Federated to Managed Authentication

user20201 326 Reputation points

Hi All-

We are planning to migrate our authentication from Federated to Managed Auth. We plan to use the Password Hash Sync and we are following this guide.

Our current setup is: we have the abc.xyz.com domain, Password Hash Sync is also enabled, but User Sign-in is set to Federated.

We are wondering whether the migration will impact our users/applications that come from the domain abc.xyz.com, since we are changing the domain to login.microsoftonline.com? Or will the migration impact our users in Active Directory and Azure AD? Since our Azure AD Connect is enabled for syncing, do we still need to migrate the users from Active Directory to Azure AD?

Thank you!


Accepted answer
    AmanpreetSingh-MSFT 56,486 Reputation points

    Hi @user20201, thank you for reaching out.

    You need to take care of the following considerations:

    • You must have abc.xyz.com added as a verified domain in your Azure AD tenant.
    • Users must be synced from on-premises AD to Azure AD with a UPN like username@jaswant.xyz.com.
    • You must have Password Hash Sync enabled in AD Connect (as highlighted below) and make sure the passwords are syncing successfully by checking the Application event log on the AD Connect server.
    • Run Set-MsolDomainAuthentication -Authentication Managed -DomainName <domain name> on the ADFS server to convert authentication from Federated to Managed.
    • If you are using a federation server other than ADFS, you will need to use the Set-MsolDomainAuthentication cmdlet for this purpose.

    Expected behavior once the above steps are done: when users sign in using username@jaswant.xyz.com, they will no longer be redirected to the on-premises federation server based on the abc.xyz.com domain suffix in the UPN, and authentication will take place directly against the Azure AD tenant where username@jaswant.xyz.com is added as a verified domain.

    Since our Azure AD Connect is enabled for syncing, do we still need to migrate the users from Active Directory to Azure AD?
    If users are already synced, there is no need to perform any sort of migration from Active Directory to Azure AD.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
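The considerations in the answer above, written as a read-only pre-flight check to run before the conversion cmdlet. This is an added example, not code from the answer or from Microsoft; it assumes the MSOnline module (where the answer's Set-MsolDomainAuthentication comes from, now superseded by Microsoft Graph PowerShell) is installed, and $Domain and $SampleUpn are placeholders to replace with your own values.

```powershell
# Pre-flight check before converting a federated domain to managed (PHS).
# Assumes the MSOnline module is installed and you can sign in as a tenant admin.
Import-Module MSOnline
Connect-MsolService

$Domain    = 'abc.xyz.com'          # domain being converted (from the question)
$SampleUpn = "someuser@$Domain"      # constructed placeholder: any synced user in that domain
$Problems  = @()

# 1. The domain must be verified in the tenant and currently federated.
$d = Get-MsolDomain -DomainName $Domain
if ($d.Status -ne 'Verified')          { $Problems += "$Domain is not a verified domain (status: $($d.Status))." }
if ($d.Authentication -ne 'Federated') { $Problems += "$Domain is already $($d.Authentication); nothing to convert." }

# 2. Password Hash Sync must be enabled and must have run recently; otherwise users
#    lose the ability to sign in the moment the federation redirect goes away.
$c = Get-MsolCompanyInformation
if (-not $c.PasswordSynchronizationEnabled) {
    $Problems += 'Password Hash Sync is disabled in the tenant.'
} elseif ($c.LastPasswordSyncTime -lt (Get-Date).AddHours(-3)) {
    $Problems += "Last password sync was $($c.LastPasswordSyncTime); expected within the last few hours."
}

# 3. The sample user must be a synced object (ImmutableId set) under the domain suffix.
$u = Get-MsolUser -UserPrincipalName $SampleUpn -ErrorAction SilentlyContinue
if (-not $u)                 { $Problems += "$SampleUpn was not found in the tenant." }
elseif (-not $u.ImmutableId) { $Problems += "$SampleUpn is cloud-only, not synced from on-premises AD." }

# 4. On the AD Connect server itself, confirm recent PHS result events in the
#    Application log (event 657, 'Password Change Result', source 'Directory Synchronization'):
# Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='Directory Synchronization'; Id=657} -MaxEvents 5

if ($Problems) {
    $Problems | ForEach-Object { Write-Warning $_ }
    throw 'Fix the items above before converting; do not run Set-MsolDomainAuthentication yet.'
}
Write-Host "All checks passed. To convert, run:`n  Set-MsolDomainAuthentication -DomainName $Domain -Authentication Managed"
```

The script only reports; the conversion command it prints at the end is the one the answer names, to be run deliberately once every check passes.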
