How to Migrate Claim Provider Trust From ADFS to Entra ID

Bishnu Baliyase 130 Reputation points
2024-08-09T13:12:04.3666667+00:00

We have two ADFS farms - one in the DMZ for external users and another in the non-DMZ for internal users. There is a claim provider trust and an RP created on the internal ADFS for the external ADFS, to easily switch between internal and external users/applications. Now the business is planning to migrate all the applications from the internal ADFS to Entra ID for authentication. The external ADFS in the DMZ will remain as is. Now, how do we migrate the claim provider trust from the internal ADFS (for the DMZ ADFS) to Entra ID, so that the user experience remains the same?


1 answer

  1. Sandeep G-MSFT 18,766 Reputation points Microsoft Employee
    2024-08-12T05:07:20.91+00:00

    @Bishnu Baliyase

    Thank you for posting this in Microsoft Q&A.

    As I understand it, you want to migrate from ADFS to Entra ID for authentication.

    As per your explanation, you already have an application (relying party) trust configured in your ADFS environment. Also, you have a claim provider trust created with your on-premises AD. Now you want to move everything to Azure for authentication.

    To move the claim provider trust, you will need to configure the application in Entra ID.

    Entra ID supports authentication protocols like SAML, OAuth and OpenID Connect. So, first you need to make sure that the application supports one of the three authentication protocols which Entra ID uses.

    Once you configure the application in Entra ID, the claim provider will be Entra ID for the applications.

    You can configure claims in Entra ID itself under the application configuration. Once you configure this, claims will be provided by Entra ID and Entra ID becomes your claim provider.

    You can check the prerequisites below, which are required for migration:

    • You have a Microsoft Entra ID P1 or P2 license.
    • You should have one of the following roles assigned:
      • Cloud Application Administrator
      • Application Administrator
      • Global Reader (read-only access)
      • Report Reader (read-only access)
    • Microsoft Entra Connect should be installed on the on-premises environments, alongside Microsoft Entra Connect Health AD FS health agents.

    You can refer to the article below for more information on how and what is required for migration:

    https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/migrate-ad-fs-application-howto

    Let us know if you have any further questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
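    An added example, not part of the question or the answer above, of the inventory step a practitioner would take before this migration: export the internal farm's claims provider trusts and the relying party trusts that depend on them with the ADFS PowerShell module, so the identifiers, endpoints and claim rules can be reproduced in the Entra ID application and claims configuration. It assumes it runs on an internal ADFS server with ADFS administrator rights; the output folder is a placeholder.

```powershell
Import-Module ADFS

# Output folder is an assumed placeholder; adjust as needed.
$OutDir = 'C:\Temp\adfs-inventory'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Claims provider trusts: the DMZ ADFS farm should be listed here. The
# identifier, endpoints, signing certificate and acceptance transform rules
# are what must be reproduced (as an Entra ID app and its claims config).
$cpTrusts = Get-AdfsClaimsProviderTrust | ForEach-Object {
    [pscustomobject]@{
        Name                     = $_.Name
        Identifier               = $_.Identifier
        Enabled                  = $_.Enabled
        WSFedEndpoint            = $_.WSFedEndpoint
        SamlEndpoints            = $_.SamlEndpoints
        TokenSigningCertThumbs   = @($_.TokenSigningCertificate | ForEach-Object { $_.Thumbprint })
        AcceptanceTransformRules = $_.AcceptanceTransformRules
    }
}
$cpTrusts | ConvertTo-Json -Depth 5 |
    Set-Content -Path (Join-Path $OutDir 'claims-provider-trusts.json')

# Relying party trusts: record which claims providers each application is
# restricted to (an empty ClaimsProviderName means any enabled provider) and
# its issuance rules, so the same claims can be mapped in Entra ID.
$rpTrusts = Get-AdfsRelyingPartyTrust | ForEach-Object {
    [pscustomobject]@{
        Name                       = $_.Name
        Identifier                 = $_.Identifier
        Enabled                    = $_.Enabled
        ClaimsProviderName         = @($_.ClaimsProviderName)
        WSFedEndpoint              = $_.WSFedEndpoint
        SamlEndpoints              = $_.SamlEndpoints
        IssuanceTransformRules     = $_.IssuanceTransformRules
        IssuanceAuthorizationRules = $_.IssuanceAuthorizationRules
    }
}
$rpTrusts | ConvertTo-Json -Depth 5 |
    Set-Content -Path (Join-Path $OutDir 'relying-party-trusts.json')

# Summary: which applications are pinned to which claims provider, so the
# DMZ-dependent ones are identified before they move.
$rpTrusts |
    Where-Object { $_.ClaimsProviderName.Count -gt 0 } |
    Select-Object Name, Enabled,
        @{ Name = 'ClaimsProviders'; Expression = { $_.ClaimsProviderName -join ', ' } } |
    Format-Table -AutoSize
```

    Compare the exported acceptance and issuance rules against the claims you configure on the Entra ID application so that no claim the applications rely on is silently dropped after cutover.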

