About when Conditional Access starts being applied and when ADFS claim rules stop being applied

KD 61 Reputation points
2022-08-08T06:50:31.627+00:00

I would like to eliminate ADFS and manage authentication, authorization, SSO and access control in a single operation with AAD.
In considering the work steps, could you please answer the following questions?

■Assumptions
・On-prem AD and Azure AD objects synced with AADC
・Password hash synchronization configured
・ADFS exists and users are authenticated via federation
・SSO configured between ADFS and each application
・ADFS claim rules enforce access control

■Work steps I'm thinking of

  1. Creating Conditional Access
  2. Changing Federated Authentication to Managed Authentication
  3. Removing claim rules on ADFS
  4. Migrating SSO settings for each app from ADFS to Azure AD

■My questions
(1) Between steps 1 and 4, at what point does Conditional Access start being applied?
(2) Between steps 1 and 4, at what point do the ADFS claim rules stop being applied?


Accepted answer
  1. Andy David - MVP 142.3K Reputation points MVP
    2022-08-08T10:54:35.533+00:00
    1. As soon as the policies are enabled and they match identities, apps or conditions in the policies - even if authenticating through ADFS
    2. Once you set the domains to managed auth.

    Be sure to read through:
    https://learn.microsoft.com/en-us/azure/active-directory/hybrid/migrate-from-federation-to-cloud-authentication
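The two answers above translate into two things an admin can verify before and after the cutover: the authentication type of each verified domain (claim rules are only in the sign-in path while a domain is still Federated) and the state and scope of each Conditional Access policy (evaluated by Azure AD on every matching token request, regardless of where the credential was checked). The following read-only script is an added example, not code from the question, the answer or the linked article; it assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account holds the Domain.Read.All and Policy.Read.All permissions.

```powershell
# Added example (not from the original post): read-only checks with the
# Microsoft Graph PowerShell SDK for the two questions asked above.
# Assumption: Microsoft.Graph module installed; account has
# Domain.Read.All and Policy.Read.All.
Connect-MgGraph -Scopes 'Domain.Read.All', 'Policy.Read.All'

# Question (2): ADFS claim rules only run for sign-ins that Azure AD still
# redirects to ADFS, i.e. while the user's domain is Federated. Once the
# domain shows Managed, Azure AD validates the synced password hash itself
# and ADFS (and its claim rules) is no longer in the sign-in path.
Write-Host '--- Domain authentication type (Federated = ADFS claim rules still apply) ---'
Get-MgDomain |
    Where-Object { $_.IsVerified } |
    Select-Object Id, AuthenticationType, IsDefault |
    Format-Table -AutoSize

# Question (1): Conditional Access is evaluated by Azure AD on every token
# request that matches an enabled policy, whether the credential was checked
# by ADFS or by password hash sync. Show which policies are enforced (State
# 'enabled'), which are report-only, and what users/apps they target.
Write-Host '--- Conditional Access policies and scope ---'
Get-MgIdentityConditionalAccessPolicy |
    Select-Object DisplayName, State,
        @{ n = 'IncludeUsers';  e = { $_.Conditions.Users.IncludeUsers -join ',' } },
        @{ n = 'IncludeApps';   e = { $_.Conditions.Applications.IncludeApplications -join ',' } },
        @{ n = 'GrantControls'; e = { $_.GrantControls.BuiltInControls -join ',' } } |
    Format-Table -AutoSize
```

Run it once before step 2 (every domain should still read Federated, and any policy already in State `enabled` is already being enforced for matching sign-ins, exactly as the answer says) and again after converting the domains (they should read Managed, which is the moment the claim rules drop out of the path). The conversion itself is a write operation and is covered step by step in the Learn article linked above.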

