How can I migrate from federation to cloud authentication?

Toru Nakanishi 40 Reputation points
2025-01-23T06:18:13.28+00:00

Now my environment is:

One domain XXXX.com in on-prem AD (with 2 OUs)

Two tenants A.com and B.com in Entra ID

One ADFS

One Entra ID Connect

I use federation to sign in to Entra ID.

Members of one OU belong to A.com and members of the other to B.com.

Since I have just one on-prem domain, I use alternate login ID and use the e-mail address instead of the UPN.

Now I want to change the sign-in method from federation to password hash sync or pass-through.

However, I heard that to migrate to cloud authentication, the on-prem UPN needs to match the one in Entra ID.

I know changing the on-prem UPN is a good way, but I don't want to choose it if there is another way.

How can I achieve this?


1 answer

  1. Venkata Jagadeep 165 Reputation points Microsoft Vendor
    2025-01-27T13:36:36.24+00:00

    Hello @Toru Nakanishi

    Thank you for posting your query on Microsoft Q&A.

    I understand that you have 2 OUs in your on-prem domain, in which the users of one OU have A.com email addresses and the users of the other have B.com email addresses, and this one domain is federated with ADFS.

    If you migrate to cloud authentication for a federated domain, those users will be able to authenticate through Azure (PTA or PHS). You can set the user's email address as the source anchor instead of the UPN.

    A UPN must be unique among all security principal objects within a directory forest. Microsoft's recommended best practices are to match UPN

    If the userPrincipalName attribute is nonroutable and can't be verified, then you can select another attribute. You can, for example, select email as the attribute that holds the sign-in ID. When you use an attribute other than userPrincipalName, it's known as an alternate ID.

    The alternate ID attribute value must follow the RFC 822 standard. You can use an alternate ID with password hash sync, pass-through authentication, and federation. In Active Directory, the attribute can't be defined as multivalued, even if it has only a single value.

    I suggest you refer to the documentation below:

    https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-install-custom#microsoft-entra-sign-in-configuration

    https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configuring-alternate-login-id

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Thanks,

    Venkata Jagadeep.
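The requirements the answer lists for an alternate ID (value present, RFC 822 format, unique across the forest, and a domain suffix that is verified in the tenant the OU syncs to) can be checked on an export of the on-prem users before federation is switched off. The following is an added example, not code from this thread or from Microsoft; the OU names, CSV columns, tenant mapping and user rows are all constructed for illustration.

```python
"""Pre-flight check of alternate login IDs before moving from federation to PHS/PTA."""
import csv
import io
import re
from collections import Counter

# Assumed mapping: which on-prem OU syncs to which tenant, and that tenant's verified domains.
OU_TO_TENANT_DOMAINS = {
    "OU=TenantA,DC=XXXX,DC=com": {"a.com"},
    "OU=TenantB,DC=XXXX,DC=com": {"b.com"},
}

# Simplified RFC 822 addr-spec: local-part@dotted-domain (no quoted local parts, no comments).
ADDR_SPEC = re.compile(r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

# Constructed sample export with the columns such a check needs.
SAMPLE_EXPORT = """sAMAccountName,ou,userPrincipalName,mail
alice,"OU=TenantA,DC=XXXX,DC=com",alice@XXXX.com,alice@a.com
bob,"OU=TenantA,DC=XXXX,DC=com",bob@XXXX.com,bob@b.com
carol,"OU=TenantB,DC=XXXX,DC=com",carol@XXXX.com,carol@b.com
dave,"OU=TenantB,DC=XXXX,DC=com",dave@XXXX.com,
erin,"OU=TenantB,DC=XXXX,DC=com",erin@XXXX.com,Carol@b.com
"""


def check_alternate_ids(export_text, ou_map=OU_TO_TENANT_DOMAINS):
    """Return {sAMAccountName: [problems]} for every user whose mail is unusable as a sign-in ID."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    # Sign-in IDs are matched case-insensitively, so count duplicates on the lowercased value.
    mail_counts = Counter(r["mail"].strip().lower() for r in rows if r["mail"].strip())
    findings = {}
    for r in rows:
        problems = []
        mail = r["mail"].strip()
        if not mail:
            problems.append("missing mail")
        elif not ADDR_SPEC.match(mail):
            problems.append("not RFC 822")
        else:
            suffix = mail.rsplit("@", 1)[1].lower()
            if suffix not in ou_map.get(r["ou"], set()):
                problems.append(f"suffix {suffix} not verified in target tenant")
            if mail_counts[mail.lower()] > 1:
                problems.append("duplicate")
        if problems:
            findings[r["sAMAccountName"]] = problems
    return findings


if __name__ == "__main__":
    for user, problems in sorted(check_alternate_ids(SAMPLE_EXPORT).items()):
        print(f"{user}: {', '.join(problems)}")
```

Users that appear in the result would fail to sign in (or collide with another account) once the domain is converted, so they should be corrected before the cutover.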
