Hello anonymous user,
Please find my inline answers below. I hope this was helpful.
- Do we need to change something for the AAD device registration when executing the migration?
[Ans] No. Since your Azure AD Connect has synced the computer objects and the devices are already configured with the client-side registry setting for the SCP through controlled validation, no additional changes are required for Windows 10 or later. For down-level domain-joined Windows devices (such as Windows 7, 8.1, Server 2008 R2 / 2012 / 2012 R2), however, you must set up Seamless SSO for hybrid Azure AD join. To learn more, go to: https://learn.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-managed-domains#enable-windows-down-level-devices

- What exactly is done by the AAD Connect tool when in the screen shown below the "Authentication Service" is selected? We know the SCP is written to the AD and the ADFS claim rules are updated. But what is done if selecting "Azure Active Directory"?
[Ans] When you select "Authentication Service = Azure Active Directory", the wizard creates new service connection points (SCPs) with your primary *.onmicrosoft.com domain name and Tenant ID, as shown below; however, you can skip this SCP configuration by unchecking the forest, because you are already using controlled validation from the client side. As a result, with the managed environment you may choose between a custom domain name (companyx.com or funyname.com) or a *.onmicrosoft.com domain. Therefore, the Authentication Service selection can be any of the available domain names in your Azure AD (either custom or primary) for a managed environment, but for a federated environment it must be one of the federated custom domain names, because the client always uses the domain name to discover the type of authentication that needs to be used for device authentication.
- The SCP information only contains the "Tenant ID" and the "Tenant Name". How does the client know if ADFS must be used to register in AAD or not?
[Ans] As previously stated, devices always use the "Tenant Name" that is configured in the SCP to discover whether that name is federated or managed, with the help of Azure AD. If the domain is federated, Azure AD shares the ADFS endpoint with the client to authenticate; but if the domain is managed, Azure AD checks whether that particular device has already been synchronized before performing device authentication.
------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
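An added check (example code, not part of the answer above) that reads the client-side SCP registry values set by controlled validation, reads the forest SCP that Azure AD Connect writes, reports whether the two agree, and then resolves the effective tenant name to a managed or federated realm. It assumes a domain-joined Windows 10 or later device with the ActiveDirectory RSAT module and outbound HTTPS to login.microsoftonline.com; the user-realm lookup and the probe login name are assumptions standing in for the discovery step the answer describes.

```powershell
# Added example, not part of the original answer: compare the client-side
# SCP override (controlled validation) with the forest SCP (Azure AD Connect),
# then look up whether the tenant name resolves to a managed or federated realm.
# Assumes a domain-joined Windows 10+ device with the ActiveDirectory RSAT module.

function Get-ClientSideScp {
    # Controlled validation sets TenantId and TenantName under this key on each device.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD'
    if (-not (Test-Path $key)) { return $null }
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{ Source = 'ClientRegistry'; TenantId = $p.TenantId; TenantName = $p.TenantName }
}

function Get-ForestScp {
    # The forest SCP sits at a fixed well-known DN under the configuration naming
    # context; its keywords carry "azureADId:<guid>" and "azureADName:<domain>".
    Import-Module ActiveDirectory -ErrorAction Stop
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dn = "CN=62a0ff2e-97b9-4ad1-a36d-3e5bb8b6c31e,CN=Device Registration Configuration,CN=Services,$configNC"
    try { $scp = Get-ADObject -Identity $dn -Properties keywords } catch { return $null }
    $id   = ($scp.keywords | Where-Object { $_ -like 'azureADId:*' })   -replace '^azureADId:',   ''
    $name = ($scp.keywords | Where-Object { $_ -like 'azureADName:*' }) -replace '^azureADName:', ''
    [pscustomobject]@{ Source = 'ForestSCP'; TenantId = $id; TenantName = $name }
}

function Get-TenantRealmType {
    param([Parameter(Mandatory)][string]$TenantName)
    # Assumption: the public user-realm endpoint is used as a stand-in for the
    # federated-or-managed discovery the answer describes; "probe" is a constructed login.
    $uri = "https://login.microsoftonline.com/GetUserRealm.srf?login=probe@$TenantName&json=1"
    (Invoke-RestMethod -Uri $uri -Method Get).NameSpaceType   # 'Managed', 'Federated' or 'Unknown'
}

$client = Get-ClientSideScp
$forest = Get-ForestScp
$client, $forest | Where-Object { $_ } | Format-Table Source, TenantId, TenantName -AutoSize

# The answer treats the client-side registry value as the one the device acts on,
# so prefer it when present and fall back to the forest SCP otherwise.
$effective = if ($client) { $client } else { $forest }
if (-not $effective) { Write-Warning 'No SCP found on the client or in the forest.'; return }
if ($client -and $forest -and $client.TenantId -ne $forest.TenantId) {
    Write-Warning 'Client registry and forest SCP point at different tenants.'
}
"Effective tenant name $($effective.TenantName) resolves to realm type: $(Get-TenantRealmType $effective.TenantName)"
```

A mismatch warning is the case to investigate before migration: the device would register against whichever tenant its own registry names, not the one the forest SCP advertises.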