Author: Adrian Johnson (adrian207@gmail.com)
Version: 1.0.0
Date: October 2025
A comprehensive PowerShell solution for Active Directory Federation Services (ADFS) deployment, configuration, security, and troubleshooting.
This solution provides modular and portable PowerShell scripts for ADFS operations that can run on any Windows Server environment. It covers the complete ADFS lifecycle from deployment to troubleshooting.
- ADFS-Core.psm1 - Core ADFS operations including farm installation, relying party trusts, and claim rules
- ADFS-Federation.psm1 - Federation capabilities including organization federation, Office 365 integration, and multi-forest scenarios
- ADFS-Security.psm1 - Security features including MFA integration, certificate management, conditional access, and smartcard authentication
- ADFS-Troubleshooting.psm1 - Troubleshooting capabilities including diagnostics, monitoring, and automated issue resolution
- Deployment - Farm deployment and initial configuration
- Configuration - Ongoing configuration and management
- Security - Security hardening and compliance
- Troubleshooting - Diagnostics and issue resolution
- Enterprise-Scenarios - Advanced enterprise use cases
- Windows Server 2016 or later
- PowerShell 5.1 or later
- Administrator privileges
- Domain membership
- ADFS Windows features
-
Deploy ADFS Farm
.\Scripts\Deployment\Deploy-ADFSFarm.ps1 -FederationServiceName "fs.company.com" -ServiceAccount "DOMAIN\adfs-service" -CertificateThumbprint "1234567890ABCDEF"
-
Create Relying Party Trust
Import-Module .\Modules\ADFS-Core.psm1 New-ADFSRelyingPartyTrust -Name "Salesforce" -Identifier "https://salesforce.com" -MetadataUrl "https://salesforce.com/federationmetadata"
-
Configure MFA Integration
Import-Module .\Modules\ADFS-Security.psm1 Set-ADFSMFAIntegration -MFAProvider "AzureMFA" -EnableConditionalMFA -EnablePerAppMFA
Install-ADFSFarm- Install and configure ADFS farmNew-ADFSRelyingPartyTrust- Create relying party trustSet-ADFSClaimRule- Configure claim rulesGet-ADFSStatus- Get ADFS service statusTest-ADFSConnectivity- Test ADFS connectivity
New-ADFSOrganizationFederation- Create organization federationSet-ADFSOffice365Federation- Configure Office 365 federationNew-ADFSMultiForestFederation- Create multi-forest federationSet-ADFSB2BFederation- Configure B2B federationGet-ADFSFederationStatus- Get federation statusTest-ADFSFederationConnectivity- Test federation connectivity
Set-ADFSMFAIntegration- Configure MFA integrationSet-ADFSCertificateManagement- Configure certificate managementSet-ADFSConditionalAccess- Configure conditional access policiesSet-ADFSSmartcardAuthentication- Configure smartcard authenticationGet-ADFSSecurityStatus- Get security statusTest-ADFSSecurityConnectivity- Test security functionality
Get-ADFSDiagnostics- Perform comprehensive diagnosticsTest-ADFSConnectivity- Test connectivity and functionalityGet-ADFSEventLogs- Retrieve and analyze event logsRepair-ADFSIssues- Automatically repair common issuesGet-ADFSPerformanceMetrics- Retrieve performance metricsGet-ADFSTroubleshootingStatus- Get troubleshooting status
The solution supports 30+ enterprise scenarios including:
- Single Sign-On (SSO) for External Web Applications
- Federation Between Organizations
- Office 365 / Microsoft 365 Federation
- Multi-Factor Authentication Integration
- Smartcard / Certificate-Based Authentication
- Claims-Based Access Control
- Single Sign-On for Legacy On-Prem Apps
- ADFS + Web Application Proxy (WAP) Perimeter Access
- OAuth2 / OpenID Connect Enablement
- Custom Branding and Home Realm Discovery
- Federation with Azure AD (Hybrid Identity)
- B2B and Partner Federation
- ADFS as OAuth Authorization Server for APIs
- Conditional Access and Location-Based Rules
- Integration with Citrix or VMware Horizon
- Multi-Forest or Multi-Domain Federation
- Service Provider Federation (SaaS Hub Model)
- Consumer-Facing Web Portals
- Integration with Microsoft Entra Conditional Access
- Passwordless or Passkey Authentication Pilot
- ADFS as an Identity Broker (Token Translation)
- Relying Party Access Auditing
- Smart Access via Device Registration (DRS)
- Failover and Geo-Redundancy
- Disaster Recovery Federation Service
- Auditable Access for Compliance
- Application Proxy Authentication
- ADFS and Conditional MFA by Application
- Migration Path to Entra ID (Azure AD)
- Integration with Custom Line-of-Business Apps
- Multi-Factor Authentication (MFA) - Support for Azure MFA, Duo, RSA, and custom providers
- Certificate Management - SSL, token signing, and encryption certificate management
- Conditional Access - Location-based, device-based, risk-based, and time-based access controls
- Smartcard Authentication - PKI integration and certificate-based authentication
- Audit Logging - Comprehensive audit logging and SIEM integration
- Compliance - Support for SOX, HIPAA, GDPR, PCI, and CCPA compliance
- Comprehensive Diagnostics - Service status, configuration, and connectivity tests
- Event Log Analysis - Automated event log analysis with recommendations
- Performance Monitoring - Real-time performance metrics and trend analysis
- Automated Repair - Automatic detection and repair of common issues
- Connectivity Testing - Internal and external access testing
- Certificate Validation - Certificate health monitoring and validation
- JSON Configuration - Centralized configuration management
- Template-Based Deployment - Reusable deployment templates
- Environment-Specific Configs - Support for multiple environments
- Version Control - Git-based version control and change tracking
- Performance Counters - CPU, memory, disk, and network monitoring
- Event Log Monitoring - Automated event log monitoring and alerting
- Certificate Monitoring - Certificate expiration and health monitoring
- Trust Monitoring - Trust health and connectivity monitoring
- SIEM Integration - Integration with security information and event management systems
- Configuration Backup - Automated configuration backup before changes
- Disaster Recovery - Disaster recovery procedures and documentation
- High Availability - Support for high availability and failover scenarios
- Geo-Redundancy - Multi-site deployment and redundancy
# Deploy ADFS farm
Install-ADFSFarm -FederationServiceName "fs.company.com" -ServiceAccount "DOMAIN\adfs-service" -CertificateThumbprint "1234567890ABCDEF"
# Create relying party trust
New-ADFSRelyingPartyTrust -Name "Salesforce" -Identifier "https://salesforce.com" -MetadataUrl "https://salesforce.com/federationmetadata"
# Configure claim rules
Set-ADFSClaimRule -TrustName "Salesforce" -RuleName "Email Claim" -RuleType "PassThrough" -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"# Configure Office 365 federation
Set-ADFSOffice365Federation -TenantDomain "company.onmicrosoft.com" -EnableHybridIdentity -EnablePasswordSync -EnableSeamlessSSO -EnableConditionalAccess
# Configure MFA integration
Set-ADFSMFAIntegration -MFAProvider "AzureMFA" -EnableConditionalMFA -EnablePerAppMFA -EnableLocationBasedMFA# Create organization federation
New-ADFSOrganizationFederation -PartnerOrganization "PartnerCorp" -PartnerDomain "partner.com" -PartnerMetadataUrl "https://fs.partner.com/federationmetadata/2007-06/federationmetadata.xml" -FederationProtocol "SAML" -EnableMutualTrust -EnableClaimsMapping# Perform comprehensive diagnostics
Get-ADFSDiagnostics -IncludePerformanceCounters -IncludeEventLogs -IncludeCertificateValidation -IncludeTrustValidation
# Test connectivity
Test-ADFSConnectivity -TestInternalAccess -TestExternalAccess -TestTrustConnectivity -TestPerformance
# Get event logs
Get-ADFSEventLogs -LogSource "ADFS" -EventLevel "Error" -TimeRange "Last24Hours" -IncludeAnalysis
# Repair issues
Repair-ADFSIssues -RepairServiceIssues -RepairConfigurationIssues -RepairCertificateIssues -RepairTrustIssues -EnableBackup-
Security
- Enable MFA for all external access
- Use strong certificates with proper key sizes
- Implement conditional access policies
- Enable comprehensive audit logging
-
Performance
- Monitor performance counters regularly
- Implement proper load balancing
- Use appropriate hardware sizing
- Monitor certificate expiration
-
Reliability
- Deploy multiple ADFS servers for high availability
- Implement proper backup procedures
- Test disaster recovery procedures
- Monitor service health continuously
-
Compliance
- Enable audit logging for compliance requirements
- Implement data retention policies
- Regular security assessments
- Document all configurations
For issues, questions, or contributions, please refer to the project documentation or contact the development team.
This project is licensed under the MIT License - see the LICENSE file for details.
- v1.0.0 - Initial release with core ADFS functionality
- Core ADFS operations
- Federation capabilities
- Security features
- Troubleshooting tools
- Enterprise scenarios support