Enabling SSO via AD/Entra Connect

Question

I want to enable SSO as I get ready defederate from ADFS and go direct to Entra for authentication. Is there any reason I can't just enable this change in AD Connect at any time? Is there any possibility of disrupting production? All of the apps have been migrated over to Entra. The idea is to prepare for the cutover from federated to managed but I want the first step to be enabling single sign on and perform the cutover at a later date.

Also, do I need to follow the directions found here in the quickstart guide? From what I understand we will be using PRT and none of the workstations are Windows 10.

Answer 1

@jpcapone

Thank you for posting this in Microsoft Q&A.

As I understand currently you have ADFS in your organization where Entra ID is federated with ADFS.

Now you want to move your authentication to Entra ID so that all the authentication requests are handled by Entra ID.

For Entra ID authentication you need to make sure that all the passwords are synced to Entra ID. You can perform this by enabling Password hash sync in Entra connect.

To perform this migration of authentication to Entra ID, you can make use of feature called as "Staged Rollout".

Staged Rollout allows you to selectively test groups of users with cloud authentication capabilities like Microsoft Entra multifactor authentication, Conditional Access, Microsoft Entra ID Protection for leaked credentials, Identity Governance, and others, before cutting over your domains. This article discusses how to make the switch.

With this feature you can rollout Entra ID authentication all users group by group.

You can follow steps in below article to perform this in your environment.

https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-staged-rollout#enable-staged-rollout

You can go through above article and let us know if you have any other questions.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.