Federated vs Managed

Determine if a domain uses federated or managed authentication.

Managed (Entra = IdP, excluding PTA)

  • Primary auth in Entra; no redirect.
  • AD lockout counters do not increment.
  • Entra throttling/Smart Lockout applies.
  • Caution: moderate; go slow.

Managed + PTA

  • Entra is IdP; password check forwarded to on-prem DCs.
  • Can increment AD lockout counters.
  • Caution: treat like federated for lockout risk.

Federated (External IdP = IdP)

  • Redirect to AD FS/Okta/Ping/CyberArk.
  • Primary auth hits on-prem AD; AD lockout applies.
  • More sensitive to concurrency; federation edges can be stressed.
  • Caution: high; very low concurrency and tight coordination.

Rule of thumb: Federated and Managed + PTA both count bad login attempts at the AD level. Managed without PTA counts failed logins only at the Entra level.

Identification

Determine if a domain is managed or federated.

Trevorspray

trevorspray --recon <domain>

getuserrealm.srf

curl -s "https://login.microsoftonline.com/getuserrealm.srf?login=fake@example.com&json=1" | jq '{NameSpaceType, AuthURL}'

GetCredentialType

curl -s -H "Content-Type: application/json" -d '{"username":"fake@example.com"}' "https://login.microsoftonline.com/common/GetCredentialType" | jq '{Credentials}'
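The two endpoints above return JSON; the snippet below is an added example (not from the original page or from TrevorSpray) that parses that JSON into the auth model and where failed logins are counted, so a defender can confirm which lockout policy (AD or Entra Smart Lockout) actually applies to a given domain. The field names NameSpaceType, DomainName, AuthURL and Credentials.FederationRedirectUrl are the ones these endpoints return; the sample responses embedded here are constructed to mirror that shape, not captured from a real tenant. It also covers the NameSpaceType value "Unknown", which the page does not mention: the domain is not registered in any Entra tenant.

```python
"""Classify an Entra ID domain as managed or federated from the JSON that
getuserrealm.srf returns, and corroborate with GetCredentialType.
Added example, not part of the original page; sample responses are constructed."""
import json
from urllib.parse import urlencode, urlparse
from urllib.request import Request, urlopen

REALM_URL = "https://login.microsoftonline.com/getuserrealm.srf"
CRED_TYPE_URL = "https://login.microsoftonline.com/common/GetCredentialType"


def fetch_user_realm(login: str, timeout: float = 10.0) -> dict:
    """Live lookup (needs network); mirrors the getuserrealm.srf curl above."""
    req = Request(f"{REALM_URL}?{urlencode({'login': login, 'json': 1})}")
    with urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def fetch_credential_type(login: str, timeout: float = 10.0) -> dict:
    """Live POST (needs network); mirrors the GetCredentialType curl above."""
    body = json.dumps({"username": login}).encode()
    req = Request(CRED_TYPE_URL, data=body,
                  headers={"Content-Type": "application/json"})
    with urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def classify_realm(realm: dict) -> dict:
    """Map NameSpaceType/AuthURL to the auth model and the lockout scope."""
    ns = realm.get("NameSpaceType", "Unknown")
    result = {"domain": realm.get("DomainName"), "auth_model": "unknown",
              "idp_host": None, "lockout_scope": None}
    if ns == "Federated":
        result["auth_model"] = "federated"
        # AuthURL is the IdP the sign-in page redirects to (AD FS, Okta, Ping, ...).
        result["idp_host"] = urlparse(realm.get("AuthURL", "")).hostname
        result["lockout_scope"] = "on-prem AD via the federation IdP"
    elif ns == "Managed":
        result["auth_model"] = "managed"
        # PTA is not visible in this response; if enabled, AD counters also increment.
        result["lockout_scope"] = "Entra Smart Lockout (plus AD if PTA is enabled)"
    # "Unknown": the domain is not registered in any Entra tenant; scope stays None.
    return result


def federation_redirect(cred_type: dict):
    """Return Credentials.FederationRedirectUrl (set for federated users) or None."""
    return cred_type.get("Credentials", {}).get("FederationRedirectUrl")


# Constructed sample responses (shape only; values are not from a real tenant).
SAMPLE_FEDERATED = {
    "NameSpaceType": "Federated", "DomainName": "example.com",
    "FederationBrandName": "Example Corp",
    "AuthURL": "https://adfs.example.com/adfs/ls/?username=fake%40example.com"
               "&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline",
}
SAMPLE_MANAGED = {"NameSpaceType": "Managed", "DomainName": "example.org"}
SAMPLE_UNKNOWN = {"NameSpaceType": "Unknown", "Login": "fake@nonexistent.invalid"}
SAMPLE_CRED_TYPE = {
    "Username": "fake@example.com",
    "Credentials": {"HasPassword": True,
                    "FederationRedirectUrl": "https://adfs.example.com/adfs/ls/"},
}

if __name__ == "__main__":
    for sample in (SAMPLE_FEDERATED, SAMPLE_MANAGED, SAMPLE_UNKNOWN):
        print(classify_realm(sample))
    print("GetCredentialType redirect:", federation_redirect(SAMPLE_CRED_TYPE))
```

The `lockout_scope` string is the page's rule of thumb made explicit per response; a managed result still needs an out-of-band check for PTA, since neither endpoint reveals whether password validation is forwarded to on-prem DCs.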