I understand that Azure ACS acted as an STS that had the ability to redirect users to a given STS (OpenID, LiveID, Facebook) or authenticate using a local user/password account.

In a passive situation ACS would use redirects and respond with a SAML token; it could be either a User STS holding user accounts, or a Resource STS protecting websites while leaving user authentication to another host.

Now that ACS is being deprecated in favor of Azure Active Directory, I'd like to know what the fundamental differences are in how Azure AD works on the wire.


  • What are some sample request-response patterns that would be seen when using Azure Active Directory in an active or passive approach?

  • Since Azure allows for on-premises AD integration, how is home realm discovery accomplished with an arbitrary UPN?


1 Answer


HRD is done through two different mechanisms, which are used in either passive or active contexts. The passive method determines the realm from the username once the username field loses focus: the username is looked up to determine which tenant it is tied to, and if that tenant requires federated auth the site redirects to the new IdP. The active method determines the realm from the incoming username, and if federation is required a pointer to the IdP's endpoint is returned.

Whether HRD is necessary is dependent on the authentication method tied to the domain of the user. HRD is required for domains whose AuthenticationMethod is marked as Federated.

The basic process works like this:

  1. Get the suffix of the UPN
  2. Look up the suffix in the domain list
  3. If the domain is present, look at its AuthenticationMethod
  4. If the method == Managed, don't redirect
  5. If the context == passive, get the PassiveLogOnUri
  6. If the preferred protocol == WS-Fed, redirect to the PassiveLogOnUri and set wtrealm = urn:federation:MicrosoftOnline
  7. If the preferred protocol == SAML, redirect to the PassiveLogOnUri with a SAMLRequest
  8. If the context == active, get the ActiveLogOnUri and return it to the caller

You can look at these values by using the MSOL PowerShell cmdlets and calling Get-MsolDomainFederationSettings, Get-MsolDomain, etc. See here (disclosure - I wrote the post): http://www.syfuhs.net/post/2012/12/07/Windows-Azure-Active-Directory-Federation-In-Depth-(Part-2).aspx

I'm not sure what you mean by the request-response patterns though. In a scenario that requires HRD, it basically works like this:

RST-> IdP (AAD) -> RST-IP (ADFS) -> RSTR -> IdP (AAD) -> RSTR

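The eight-step HRD procedure from the answer above, carried through in working code. This is an added example, not code from the post, from the linked blog series, or from Microsoft: the domain table (contoso.com, fabrikam.com, tailspin.example) and every endpoint URL are constructed for illustration and stand in for what Get-MsolDomain / Get-MsolDomainFederationSettings would report for a real tenant. The WS-Fed redirect models only the wa and wtrealm parameters the answer mentions (a real AAD redirect carries more), and the SAML branch uses a minimal unsigned AuthnRequest deflated and base64-encoded per the HTTP-Redirect binding, with a decoder so the redirect can be inspected.

```python
"""Home realm discovery (HRD) decision for an arbitrary UPN.

Added example. Domains, URLs and the AuthnRequest shape are constructed
for illustration; real values come from the MSOL federation settings.
"""
import base64
import uuid
import zlib
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

WSFED_ACTION = "wsignin1.0"
MICROSOFT_ONLINE_REALM = "urn:federation:MicrosoftOnline"  # wtrealm AAD sets toward a federated IdP


@dataclass(frozen=True)
class DomainInfo:
    """Subset of the fields Get-MsolDomain / Get-MsolDomainFederationSettings report."""
    authentication: str          # "Managed" or "Federated"
    protocol: str = "WsFed"      # PreferredAuthenticationProtocol: "WsFed" or "Samlp"
    passive_logon_uri: str = ""  # PassiveLogOnUri: browser redirect target
    active_logon_uri: str = ""   # ActiveLogOnUri: endpoint handed to active (non-browser) clients


# Constructed sample domain list; these are not real tenants.
DOMAINS = {
    "contoso.com": DomainInfo("Managed"),
    "fabrikam.com": DomainInfo("Federated", "WsFed",
                               "https://sts.fabrikam.com/adfs/ls/",
                               "https://sts.fabrikam.com/adfs/services/trust/2005/usernamemixed"),
    "tailspin.example": DomainInfo("Federated", "Samlp",
                                   "https://idp.tailspin.example/saml2/sso",
                                   "https://idp.tailspin.example/saml2/ecp"),
}


def upn_suffix(upn: str) -> str:
    """Step 1: the realm is everything after the last '@', compared case-insensitively."""
    local, at, suffix = upn.rpartition("@")
    if not at or not local or not suffix:
        raise ValueError(f"not a UPN: {upn!r}")
    return suffix.lower()


def encode_samlrequest(xml: str) -> str:
    """SAML HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml.encode()) + comp.flush()
    return base64.b64encode(data).decode()


def decode_samlrequest(redirect_url: str) -> str:
    """Inverse of encode_samlrequest, e.g. to inspect a redirect seen in a proxy log."""
    param = parse_qs(urlsplit(redirect_url).query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(param), -15).decode()


def build_authn_request(destination: str, issuer: str = MICROSOFT_ONLINE_REALM) -> str:
    """Minimal unsigned AuthnRequest (constructed; a real request carries more attributes)."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="_{uuid.uuid4()}" Version="2.0" IssueInstant="{now}" '
        f'Destination="{destination}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )


def discover_realm(upn: str, context: str = "passive", domains=DOMAINS) -> dict:
    """Steps 2-8: decide whether to authenticate locally, redirect, or hand back an endpoint."""
    suffix = upn_suffix(upn)
    info = domains.get(suffix)                            # step 2: look up the suffix
    if info is None:
        return {"action": "unknown_domain", "suffix": suffix}
    if info.authentication == "Managed":                  # steps 3-4: no redirect
        return {"action": "local", "suffix": suffix}
    if info.authentication != "Federated":
        raise ValueError(f"unknown AuthenticationMethod {info.authentication!r}")
    if context == "active":                               # step 8: return ActiveLogOnUri
        return {"action": "active", "suffix": suffix, "endpoint": info.active_logon_uri}
    if context != "passive":
        raise ValueError(f"unknown context {context!r}")
    if info.protocol == "WsFed":                          # steps 5-6: WS-Fed redirect
        query = urlencode({"wa": WSFED_ACTION, "wtrealm": MICROSOFT_ONLINE_REALM})
        return {"action": "redirect", "protocol": "WsFed", "suffix": suffix,
                "url": f"{info.passive_logon_uri}?{query}"}
    if info.protocol == "Samlp":                          # steps 5 and 7: SAML redirect
        query = urlencode({"SAMLRequest": encode_samlrequest(build_authn_request(info.passive_logon_uri))})
        return {"action": "redirect", "protocol": "Samlp", "suffix": suffix,
                "url": f"{info.passive_logon_uri}?{query}"}
    raise ValueError(f"unknown PreferredAuthenticationProtocol {info.protocol!r}")


if __name__ == "__main__":
    for upn, ctx in [("alice@contoso.com", "passive"), ("bob@fabrikam.com", "passive"),
                     ("bob@fabrikam.com", "active"), ("carol@tailspin.example", "passive")]:
        print(upn, ctx, "->", discover_realm(upn, ctx))
```

The suffix lookup is the security-relevant step: the redirect target is chosen entirely by the part of the UPN after the last '@', so the domain list must be the verified tenant configuration and not anything the client can influence, and an unknown suffix must fall through to "unknown_domain" rather than to some default IdP.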