Understand the stages of migrating application authentication from AD FS to Microsoft Entra ID
Microsoft Entra ID offers a universal identity platform that provides your people, partners, and customers a single identity to access applications and collaborate from any platform and device. Microsoft Entra ID has a full suite of identity management capabilities. Standardizing your application authentication and authorization to Microsoft Entra ID provides these benefits.
Types of apps to migrate
Your applications may use modern or legacy protocols for authentication. When you plan your migration to Microsoft Entra ID, consider migrating the apps that use modern authentication protocols (such as SAML and OpenID Connect) first.
These apps can be reconfigured to authenticate with Microsoft Entra ID either via a built-in connector from the Azure App Gallery, or by registering the custom application in Microsoft Entra ID.
For more information, see:
- Using Microsoft Entra application proxy to publish on-premises apps for remote users.
- What is application management?
- AD FS application activity report to migrate applications to Microsoft Entra ID.
- Monitor AD FS using Microsoft Entra Connect Health.
The migration process
During the process of moving your app authentication to Microsoft Entra ID, test your apps and configuration. We recommend that you continue to use existing test environments for migration testing before you move to the production environment. If a test environment isn't currently available, you can set one up using Azure App Service or Azure Virtual Machines, depending on the architecture of the application.
You may choose to set up a separate test Microsoft Entra tenant on which to develop your app configurations.
Your migration process may look like this:
Stage 1 – Current state: The production app authenticates with AD FS
Stage 2 – (Optional) Point a test instance of the app to the test Microsoft Entra tenant
Update the configuration to point your test instance of the app to a test Microsoft Entra tenant, and make any required changes. The app can be tested with users in the test Microsoft Entra tenant. During the development process, you can use tools such as Fiddler to compare and verify requests and responses.
If it isn't feasible to set up a separate test tenant, skip this stage and point a test instance of the app to your production Microsoft Entra tenant as described in Stage 3 below.
Stage 3 – Point a test instance of the app to the production Microsoft Entra tenant
Update the configuration to point your test instance of the app to your production Microsoft Entra tenant. You can now test with users in your production tenant. If necessary, review the section of this article on transitioning users.
Stage 4 – Point the production app to the production Microsoft Entra tenant
Update the configuration of your production app to point to your production Microsoft Entra tenant.
Apps that authenticate with AD FS can use Active Directory groups for permissions. Use Microsoft Entra Connect Sync to sync identity data between your on-premises environment and Microsoft Entra ID before you begin migration. Verify those groups and membership before migration so that you can grant access to the same users when the application is migrated.
Line of business apps
Your line-of-business apps are those that your organization developed or those that are a standard packaged product.
Line-of-business apps that use OAuth 2.0, OpenID Connect, or WS-Federation can be integrated with Microsoft Entra ID as app registrations. Integrate custom apps that use SAML 2.0 or WS-Federation as non-gallery applications on the enterprise applications page in the Microsoft Entra admin center.