Category: Active Directory

How to:

before to configure ADFS smart lockout, remove your account from GAD protected users group, else you can get access denied


Primary Domain Controller Requirement

AD FS 2016 offers a parameter that allows fallback to another domain controller when the PDC is unavailable.

  • ExtranetLockoutRequirePDC <Boolean> When enabled, extranet lockout requires a primary domain controller (PDC). When disabled, extranet lockout will fallback to another domain controller in case the PDC is unavailable.The following example shows the cmdlet to enable lockout with the PDC requirement disabled:
    Set-AdfsProperties -EnableExtranetLockout $true -ExtranetLockoutThreshold 8 -ExtranetObservationWindow (new-timespan -Minutes 30) -ExtranetLockoutRequirePDC $false

PS C:\WINDOWS\system32> get-adfsproperties | select *extra*

ExtranetLockoutThreshold  : 8
ExtranetLockoutMode       : ADPasswordCounter
ExtranetLockoutEnabled    : True
ExtranetObservationWindow : 00:30:00
ExtranetLockoutRequirePDC : True

PS C:\WINDOWS\system32> $cred = Get-Credential

cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
PS C:\WINDOWS\system32> Update-AdfsArtifactDatabasePermission -Credential $cred
PS C:\WINDOWS\system32> Set-AdfsProperties -ExtranetLockoutMode AdfsSmartlockoutLogOnly

This command will set the extranet lockout mode to AdfsSmartLockout.  Verify all nodes have up to date patches and appropriate database permissions have been assigned by
running Update-AdfsArtifactDatabasePermission.  See for more information.
[Y] Yes  [N] No  [S] Suspend  [?] Help (default is “Y”): Y
WARNING: PS0038: This action requires a restart of the AD FS Windows Service. If you have deployed a federation server farm, restart the service on every server in the farm.
PS C:\WINDOWS\system32> restart-service adfssrv
WARNING: Waiting for service ‘Active Directory Federation Services (adfssrv)’ to stop…
WARNING: Waiting for service ‘Active Directory Federation Services (adfssrv)’ to stop…
WARNING: Waiting for service ‘Active Directory Federation Services (adfssrv)’ to stop…
WARNING: Waiting for service ‘Active Directory Federation Services (adfssrv)’ to stop…
WARNING: Waiting for service ‘Active Directory Federation Services (adfssrv)’ to start…
WARNING: Waiting for service ‘Active Directory Federation Services (adfssrv)’ to start…


Observing Audit Events

AD FS will write extranet lockout events to the security audit log:

  • When a user is locked out (reaches the lockout threshold for unsuccessful login attempts)
  • When AD FS receives a login attempt for a user who is already in lockout state

While in log only mode, you can check the security audit log for lockout events. For any events found, you can check the user state using the Get-ADFSAccountActivity cmdlet to determine if the lockout occurred from familiar or unfamiliar IP addresses, and to double check the list of familiar IP addresses for that user.


Enable enforce mode

Once you have been running in log only mode for sufficient time for AD FS to learn login locations and to observe any lockout activity, and once you are comfortable with the lockout threshold and observation window, smart lockout can be moved to “enforce” mode using the PSH cmdlet below:

PS C:\>Set-AdfsProperties -ExtranetLockoutMode AdfsSmartLockoutEnforce

For the new mode to take effect, restart the AD FS service on all nodes in the farm

PS C:\>Restart-service adfssrv

ADFS 2019

ADFS 2019 what’s new:

ADFS 2019 on Windows server 2019 has just been release recently, but I do not recommend to put in production because you can discover some side effects with AADConnect, Office 365, MFA onprem server service running on the ADFS servers and your current federated-based applications not yet compatible (ie Cisco Webex, Cisco Jabber …)

AD – DCShadow attack

Description of the attack:


Detection of the attack:


ATA Azure ATP detection:

Other articles:





ADFS – export RP and its claims

If you choose not to use the AD FS Rapid Restore Tool, then at a minimum, you should export the “Microsoft Office 365 Identity Platform” relying party trust and any associated custom claim rules you may have added. You can do this via the following PowerShell example

(Get-AdfsRelyingPartyTrust -Name “Microsoft Office 365 Identity Platform”) | Export-CliXML “C:\temp\O365-RelyingPartyTrust.xml”

Implement password hash synchronization:


Migrating from federated authentication (ADFS) to password hash synchronization:


AAD Connect configuration documenter is a tool to generate documentation of an Azure AD Connect installation. Currently, the documentation is only limited to the Azure AD Connect sync configuration.

The current capabilities of the tool include:

  • Documentation of the complete configuration of Azure AD Connect sync.
  • Documentation of any changes in the configuration of two Azure AD Connect sync servers or changes from a given configuration baseline.
  • Generation of the PowerShell deployment script to migrate the sync rule differences or customisations from one server to another.

There are four main options on how you can configure SSO:


ProxyAddress attribute is used by different applications and it can store different type of user addresses (sip, smtp, x500).

If you sync accounts with non-verified domain to O365, those addresses can be replaced with the default domain.

Some interesting reading regarding this topic:

ADConnect not Syncing ProxyAccount for email Alias from on Premise AD to Azure AD

List of attributes that are synced by the Azure Active Directory Sync Tool

A mail user who has proxy addresses that use non-verified domains isn’t synced in an Exchange hybrid deployment

Wrong domain address when synchronizing from on premise AD

Azure AD Connect sync: Attributes synchronized to Azure Active Directory