For organizations that deploy AD FS for single sign-on with Office 365, it is a http://xmasetc.com/5-revision-v1/christmas-in-the-city/tree-ornament/?p=5856 browse around these guys CRITICAL component just as an on-premises Active Directory infrastructure is. Whilst you may have your mailboxes hosted on Exchange Online, if your on-prem AD FS is not accessible for whatever reason, users cannot authenticate to access their mailbox.
There are a number of ways to create a highly available environment, starting with load balancing the ADFS and WAP servers in a single location, then possibly them geo load balancing across multiple datacenters and probably the best option to extending your infrastructure into Azure and implementing the AD FS farm on Azure IaaS.
Another option, and one which should be done anyway due to it costing nothing to implement, is to use the Password Synchronization feature of AAD Connect (formerly DirSync) as a disaster recovery option should your AD FS become unavailable.
Enabling Password Sync is simple (see this blog). The latest release automatically updates when a new release becomes available but this can be disables (follow this blog). Also you can force a sync if you cannot wait for the 30 min sync schedule (which is default and can be changed by following this blog).
So lets say a disaster has occurred and AD FS is unavailable. Just note this should be a disaster scenario and not because your certificate has expired or you are doing Windows Updates on the ADFS infrastructure.
Microsoft originally provided guidance on the process to temporarily failover to synchronized passwords from AD FS. However, this is awful and doesn’t work or help you in this disaster scenario. So this is how to do it the quick and easy way. The biggest issue with the Microsoft documentation is that because we have a “disaster” we cannot access our ADFS environment and therefore you cant go through that documentation and end up with the following error:
The command you need to use because the ADFS infrastructure is unavailable is:
Set-MsolDomainAuthentication –DomainName server2016.online –Authentication Managed
In the screenshot below, I started out with my “server2016.online” domain being configured as a Federated domain and then was able to successfully change it to a Managed domain.
Now your users are able to successfully authenticate to Office 365 (SharePoint / OneDrive / Skype for Business / Exchange) using their on-prem password that is sync’d with AAD Connect.
So now the panic is over and ADFS is back up and running again, all you need to do is run the following command to convert the domain back to a Federated domain:
Convert-MsolDomainToFederated –DomainName server2016.online
You can run Get-MsolFederationProperty which will check the status of the token-signing certificate as well as the ADFS health checks.