This is a continuation of a series of articles on hosting solutions and services on the Azure public cloud, with the most recent discussion on Multitenancy here. This article discusses using the AD FS application activity report. Administrators will find that the process described here is simple to execute.

Active Directory Federation Services (AD FS) is used to provide single sign-on to cloud applications. There are significant benefits to moving AD FS applications to Azure AD for authentication, especially in terms of cost management, risk management, productivity, compliance, and governance. A previous article outlined the process by identifying specific migration steps. The AD FS application activity report in the Azure portal helps with this process by identifying which of the applications are capable of being migrated to Azure AD.

The report assesses all AD FS applications for compatibility with migration, checks for any issues, and gives guidance on preparing individual applications for migration. In addition, the AD FS application activity report can help with:

1) Discovering AD FS applications and scoping the migration, because the report lists all AD FS applications in the organization that have had an active user login in the last 30 days. This indicates that these applications are ready for migration to Azure AD. The report does not display Microsoft-related relying parties in AD FS such as Office 365, for example relying parties with the name 'urn:federation:MicrosoftOnline'.
2) Prioritizing the applications for migration by getting the number of unique users who have signed in to the application in the past 1, 7, or 30 days, to help determine the severity of the risk of migrating the application.
3) Running migration tests and fixing issues. The reporting service runs tests to determine if an application is ready to migrate. The results are displayed in the AD FS application activity report as a migration status. If the AD FS configuration is not compatible with an Azure AD configuration, the report also gives specific guidance on how to address the configuration in Azure AD.

The data is available to the following roles: admin role, global administrator role, report reader, security reader, application administrator, or cloud application administrator. Three prerequisites apply: AD FS must be actively used to access applications, Azure AD Connect Health must be enabled in the Azure AD tenant, and the Azure AD Connect Health for AD FS agent must be installed.

The AD FS applications that can be migrated are listed under the Enterprise Applications section of the Azure Active Directory page in the Azure portal. Opening Usage and Insights from the Activity section displays a list of all AD FS applications in the organization.

The activity list also displays the migration status as Ready to migrate, Needs review, or Additional steps required. The migration list details potential migration issues. A message can be clicked to open additional migration rule details. A full list of the properties tested can be seen in the AD FS application configuration tests table.