Configuring Audit Policy and Enabling Auditing for ADFS Monitoring

Configure the following audit policy or advanced audit policy in the respective GPO.

1. Open Group Policy Management Console(GPMC).
2. Edit the respective GPO.(ADFS on DomainControllers,ADFS on Member Servers)
3. Configure required Advanced Audit Policies for 2k8 and above servers(recommended). This settings can be found under
1. Computer Configuration|Windows Settings|Security Settings|Advanced Audit Policy Configuration|System Audit Policies
1. Audit ADFS Logon: Select Object Access -> Application Generated(Success,Failure).
4. Configure required audit Polices for 2k3 and below servers
1. Computer Configuration|Windows Settings|Security Settings|Local Polices|Audit Policy
1. Audit ADFS Logon: Configure Object Access (Success).

Enabling auditing on the Federation Server.

1. Open AD FS management console.

2. Right click AD FS and choose "Edit Federation Service Properties".
3. Click on the Events tab.Enable "Success Audits" and "Failure Audits".

Configuring claims

For each of the Relying parties to be audited, add the following claims

1. Primary SID
2. UPN
3. Client IP
4. Inside Corporate Network
5. Proxy

Steps to Enable Extranet Lockout on the Federation Server

1. Set “EnableExtranetLockout” to true.
2. Set “ExtranetLockoutThreshold” to an integer value that determines the threshold at which the account needs to be locked out externally.
3. Set “ExtranetObservationWindow” to time which determines the interval for which the account should be soft-locked out.

Command to perform the above Settings

Set-AdfsProperties -EnableExtranetLockout $true -ExtranetLockoutThreshold <Threshold_value> -ExtranetObservationWindow (New-Timespan -Minutes <time_in_minutes>)