.\r\nYour Virtual machines page should show all four VMs after the deployment completes.\r\nTo authenticate any incoming request, AD FS needs to contact the DC. To save the costly trip from Azure to on-premises DC\r\nfor authentication, we recommend you deploy a replica of the DC in Azure. In order to attain high availability, it's better to\r\ncreate an availability set of at least two DCs.\r\nDomain controller | Role | Storage account\r\ncontosodc1 | Replica | contososac1\r\ncontosodc2 | Replica | contososac2\r\nWe recommend you do the following things:\r\nPromote the two servers as replica DCs with DNS.\r\nConfigure the AD FS servers by installing the AD FS role using the server manager.\r\nCreate and deploy the internal load balancer (ILB)\r\nTo create and deploy an ILB:\r\n1. Search for and select Load Balancers in the Azure portal and choose + Create.\r\n2. 
In Create load balancer, enter or select this information in the Basics tab:\r\nUnder Project details:\r\nFor Subscription, select the name of your subscription.\r\nFor Resource group, either select an existing resource group or Create new to make a new one.\r\nUnder Instance details:\r\nFor Name, enter the name of your load balancer.\r\nFor Region, select the region you want to use.\r\nFor Type, select Internal.\r\nLeave SKU and Tier as their defaults and then select Next: Frontend IP Configuration.\r\n3. Select + Add a frontend IP configuration, then enter or select this information in the Add frontend IP\r\nconfiguration page.\r\nFor Name, enter a frontend IP configuration name.\r\nFor Virtual network, select the virtual network where you want to deploy your AD FS.\r\nFor Subnet, select INT, which was the internal subnet you created in the previous section.\r\nFor Assignment, select Static.\r\nFor IP address, enter your IP address.\r\nLeave Availability zone as the default and then select Add.\r\n4. Select Next: Backend pools, then select + Add a backend pool.\r\n5. On the Add backend pool page, enter a name for the backend pool into the Name field. In the IP configurations\r\narea, select + Add.\r\n6. On the Add backend pool page, select a VM to align with the backend pool, select Add, then select Save.\r\n7. Select Next: Inbound Rules.\r\n8. 
On the Inbound rules tab, select Add a load balancing rule, then enter the following information in the Add load\r\nbalancing rule page:\r\nFor Name, enter a name for the rule.\r\nFor Frontend IP address, select the address you created earlier.\r\nFor Backend pool, select the backend pool you created earlier.\r\nFor Protocol, select TCP.\r\nFor Port, enter 443.\r\nFor Backend port, select Create new, then enter the following values to create a health probe:\r\nFor Name, enter the name of the health probe.\r\nFor Protocol, enter HTTP.\r\nFor Port, enter 80.\r\nFor Path, enter /adfs/probe.\r\nFor Interval, leave it at the default value of 5.\r\nWhen you're finished, select Save.\r\nWhen you're done, select Save to save the inbound rule.\r\n9. Select Save to save the inbound rule.\r\n10. Select Review + create, then select Create.\r\nAfter you select Create and the ILB deploys, you can see it in the list of load balancers, as shown in the following\r\nscreenshot.\r\nUpdate the DNS server with ILB\r\nUsing your internal DNS server, create an A record for the ILB. This setting ensures that all data transmitted to\r\nfs.contoso.com ends up at the ILB using the appropriate route. The A record should be for the federation service with the IP\r\naddress pointing to the IP address of the ILB. For example, if the ILB IP address is 10.3.0.8 and the federation service\r\ninstalled is fs.contoso.com, create an A record for fs.contoso.com pointing to 10.3.0.8.\r\nWarning\r\nIf you're using the Windows Internal Database (WID) for your AD FS database, set this value to temporarily point to your\r\nprimary AD FS server. If you don't make this temporary setting change, the web application proxy fails enrollment. 
After\r\nyou successfully enroll all web application proxy servers, change this DNS entry to point to the load balancer.\r\nNote\r\nIf your deployment is also using IPv6, create a corresponding AAAA record.\r\nTo ensure that web application proxy servers are able to reach the AD FS servers behind the ILB, create a record in the\r\n%systemroot%\\system32\\drivers\\etc\\hosts file for the ILB. The distinguished name (DN) should be the federation service\r\nname, such as fs.contoso.com. And the IP entry should be the ILB's IP address, which in this example is 10.3.0.8.\r\nWarning\r\nIf you're using the Windows Internal Database (WID) for your AD FS database, set this value to temporarily point to your\r\nprimary AD FS server. If you don't, the web application proxy fails enrollment. After you successfully enroll all web\r\napplication proxy servers, change this DNS entry to point to the load balancer.\r\nInstall the web application proxy role\r\nAfter you ensure that web application proxy servers are able to reach the AD FS servers behind ILB, you can next install the\r\nweb application proxy servers. Web application proxy servers don't need to be joined to the domain. Install the web\r\napplication proxy roles on the two web application proxy servers by selecting the Remote Access role. The server manager\r\nguides you to complete the WAP installation.\r\nFor more information on how to deploy WAP, see Install and Configure the web application proxy Server.\r\nCreate and deploy the internet-facing (public) load balancer\r\nTo create and deploy the internet-facing load balancer:\r\n1. In the Azure portal, select Load balancers and then choose Create.\r\n2. 
In Create load balancer, go to the Basics tab and configure the following settings:\r\nUnder Project details:\r\nFor Subscription, select the name of your subscription.\r\nFor Resource group, either select an existing resource group or Create new to make a new one.\r\nUnder Instance details:\r\nFor Name, enter the name of your load balancer.\r\nFor Region, select the region you want to use.\r\nFor Type, select Public.\r\nLeave SKU and Tier as their defaults and then select Next: Frontend IP Configuration.\r\n3. Select + Add a frontend IP configuration, then enter or select this information in the Add frontend IP\r\nconfiguration page.\r\nFor Name, enter a frontend IP configuration name.\r\nFor IP type, select IP address.\r\nFor Public IP Address, either select the public IP address you want to use from the drop-down list or select\r\nCreate to make a new one, then select Add.\r\n4. Select Next: Backend pools, then select + Add a backend pool.\r\n5. On the Add backend pool page, enter a name for the backend pool into the Name field. In the IP configurations\r\narea, select + Add.\r\n6. On the Add backend pool page, select a VM to align with the backend pool, select Add, then select Save.\r\n7. Select Next: Inbound Rules, then select Add a load balancing rule. 
In the Add load balancing rule page,\r\nconfigure the following settings:\r\nFor Name, enter a name for the rule.\r\nFor Frontend IP address, select the address you created earlier.\r\nFor Backend pool, select the backend pool you created earlier.\r\nFor Protocol, select TCP.\r\nFor Port, enter 443.\r\nFor Backend port, enter 443.\r\nFor Health probe, enter the following values:\r\nFor Name, enter the name of the health probe.\r\nFor Protocol, enter HTTP.\r\nFor Port, enter 80.\r\nFor Path, enter /adfs/probe.\r\nFor Interval, leave it at the default value of 5.\r\nWhen you're finished, select Save.\r\nWhen you're done, select Save to save the inbound rule.\r\n8. Select Review + create, then select Create.\r\nAfter you select Create and the public load balancer deploys, you can see it in the list of load balancers.\r\nAssign a DNS label to the public IP\r\nTo configure the DNS label for the public IP:\r\n1. In the Azure portal, search for Public IP addresses, then select the IP address you want to edit.\r\n2. Under Settings, select Configuration.\r\n3. Under Provide a DNS label (optional), add an entry in the text field (like fs.contoso.com) that resolves to the DNS\r\nlabel of the external load balancer (like contosofs.westus.cloudapp.azure.com).\r\n4. Select Save to complete assigning a DNS label.\r\nThe easiest way to test AD FS is by using the IdpInitiatedSignOn.aspx page. To do that, you must enable the\r\nIdpInitiatedSignOn on the AD FS properties.\r\nTo check if you have the IdpInitiatedSignOn property enabled:\r\n1. In PowerShell, run the following cmdlet on the AD FS server to set it to enabled.\r\nSet-AdfsProperties -EnableIdPInitiatedSignOnPage $true\r\n2. 
From any external machine, access https://adfs-server.contoso.com/adfs/ls/IdpInitiatedSignon.aspx.\r\n3. You should see the following AD FS page:\r\n4. Try to sign in. If you sign in successfully, you should see a message appear, as shown in the following screenshot.\r\nAD FS in Azure Deployment Template\r\nThe template deploys a six-machine setup, with two machines each for Domain Controllers, AD FS, and WAP.\r\nYou can use an existing virtual network or create a new virtual network while deploying this template. The following table\r\nlists the parameters you can use to customize the deployment.\r\nParameter | Description\r\nLocation | The region you want to deploy the resources into.\r\nStorageAccountType | The type of the Storage Account you want to create.\r\nVirtualNetworkUsage | Indicates whether to create a new virtual network or use an existing one.\r\nVirtualNetworkName | The name of the virtual network. Mandatory on both existing or new virtual network usage.\r\nVirtualNetworkResourceGroupName | Specifies the name of the resource group where the existing virtual network is located. When you use an existing virtual network, this option is a mandatory parameter so the deployment can find the ID of the existing virtual network.\r\nVirtualNetworkAddressRange | The address range of the new virtual network. Mandatory if creating a new virtual network.\r\nInternalSubnetName | The name of the internal subnet. Mandatory for both new and existing virtual network usage options.\r\nInternalSubnetAddressRange | The address range of the internal subnet, which contains the Domain Controllers and AD FS servers. Mandatory if creating a new virtual network.\r\nDMZSubnetAddressRange | The address range of the DMZ subnet, which contains the web application proxy servers. Mandatory if creating a new virtual network.\r\nDMZSubnetName | The name of the DMZ subnet, which is mandatory on both new and existing virtual network usage options.\r\nADDC01NICIPAddress | The internal IP address of the first Domain Controller. This IP address is statically assigned to the DC and must be a valid IP address within the Internal subnet.\r\nADDC02NICIPAddress | The internal IP address of the second Domain Controller. This IP address is statically assigned to the DC and must be a valid IP address within the Internal subnet.\r\nADFS01NICIPAddress | The internal IP address of the first AD FS server. This IP address is statically assigned to the AD FS server and must be a valid IP address within the Internal subnet.\r\nADFS02NICIPAddress | The internal IP address of the second AD FS server. This IP address is statically assigned to the AD FS server and must be a valid IP address within the Internal subnet.\r\nWAP01NICIPAddress | The internal IP address of the first WAP server. This IP address is statically assigned to the WAP server and must be a valid IP address within the DMZ subnet.\r\nWAP02NICIPAddress | The internal IP address of the second WAP server. This IP address is statically assigned to the WAP server and must be a valid IP address within the DMZ subnet.\r\nADFSLoadBalancerPrivateIPAddress | The internal IP address of the AD FS load balancer. This IP address is statically assigned to the load balancer and must be a valid IP address within the Internal subnet.\r\nADDCVMNamePrefix | VM name prefix for Domain Controllers.\r\nADFSVMNamePrefix | VM name prefix for AD FS servers.\r\nWAPVMNamePrefix | VM name prefix for WAP servers.\r\nADDCVMSize | The VM size of the Domain Controllers.\r\nADFSVMSize | The VM size of the AD FS servers.\r\nWAPVMSize | The VM size of the WAP servers.\r\nAdminUserName | The name of the local Administrator of the VMs.\r\nAdminPassword | The password for the local Administrator account of the VMs.\r\nAvailability sets\r\nAzure Load Balancer\r\nInternal Load Balancer\r\nInternet-facing load balancer\r\nStorage Accounts\r\nAzure Virtual Networks\r\nAD FS and web application proxy Links\r\nNext steps\r\nIntegrate your on-premises identities with Microsoft Entra ID\r\nConfigure and manage your AD FS using Microsoft Entra Connect\r\nHigh availability cross-geographic AD FS deployment in Azure with Azure Traffic Manager\r\nSource: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs"
	],
	"report_names": [
		"how-to-connect-fed-azure-adfs"
	],
	"threat_actors": [],
	"ts_created_at": 1775434433,
	"ts_updated_at": 1775826756,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f9547b91a40af8341cdbe4ede3b217877cd02937.pdf",
		"text": "https://archive.orkl.eu/f9547b91a40af8341cdbe4ede3b217877cd02937.txt",
		"img": "https://archive.orkl.eu/f9547b91a40af8341cdbe4ede3b217877cd02937.jpg"
	}
}