If your environment still runs Active Directory Federation Services (ADFS) — and most large enterprises that adopted federation between 2015 and 2020 still do — you are sitting on the single highest-value target in your identity stack. An attacker who extracts the ADFS token-signing certificate can mint SAML tokens for any user, including domain admins, with no further AD interaction and no Kerberos or NTLM tickets to detect. That class of attack is Golden SAML, and it’s exactly what hit SolarWinds-era victims in 2020. This is the practical ADFS security hardening guide for 2026: rotating signing certificates, auditing claim rules, enforcing Extranet Lockout, blocking the mimikatz / ADFSDump extraction path, and the migration path to Microsoft Entra ID for the eventual decommission.

TL;DR — the ADFS hardening priority list

If you only have time for the five highest-impact controls:

  1. Rotate the token-signing certificate, then rotate it again 14 days later. Anyone holding an old cert is locked out.
  2. Block local logon to ADFS servers for everyone except a tiered admin group. ADFS servers are Tier 0 — treat them like Domain Controllers.
  3. Enable Extranet Lockout with AdfsSmartLockoutEnforce mode. Without it, ADFS is a password-spray funnel.
  4. Audit every claim rule for transformations that bypass MFA or grant excessive scope. Most environments have unused claim rules accumulated over five years.
  5. Forward Event IDs 1200/1201/1202/411/412 to your SIEM. These are the Golden SAML, brute force, and token-replay signals — every ADFS-relevant detection lives in one of those Event IDs.

After those five, the remaining hardening (WS-Trust 1.3 disable, smart account lockout, PowerShell auditing, network segmentation) closes the long tail.

What is ADFS, and why is it still relevant?

Active Directory Federation Services (ADFS) is Microsoft’s on-premises identity federation service. It accepts authentication from Active Directory and issues SAML 2.0 / WS-Federation / OAuth 2.0 tokens that downstream relying parties (Office 365, Salesforce, ServiceNow, custom apps) trust. In a federated topology the relying party doesn’t see AD credentials — it sees signed tokens minted by ADFS.

ADFS was the default Microsoft identity-federation path from 2009 (Server 2008 R2) through about 2018. After that, Microsoft Entra ID (formerly Azure AD) took over as the recommended modern path — but a lot of environments are still running ADFS in 2026 because:

  • Long-tail Office 365 migrations that started on ADFS and never finished the cut-over to Entra
  • Hybrid identity where ADFS is the bridge to on-prem RP-STS relying parties
  • Compliance environments (US Federal, defence contractors) that prefer on-prem identity
  • Legacy SaaS apps with custom SAML configurations tied to the ADFS issuer URL

If you have ADFS, two things are true: (a) you should plan to decommission it (Microsoft has signalled this for years and the Entra ID path is materially safer); and (b) until you finish that migration, ADFS must be hardened to the same standard as a Domain Controller.

Why ADFS hardening matters now

Three reasons to put ADFS at the top of your 2026 hardening backlog:

1. Golden SAML is a one-shot domain compromise. An attacker who reads the ADFS token-signing certificate (specifically the private key, stored encrypted on the ADFS server filesystem and in the database) can mint arbitrary SAML tokens. No AD interaction. No Kerberos tickets. No NTLM hashes. They appear at Office 365 (and any other federated RP) as any user they want, including the most privileged. The 2020 SolarWinds incident demonstrated this against multiple US federal agencies and enterprise victims — UNC2452 / APT29 extracted the ADFS signing key and minted tokens for high-value accounts at will.

2. Mimikatz and ADFSDump trivialise the extraction.

  • mimikatz.exe "vault::cred /patch" "exit" reads cached credentials from ADFS service accounts
  • mimikatz "lsadump::backupkeys" / "lsadump::dpapi" recovers the DPAPI master key used to encrypt the signing cert
  • The dedicated ADFSDump.exe (Doug Bienstock, Mandiant) and aadinternals PowerShell module make the extraction a one-liner for anyone with local SYSTEM on the ADFS server

If your ADFS server is reachable from a Tier 1 admin’s workstation, and that workstation is compromised, Golden SAML is one lateral hop away.

3. ADFS is often the LEAST-hardened machine in the identity stack. Many environments hardened DCs aggressively, deployed LAPS, enabled Credential Guard — and left the ADFS server with default settings, an old token-signing cert that has never been rotated, the WS-Trust 1.3 endpoint exposed to the internet, and no Extranet Lockout. The blast radius is asymmetric: ADFS compromise = federation compromise = every SaaS app trusts forged tokens.

ADFS attack surface

The four major paths to ADFS compromise, and what each enables:

AttackWhereOutcomeMitigated by
Golden SAML (token signing cert theft)ADFS server filesystem + DPAPIForge arbitrary SAML tokens; impersonate any userCert rotation, ADFS-server tiering, signing key in HSM
Password spray via WS-Trust 1.3External /adfs/services/trust/2005/usernamemixed endpointAccount credentials at scale; no MFA path on legacy WS-TrustDisable WS-Trust 1.3; Extranet Lockout; smart lockout
Claim-rule injection / abuseADFS configuration databasePrivilege escalation through transformed claims; MFA bypassQuarterly claim-rule audit; change-control on relying parties
Service-account compromisesvc-adfs AD account; local admin on ADFS hostDirect access to ADFS configuration; signing key extractionLAPS on ADFS hosts; gMSA for ADFS service; restricted local admins

The full hardening plan addresses all four paths in priority order.

How to harden ADFS step-by-step

How To

How to harden ADFS (Active Directory Federation Services) in 2026

Estimated time: 8 hr

  1. Rotate the token-signing certificate

    Open the ADFS Management console (or Get-AdfsCertificate). Generate a new token-signing certificate (Update-AdfsCertificate -CertificateType Token-Signing). Federation Trust Service publishes the new certificate via the federation metadata; relying parties pick it up automatically if they consume metadata. After 14 days, run Set-AdfsCertificate -CertificateType Token-Signing -IsPrimary -Thumbprint <new> and remove the old certificate. Anyone holding a stolen old cert can no longer mint valid tokens.
  2. Move ADFS servers to Tier 0 with strict tiered admin

    ADFS servers are identity-tier (Tier 0). Block local logon to ADFS hosts for everyone except a small dedicated ADFS-Admins group. Use secpol.msc → User Rights Assignment and remove standard admin groups from the Allow log on locally policy. Deploy LAPS on ADFS servers — local admin password must be rotated like DCs.
  3. Enable Extranet Lockout with smart-lockout mode

    Run Set-AdfsProperties -ExtranetLockoutEnabled $true -ExtranetLockoutMode AdfsSmartLockoutEnforce -ExtranetLockoutRequirePDC $false -ExtranetLockoutThreshold 5 -ExtranetObservationWindow (New-TimeSpan -Minutes 15). This caps password attempts from the extranet before the request reaches AD — closes the password-spray funnel without locking real AD accounts.
  4. Disable WS-Trust 1.3 unless something explicitly needs it

    WS-Trust 1.3 endpoints (/adfs/services/trust/2005/usernamemixed, /adfs/services/trust/13/usernamemixed) are the legacy auth path that does not require MFA. Most modern apps don’t need them. Disable: Set-AdfsEndpoint -TargetAddressPath /adfs/services/trust/2005/usernamemixed -Proxy $false; Disable-AdfsEndpoint -TargetAddressPath /adfs/services/trust/13/usernamemixed. Inventory anything still authenticating via WS-Trust before disabling — those are usually old Exchange ActiveSync clients or legacy SaaS connectors.
  5. Enforce MFA on every relying party trust

    Per relying party (Get-AdfsRelyingPartyTrust), set the access control policy to require MFA. The recommended modern policy is Permit everyone and require MFA. For relying parties that genuinely don’t support MFA (rare in 2026), document the exception and put compensating controls (network restrictions, IP-based access) in place.
  6. Audit every claim rule for unused transformations and excessive scope

    Get-AdfsRelyingPartyTrust | ForEach-Object { $_.Name; $_.IssuanceTransformRules }. Look for: claim rules that explicitly elevate group membership; claim rules that pass through tokenGroupsGlobalAndUniversal (broad group disclosure); claim rules referencing apps that no longer exist. Remove unused rules; tighten broad rules to specific allowlists.
  7. Configure PowerShell scriptblock logging on ADFS servers

    GPO: Computer Configuration → Administrative Templates → Windows Components → Windows PowerShell → Turn on PowerShell Script Block Logging = Enabled. Forward Event 4104 from ADFS servers to your SIEM. ADFSDump, mimikatz dumps, and certificate exports are all visible in scriptblock logs.
  8. Enable advanced ADFS auditing and forward to SIEM

    On ADFS server: Set-AdfsProperties -AuditLevel Verbose; on the AD audit policy: enable subcategory ‘Application Generated’ under Object Access. Forward Event IDs 1200/1201/1202 (token issuance) and 411/412 (token validation failure) to Splunk / Sentinel. These are the Golden SAML detection signals — token-issuance volume from unusual accounts is the canary.
  9. Network-segment ADFS servers behind a Web Application Proxy

    Place the internal ADFS farm in a Tier 0 VLAN. Expose only the Web Application Proxy (WAP) tier to the DMZ. Block direct access from corporate workstations to the ADFS farm — only WAPs and ADFS Admins should reach them. Apply Windows Firewall rules and network ACLs.
  10. Plan and execute migration to Microsoft Entra ID

    Run Test-AzureADAuthPolicyMigration (or the Entra ID Connect health tool) to identify relying parties that can move to Entra ID directly. Apps using SAML 2.0 or WS-Fed migrate cleanly; OAuth/OIDC apps migrate even more cleanly. Document a 6-12 month decommission plan: each relying party moves from ADFS to Entra ID, ADFS retains a smaller scope, eventually only legacy WS-Trust apps remain (which usually means decommissioning the app entirely).

Each step is unpacked below with the technical detail you’ll need.

Step 1: Token-signing certificate rotation (the highest-priority control)

The token-signing certificate’s private key is what makes Golden SAML possible. If an attacker has read this key (typically via mimikatz extracting the DPAPI master and ADFSDump pulling the cert from the ADFS configuration DB), they can mint arbitrary SAML tokens for any user.

The defence is frequent rotation. Microsoft’s recommendation: rotate annually. Best practice for security-conscious environments: rotate every 90 days. After any suspected compromise: rotate immediately, twice, with a 14-day gap.


# Show the current signing certificate
Get-AdfsCertificate -CertificateType Token-Signing |
  Format-List Thumbprint, NotBefore, NotAfter, IsPrimary, CertificateType

# Generate a new one (becomes secondary; relying parties get it via federation metadata)
Update-AdfsCertificate -CertificateType Token-Signing

# Wait 7–14 days for relying parties to pick up the new cert via metadata
# Then promote the new cert to primary and remove the old
$new = Get-AdfsCertificate -CertificateType Token-Signing |
  Where-Object { -not $_.IsPrimary }
Set-AdfsCertificate -Thumbprint $new.Thumbprint -CertificateType Token-Signing -IsPrimary

# Remove the old certificate
$old = Get-AdfsCertificate -CertificateType Token-Signing |
  Where-Object { -not $_.IsPrimary }
Remove-AdfsCertificate -Thumbprint $old.Thumbprint -CertificateType Token-Signing

For maximum security: generate the token-signing certificate in a Hardware Security Module (HSM). The private key never touches the ADFS filesystem — even local SYSTEM on the ADFS host can’t extract it. Microsoft documents HSM integration for ADFS using nShield and similar; pair with the Microsoft Learn ADFS docs.

Step 2: Tier-0 isolation of ADFS servers

ADFS servers are part of your identity stack — Tier 0 — alongside Domain Controllers. The hardening rule is “no Tier 1/2 admin ever logs on locally to an ADFS server.”

Restrict local logon (GPO at the ADFS OU):

Computer Configuration
 └ Policies
   └ Windows Settings
     └ Security Settings
       └ Local Policies
         └ User Rights Assignment
           ├ Allow log on locally           = ADFS-Admins, Local Administrators
           ├ Deny log on locally            = Domain Users
           ├ Deny log on through RDS        = Domain Users
           └ Allow log on through RDS       = ADFS-Admins

Deploy LAPS on ADFS servers so the local admin password rotates daily and the read permission is scoped to Tier 0 admins only. See the Windows LAPS implementation guide — the same DSRM backup workflow applies to ADFS.

Use a gMSA (Group Managed Service Account) for the ADFS service. Replaces the default NT SERVICE\adfssrv or domain service account. gMSA passwords rotate automatically and there’s no human-knowable password to steal.

# On the ADFS server
New-ADServiceAccount -Name svc-adfs -DNSHostName adfs.corp.local `
  -PrincipalsAllowedToRetrieveManagedPassword "ADFS-Servers"
Install-ADServiceAccount svc-adfs

Then re-configure ADFS to use corp\svc-adfs$ as the service account.

Step 3: Extranet Lockout — closing the password-spray funnel

By default, ADFS’s external endpoints will happily accept thousands of password attempts per minute. Without Extranet Lockout, an attacker can password-spray your entire user base via the ADFS WS-Trust endpoint.


Set-AdfsProperties `
  -ExtranetLockoutEnabled $true `
  -ExtranetLockoutMode AdfsSmartLockoutEnforce `
  -ExtranetLockoutThreshold 5 `
  -ExtranetObservationWindow (New-TimeSpan -Minutes 15) `
  -ExtranetLockoutRequirePDC $false

# Verify
Get-AdfsProperties | Select-Object Extranet*

The AdfsSmartLockoutEnforce mode (vs. AdfsSmartLockoutLogOnly) actually blocks at the ADFS layer — accounts can’t accumulate failed-logon counts against AD. The RequirePDC $false ensures the lockout enforcement works even if the PDC emulator is unreachable.

Step 4: Disabling WS-Trust 1.3

WS-Trust 1.3 (and 2005) are the legacy authentication endpoints that pre-date modern auth. They accept username/password directly and do not enforce MFA — they’re the password-spray and credential-theft surface ADFS exposes. Modern apps don’t need them.


# Inventory which endpoints are currently enabled and proxy-exposed
Get-AdfsEndpoint | Where-Object { $_.Enabled -and $_.Proxy } |
  Select-Object FullUrl, Enabled, Proxy

# Disable the WS-Trust legacy mixed endpoints from the proxy
Set-AdfsEndpoint -TargetAddressPath '/adfs/services/trust/2005/usernamemixed' -Proxy $false
Set-AdfsEndpoint -TargetAddressPath '/adfs/services/trust/13/usernamemixed' -Proxy $false
Set-AdfsEndpoint -TargetAddressPath '/adfs/services/trust/2005/windowstransport' -Enabled $false
Set-AdfsEndpoint -TargetAddressPath '/adfs/services/trust/13/windowstransport' -Enabled $false

# Restart the ADFS service
Restart-Service adfssrv

Before disabling, audit which clients are currently authenticating via WS-Trust. Look in your ADFS audit logs for Event 1200 entries with Activity = TokenIssuanceFromAuthentication and AuthenticationProtocol = WSTrust. Common culprits:

  • Older Exchange ActiveSync devices (iOS pre-13, Android pre-9)
  • Legacy SaaS integrations (often custom-built or vendor-provided in 2014-2017)
  • Internal apps still using WS2007HttpBinding

For each, document the migration path: upgrade the client to modern auth (OAuth 2.0), replace the app, or — if the app can’t be modernised — keep WS-Trust enabled but lock it down with IP restrictions on the WAP.

Step 5: Audit claim rules for hidden bypasses

ADFS relying-party trusts have claim transformation rules that issue, transform, or filter claims as tokens flow through. Over years, these accumulate, and unused or over-permissive rules are common findings in security audits.


# Dump every claim rule for review
Get-AdfsRelyingPartyTrust | ForEach-Object {
  Write-Host "===== $($_.Name) =====" -ForegroundColor Yellow
  Write-Host "Issuance:" -ForegroundColor Cyan
  Write-Host $_.IssuanceTransformRules
  Write-Host "Authorization:" -ForegroundColor Cyan
  Write-Host $_.IssuanceAuthorizationRules
  Write-Host "AdditionalAuth:" -ForegroundColor Cyan
  Write-Host $_.AdditionalAuthenticationRules
}

Red flags to look for in each relying party’s rules:

  • Rules that pass through tokenGroupsGlobalAndUniversal — discloses ALL groups, far more than the RP needs
  • Rules that issue a literal role claim with a hardcoded Administrator value
  • Rules using EXISTS([Type == "..."]) patterns that bypass MultiFactorAuthentication = true requirements
  • Relying parties that have not been touched in 24+ months — often shadow IT or shut-down apps

Tighten or remove. Document changes. Test each relying party in a UAT environment before pushing to production.

Step 6: Detection — the Event IDs you need in your SIEM

The full ADFS detection cheat sheet for SIEM ingestion. Forward these from the ADFS server’s Security log and AD FS/Admin log:

Event IDSourceMeaningDetection idea
1200AD FS/AdminToken issuance successVolume by user — sudden spike from a service account = Golden SAML candidate
1201AD FS/AdminToken issuance failureAuthentication failed
1202AD FS/AdminToken validation successSanity counter
1203AD FS/AdminToken validation failureReplay attempt or expired token
411AD FS/AdminToken request validation failureOften password-spray
412AD FS/AdminSign-in authentication failurePair with 411 — user behind the password is failing
510AD FS/AdminConfiguration database changeShould be rare; any 510 outside change windows = investigate
501AD FS/AdminFederation metadata changeWatch for unauthorised RP additions
4104PowerShell/OperationalPowerShell scriptblockLook for mimikatz, ADFSDump, Export-PfxCertificate, Get-AdfsCertificate content from non-admin sessions

Splunk rule example for Golden SAML detection (issuance volume anomaly):

index=adfs source="*/AD FS/Admin*" EventCode=1200
| bucket _time span=1h
| stats count by _time, src_user
| eventstats avg(count) as baseline_avg, stdev(count) as baseline_stdev by src_user
| where count > (baseline_avg + 3 * baseline_stdev)
| eval severity="high", reason="Anomalous ADFS token issuance volume"

Step 7: Defending against mimikatz / ADFSDump extraction

The Golden SAML kill chain has three phases. Disrupt any one and Golden SAML fails:

  1. Local SYSTEM on the ADFS server — required for both mimikatz and ADFSDump. Defended by ADFS Tier 0 isolation, LAPS, and modern endpoint hardening (Credential Guard, LSA Protection, ASR rules) per the Windows 11 enterprise hardening guide.
  2. DPAPI master key extraction — mimikatz reads the master key from lsadump::dpapi. Mitigations: Credential Guard (which protects LSA), HSM-backed signing cert (no DPAPI involvement), and proper service-account permissions (the cert is encrypted with the service account’s DPAPI master key — if the SA is gMSA, harder to extract).
  3. Signing key access in the ADFS config DB — even with the DPAPI master key, the attacker needs read access to the WID/SQL configuration database. The DB lives at C:\Windows\WID\Data\ (Windows Internal Database) or in SQL Server for ADFS farms. Restrict NTFS / SQL permissions to the ADFS service account only.

Detection complement: Any time lsass.exe is read by a non-SYSTEM process, OR mimikatz or ADFSDump keywords appear in PowerShell scriptblock logs from an ADFS server, that’s a high-fidelity alarm.

Migration path to Microsoft Entra ID

ADFS won’t last forever. Microsoft’s current default identity stack is Entra ID; new tenants don’t use ADFS at all. A typical decommission plan:

PhaseDurationActivity
Discovery2-4 weeksInventory every relying party trust. Classify: trivially-migratable (SAML/WS-Fed/OAuth) vs requires-app-change vs decommission-candidate.
Pilot migration4-6 weeksMove 2-3 low-risk relying parties to Entra ID. Validate sign-in, MFA, conditional access policies.
Bulk migration3-6 monthsMigrate relying parties in batches of 5-10. Each batch: backup ADFS config, configure on Entra side, repoint metadata, validate, sunset on ADFS.
Long-tail6-12 monthsThe remaining apps (legacy WS-Trust, custom SAML quirks) get individual treatment. Many decommission-candidates get retired.
ADFS sunsetAfter last RP migratedDecommission ADFS farm. Retain WAP/AD-FS audit logs in cold storage for compliance retention.

The Entra ID side has stronger MFA story, native conditional access, continuous access evaluation, and risk-based sign-in — all hard or impossible to build on ADFS. For most environments, the migration pays for itself in reduced operational burden alone.

Common mistakes (and how to avoid them)

MistakeWhy it happensFix
Never rotating the token-signing certificate“Set and forget”Annual rotation minimum; quarterly recommended; immediate after suspected compromise
Tier-1 admins logging on to ADFS serversConvenienceRestrict local logon via GPO; enforce ADFS-Admins-only
Extranet Lockout left disabledDefault off in older ADFSEnable in smart-enforce mode; review thresholds quarterly
WS-Trust 1.3 still proxied to internet“We might need it for X”Audit usage first; disable; only re-enable for documented exceptions with IP restrictions
Claim rules accumulating over yearsNo quarterly reviewQuarterly Get-AdfsRelyingPartyTrust dump + diff vs baseline
ADFS service account is a regular AD userLegacy install patternMigrate to gMSA
No SIEM ingestion of ADFS Event IDs“ADFS is just identity, not interesting”ADFS is the highest-value target — forward 1200/1201/1202/411/412 with priority
Token-signing key on disk (not HSM)Default installHSM for the signing cert; the operational lift pays back at the first incident
No baseline of token issuance volume per userAnomaly detection needs baseline30-day baseline by user; alert on >3σ deviation
ADFS server patched late“It’s working, don’t touch it”Patch within 14 days of release; treat ADFS like a DC for patch cadence
WAP and ADFS on same subnetNetwork design ignored Tier 0WAP in DMZ; ADFS in Tier 0 VLAN; firewall between
No Entra ID migration plan“We’ll do it next quarter”Document a 12-month plan with quarterly milestones

Frequently asked questions

What is ADFS in Active Directory?
Active Directory Federation Services (ADFS) is Microsoft’s on-premises identity federation server. It authenticates users against Active Directory and issues SAML 2.0, WS-Federation, or OAuth 2.0 tokens that downstream applications (Office 365, Salesforce, ServiceNow, custom SaaS) trust. It’s how on-prem AD identities sign in to cloud and SaaS apps without exposing AD credentials directly to those apps.
Is ADFS deprecated in 2026?
Microsoft has not formally deprecated ADFS but has clearly signalled Entra ID as the modern path — new Microsoft tenants don’t use ADFS at all, and feature development is concentrated in Entra. ADFS remains supported and patched, but if you’re starting fresh, choose Entra ID. If you have ADFS, plan a 6-12 month decommission.
What is the Golden SAML attack?
Golden SAML is when an attacker who has extracted the ADFS token-signing private key uses it to mint arbitrary SAML tokens for any user, including the most privileged. Once an attacker has the signing key, they no longer need to authenticate against AD — they generate tokens directly. The 2020 SolarWinds incident was the highest-profile real-world example. Defence: rotate the signing key, protect it with HSM if possible, harden the ADFS host to Tier 0 standards.
How do I detect a Golden SAML attack?
There’s no perfect signature for Golden SAML because the forged tokens are cryptographically valid. But three detection patterns help: (1) volume anomaly on Event 1200 — sudden spike in token issuance for an account that doesn’t normally request that many; (2) issuance from impossible source IPs — forged tokens sometimes don’t include accurate IPAddress claims; (3) token claims that don’t match AD state — a forged token claiming Domain Admin membership when AD doesn’t have that user in DA right now. Add all three as Splunk/Sentinel rules.
Does mimikatz work against ADFS?
Yes — specifically mimikatz’s lsadump::dpapi and vault::cred modules can extract the DPAPI master key used to encrypt the ADFS token-signing certificate. The certificate itself is then extracted from the ADFS configuration database. Dedicated tools like ADFSDump (Mandiant) and aadinternals automate the extraction. Mitigations: Credential Guard, LSA Protection (RunAsPPL), HSM for signing keys, and strict Tier 0 isolation of ADFS servers.
Should I disable WS-Trust 1.3 on my ADFS?
Yes, in most modern environments. WS-Trust 1.3 (and 2005) endpoints accept username/password directly and do not enforce MFA — they’re the password-spray surface ADFS exposes. Audit first: query your ADFS logs for any clients still authenticating via WS-Trust. Common holdouts are old ActiveSync clients and legacy SaaS connectors. Plan migrations for those, then disable.
How often should I rotate the ADFS token-signing certificate?
Annually at minimum; quarterly for security-conscious environments; immediately (with a second rotation 14 days later) after any suspected compromise. The rotation cycle is straightforward: generate the new cert, wait 7-14 days for relying parties to pick it up via federation metadata, promote the new cert to primary, then remove the old. Microsoft documents this in Update-AdfsCertificate.
What's the difference between ADFS and Entra ID (Azure AD)?
ADFS is on-premises federation — runs on your Windows servers, federates your on-prem AD to relying parties. Entra ID (formerly Azure AD) is cloud-native identity — Microsoft runs it, you configure it, sign-ins terminate at Entra. Entra has materially stronger MFA, conditional access, continuous evaluation, and risk-based sign-in features. If you’re starting in 2026, choose Entra. If you have ADFS, plan a migration.
Can I run ADFS and Entra ID at the same time?
Yes — hybrid federation with ADFS handling some relying parties and Entra ID handling others is supported and common during migrations. Configure each relying party independently. The typical migration arc: 100% ADFS → 80% ADFS / 20% Entra → 30% / 70% → 0% / 100% (ADFS decommissioned).
What Event IDs should I monitor on ADFS for security?
1200 (token issuance success — watch for volume anomalies per user), 1201 (issuance failure — paired with 411 for auth failures), 1202 (validation success), 1203 (validation failure — possible replay), 411 / 412 (request validation / sign-in failure — password spray indicators), 510 (configuration database change — should be rare and during change windows only), 501 (federation metadata change — watch for unauthorised RP additions), plus PowerShell Event 4104 for scriptblock logs (look for mimikatz, ADFSDump, certificate export commands). Forward all to your SIEM.

Conclusion: rotate the cert this sprint

The single highest-value action you can take this week: rotate the ADFS token-signing certificate. Even if you do nothing else from this guide, that one action invalidates any stolen signing key an attacker might already hold. The full rotation cycle (generate new → wait for relying parties to pick up metadata → promote to primary → remove old) takes 2-3 weeks calendar time but maybe 30 minutes of admin work.

Then layer in:

  1. Tier 0 lockdown of ADFS servers (restricted local logon, LAPS, gMSA)
  2. Extranet Lockout in smart-enforce mode
  3. WS-Trust 1.3 disable after auditing legacy client dependencies
  4. SIEM ingestion of Events 1200/1201/1202/411/412 from every ADFS server
  5. Quarterly claim-rule audit with documented changes

That’s a complete ADFS hardening posture inside a quarter. Pair with the Windows 11 enterprise hardening guide for the underlying OS controls (Credential Guard, LSA Protection, ASR rules) that make mimikatz extraction substantially harder, and the Windows LAPS implementation guide for the local-admin rotation that keeps the ADFS service account uncompromisable.

Eventual end-state: ADFS decommissioned in favour of Entra ID. Until then, treat ADFS as Tier 0.

Share this guide

LinkedIn:

ADFS is the single highest-value target in any federated identity stack — and most enterprises haven’t rotated their token-signing cert in years. The Golden SAML defence playbook: cert rotation, Tier 0 isolation, Extranet Lockout, WS-Trust 1.3 disable, and the Event IDs your SIEM must ingest. 👇

X / Twitter:

ADFS hardening priority list: (1) rotate the token-signing cert (2) Tier-0 lockdown the server (3) Extranet Lockout in enforce mode (4) disable WS-Trust 1.3 (5) ingest Events 1200/1201/411/412. Anything else after that is incremental. Full guide:

References