Share via

Enable staged rollout features Azure Active Directory

Les 31 Reputation points
2023-07-31T19:24:44.3333333+00:00

I know many people have been asking this question. How to move an on-premise user that is AD connect synced to AAD to be a cloud only user.

I came across this "Enable staged rollout features Azure Active Directory" and it appears that it will do the trick. I am testing now with Password Hash Sync.

From documentation:

Supported scenarios

The following scenarios are supported for Staged Rollout. The feature works only for:

    Users who are provisioned to Azure AD by using Azure AD Connect. It does not apply to cloud-only users.
Azure Cloud Services
Azure Cloud Services
An Azure platform as a service offer that is used to deploy web and cloud applications.
677 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,629 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Sandeep G-MSFT 16,696 Reputation points Microsoft Employee
    2023-08-01T10:11:22.5133333+00:00

    @Les

    You are talking about 2 different features here.

    Staged Rollout allows you to selectively test groups of users with cloud authentication capabilities like Azure AD Multi-Factor Authentication (MFA), Conditional Access, Identity Protection for leaked credentials, Identity Governance, and others, before cutting over your domains.

    Basically, staged rollout is a feature that is used to change the authentication authority. For example, if currently users are getting authenticated by on-preimses AD using any federated IDP's and now you want to change the authentication method Azure AD or you want to use pass-through authentication, then staged rollout is a feature that you can use to migrate the authentication in groups.

    And changing the user status to cloud only is a feature which is used when you want to decommission AD connect and allow Azure AD to take complete control for managing users.

    To change the user status to cloud only, you will have to follow below steps,

    • Run command "install-module MsOnline
    • Connect-Msolservice (Enter the global admin credentials once it prompts for credentials)
    • Now run the command "Set-MsolDirSyncEnabled -EnableDirSync $false"
    • This will change all users "on-premises sync enabled" property in portal to "No".

    This indicates all users are now cloud only.

    Let me know if you have any further questions on this.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    0 comments