Integrate ADFS (WS 2019) with an external Identity Provider: check user authorizations / permissions

Giovanni Fleres 216 Reputation points
2020-10-06T16:21:08.877+00:00

Hi,
I have set up an environment with an ADFS (WS 2019) and an external Identity Provider.
My goal is that once a user has been authenticated by the external Identity Provider, ADFS will query AD to retrieve his / her permissions (i.e. based on AD Security membership, or check if the user is disabled or if the user has been deleted).

Is such a scenario supported?
Any help about what I should do?

Thanks in advance

Giovanni

Active Directory Federation Services

2 answers

  1. Pierre Audonnet - MSFT 10,181 Reputation points Microsoft Employee
    2020-10-06T16:47:19.147+00:00

    Yes, it is possible to do that as long as the external identity provider can provide a unique identifier to anchor the user to an object in AD DS. If you have a specific example (with the actual claim types and the logic for the mapping and the group lookup) we can help you with the rules here.

    By the way, why use an external provider if at the end you are authenticating an AD DS user? Why not use the Active Directory claim provider directly?

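    One way to build the rules the answer above describes, as an added example that is not part of the thread or of any Microsoft documentation: the UPN claim from the external IdP is used as the anchor into AD DS, the Active Directory attribute store is queried for the user's groups, and the relying party permits only members of a given group. The trust names, the UPN claim type, the `CONTOSO\adfssvc` routing token and the `CONTOSO\App-Users` group are assumed placeholders.

```powershell
# Added example (not from the thread). Names below are assumed placeholders.
$cpTrustName = "External-IdP"   # assumed claims provider trust for the external IdP
$rpTrustName = "Contoso-App"    # assumed relying party trust that needs the check

# Acceptance transform rules on the claims provider trust.
# Rule 1: pass the IdP's UPN claim through; it is the anchor to the AD DS object.
# Rule 2: query the Active Directory attribute store with that UPN.
#   query = "<LDAP filter>;<attributes>;<domain\user>" is the store's query format;
#   the third token is assumed here to be used only for domain routing.
#   A user that no longer exists in AD DS matches nothing, so no group claims
#   are issued and the authorization rules below will not permit the session.
$acceptanceRules = @'
@RuleName = "Pass through UPN from external IdP"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);

@RuleName = "Look up AD DS group membership by UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/claims/Group"),
          query = "(&(objectClass=user)(userPrincipalName={0}));tokenGroups;{1}",
          param = c.Value,
          param = "CONTOSO\adfssvc");
'@
Set-AdfsClaimsProviderTrust -TargetName $cpTrustName -AcceptanceTransformRules $acceptanceRules

# Issuance authorization rules on the relying party. ADFS denies access when no
# permit claim is issued, so only users that AD DS reports as members of the
# assumed CONTOSO\App-Users group get through; everyone else is refused.
$authRules = @'
@RuleName = "Permit members of App-Users"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value == "CONTOSO\App-Users"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@
Set-AdfsRelyingPartyTrust -TargetName $rpTrustName -IssuanceAuthorizationRules $authRules
```

    After applying the rules, a sign-in through the external IdP by a user who has been removed from AD DS or from the group produces no permit claim and is rejected by ADFS.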

  2. Giovanni Fleres 216 Reputation points
    2020-10-07T17:34:22.023+00:00

    Hi @Pierre Audonnet - MSFT,
    Thanks for your help.
    With some luck, I have been able to resolve these issues.

    Regarding your question, I'm using the Identity Provider to introduce a passwordless authentication for AD DS users because passwordless authentication is not available in AD FS natively.

    Thanks,
    Giovanni
