How to perform Decommission of federation with password hash sync after migrated to cloud authentication

louis cheung 20 Reputation points
2023-11-24T03:35:46.1666667+00:00

In office365 environment, we are going to migrate "federation with password hash sync" to "Cloud Authentication". After migrate to "Cloud Authentication", on premise AD will be removed, so we will perform Decommission of federation & password hash sync after confirming "cloud authentication" have no problem.

My question is, Since on premise AD will be remove, both Federation and active sync password hash will not be use anymore, is there any sequence on decommision of ADFS / active sync password hash? Or we simply perform decommision of ADFS, active sync password hash will be remove accordingly? (Since from my understanding, both ADFS & Active sync password hash is somehow impacting each other. Please correct me if my understanding is wrong.)

Active Directory Federation Services
Active Directory Federation Services
An Active Directory technology that provides single-sign-on functionality by securely sharing digital identity and entitlement rights across security and enterprise boundaries.
1,273 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,398 questions
{count} votes

Accepted answer
  1. Sandeep G-MSFT 19,921 Reputation points Microsoft Employee
    2023-11-24T04:37:58.5333333+00:00

    @louis cheung

    Thank you for posting this in Microsoft Q&A.

    As I understand you want the steps to move from ADFS to Cloud Authentication. Also, you have password hash sync configured in your environment.

    With PHS configured in your environment, user's password gets synced to Azure AD. Currently when you have ADFS configured in your environment, user Authentication is handled by on-premises ADFS servers.

    For testing before moving to cloud authentication, you can make use of "Staged rollout" feature in Azure AD to confirm if cloud authentication is working as expected.

    This method is used to have Zero impact in your environment while migration.

    Staged Rollout allows you to selectively test groups of users with cloud authentication capabilities like Microsoft Entra multifactor authentication, Conditional Access, Identity Protection for leaked credentials, Identity Governance, and others, before cutting over your domains.

    You can refer to below article to configure staged rollout in your environment,

    https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-staged-rollout

    Once you make sure that cloud authentication is working fine using staged rollout, you can un-federate the domain in ADFS environment. Once you un-federate the domain, Azure AD will stop redirecting the authentication requests to ADFS.

    Sync user passwords are already synced to Azure AD, Azure will handle the authentication and give access to requested resources.

    Now, post all testing and un-federating the domain, you can decommission ADFS servers.

    Let me know if you have any further questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.