Ignite2017 - News in AD FS 2016 and "Death to Passwords"

Death to passwords

First of all, Microsoft keeps pushing its no-password strategy (aka "Death to Passwords") and wants us to move to other sign-in methods instead. The main reasoning is that they really do not want our corporate credentials to be compromised - and hey, who wants that? The way to achieve this is to stop using the AD password, i.e. "Death to Passwords", through one of the following:

  • Windows Hello for Business (biometrics or a PIN, unique to each device). This only works with Windows 10 devices.
  • Certificate/device authentication, which has been around for a couple of years and works with managed devices.
  • The last and most widely supported option is MFA (Multi-Factor Authentication) as the primary authentication method. This works with ALL devices (even unmanaged ones).

AD FS news

Another way to protect user accounts from brute-force attacks is the new AD FS feature called Extranet lockout. Basically, this feature tracks the known good IPs for every user. If repeated bad password attempts are made against a user's password, the account is blocked from all login attempts except those coming from the tracked good IPs, so an attacker cannot lock the real user out (a denial of service against the account). Here is a picture illustrating this feature:
Extranet lockout

Another new AD FS feature worth mentioning is the PowerShell cmdlet Get-AdfsAccountActivity, which shows a user's known good IP addresses and lockout data. Microsoft also talked about the Rapid Restore Tool, which takes a serialized backup of the whole database for disaster recovery and backup. Here is the full list of new features coming to AD FS:
AD FS new features
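To make the extranet lockout behaviour and the kind of data Get-AdfsAccountActivity reports concrete, here is an added toy model (my own constructed example, not Microsoft's implementation): known good IPs are learned from successful sign-ins, repeated bad passwords lock the account for unfamiliar IPs only, and the familiar IPs keep working. The threshold, lockout window, user name and IP addresses are assumed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass
class AccountState:
    familiar_ips: set = field(default_factory=set)  # IPs with a past successful sign-in
    bad_attempts: int = 0                           # bad passwords since last success/lockout
    locked_until: float = 0.0                       # epoch seconds; 0 = not locked

class ExtranetLockout:
    """Simplified model of the extranet lockout described above (threshold and
    window are assumed values, not AD FS defaults)."""
    def __init__(self, threshold: int = 3, window_secs: int = 300):
        self.threshold, self.window_secs = threshold, window_secs
        self.accounts: Dict[str, AccountState] = {}

    def attempt(self, user: str, ip: str, password_ok: bool, now: float) -> str:
        """Evaluate one sign-in attempt and return its outcome."""
        st = self.accounts.setdefault(user, AccountState())
        familiar = ip in st.familiar_ips
        # While locked, only known good IPs may sign in, so password guessing
        # from elsewhere cannot deny the real user access to the account.
        if now < st.locked_until and not familiar:
            return "locked"
        if password_ok:
            st.familiar_ips.add(ip)  # a successful sign-in makes this IP known
            st.bad_attempts = 0
            return "success"
        st.bad_attempts += 1
        if st.bad_attempts >= self.threshold:
            st.locked_until = now + self.window_secs
            st.bad_attempts = 0
            return "bad_password_lockout"
        return "bad_password"

    def account_activity(self, user: str, now: float) -> dict:
        """Rough analogue of what Get-AdfsAccountActivity reports for a user."""
        st = self.accounts.setdefault(user, AccountState())
        return {"familiar_ips": sorted(st.familiar_ips),
                "bad_attempts": st.bad_attempts, "locked": now < st.locked_until}

def demo() -> List[str]:
    """Constructed scenario: office sign-in, then guesses from an unknown IP until lockout."""
    adfs = ExtranetLockout(threshold=3, window_secs=300)
    out = [adfs.attempt("alice", "203.0.113.10", True, now=0)]
    for t in range(1, 4):
        out.append(adfs.attempt("alice", "198.51.100.7", False, now=t))
    out.append(adfs.attempt("alice", "198.51.100.7", True, now=10))  # right password, unknown IP: blocked
    out.append(adfs.attempt("alice", "203.0.113.10", True, now=11))  # known IP: unaffected
    return out
```

Note the fifth attempt: even a correct password from an unfamiliar IP is refused while the lockout is active, while the office IP signs in normally.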

Enjoy and stay tuned!