Skip to main content

AD FS new features in Windows Server 2016 TP4

Author by Bill Hughes

With Windows Server 2016 Microsoft is making some significant enhancements to AD FS and the WAP. Before we get into the new features I strongly suggest you go and download the TP4 Evaluation version at

With that let’s start looking at some of the new features we have to look forward to when Microsoft releases Server 2016 next year.

Up first they are introducing the ability for us to no longer have users entering their passwords from the extranet to help prevent credential phishing. This is being accomplished through a series of new features in AD FS starting with making Azure Multi-Factor Authentication (MFA) a first class citizen capable of being a primary authentication form. If you haven’t looked at Azure MFA yet you definitely should go check it out: With the new Azure MFA integration users will be able to authenticate using only their username and a one-time passcode issued to them through the Azure Authenticator app on their mobile device.

The second solution they are providing to enable your users not to enter their password from outside the network is authentication using device credentials for registered and compliant devices. This is being accomplished through the deep integration Microsoft has built between Active Directory, Azure Active Directory, and Intune. Not only will this functionality enable us to allow seamless single sign on for registered and compliant devices but we will also be able to block or restrict access to applications based on their device’s state and using Conditional Access policies such as:

  • Provide access only if the device is managed and compliant
  • Provide access outside of the corporate network only if the device is compliant
  • If the device is not compliant require multi-factor authentication

The third and final solution that is coming with AD FS is the ability for users to authenticate using Windows Hello and Microsoft Passport for Work. This capability requires Windows 10 but will enable your users to authenticate to AD FS protected applications such as Office 365 using facial recognition or other biometric gestures such as fingerprint.

For all of these new features we of course are missing the critical component for discussion, Management. With AD FS in 2016 TP4 Microsoft is bringing an easier management interface for us to utilize. We will be able to configure Access Control Policies, a new easier to use form of Issuance Authorization Rules.

With Access Control Policies we will be able to create Authorization Policies via a GUI with things such as user is a member of group X, or device is compliant or require MFA. With these templates we can save and reuse across multiple relying parties rather than having to configure each relying parties’ authorization rule.

This just touches on the beginnings of the new things coming with AD FS in Server 2016. Look forward to more information on other features. 


Bill Hughes

Senior Systems Engineer