Azure AD Hybrid Join when migrating from ADFS to managed

Tobi 1 Reputation point
2021-11-24T15:55:50.587+00:00

Situation:

  • Azure AD Tenant with federation using ADFS Server
  • Device objects are synced by AAD connect
  • Hybrid joined devices
  • SCP is deleted from AD and Controlled Validation is used
  • Azure AD tenant: companyx.onmicrosoft.com
  • multiple domains in the Azure AD tenant
  • Federated domains: companyx.com, funyname.com
  • Managed domain: newname.com

Planned Change:

  • we migrate both federated domains (companyx.com, funyname.com) to managed domains with password hash sync
  • The relying party for AAD/Office365 will be disabled on ADFS

Questions:

  • Do we need to change something for the AAD device registration when executing the migration?
  • What exactly is done by the AAD Connect tool when in the screen shown below the "Authentication Service" is selected? We know the SCP is written to the AD and the ADFS claim rules are updated. But what is done if selecting "Azure Active Directory"?

152305-image.png

  • The SCP information only contains the "Tenant ID" and the "Tenant Name". How does the client know if ADFS must be used to register in AAD or not?

I read a lot about AAD Hybrid join and the differences in the process when using ADFS or only AAD Connect sync are clear. But how does the client know to use ADFS, and where is this information coming from? And what does it mean for the migration?

Thank you very much in advance.


2 answers

  1. Siva-kumar-selvaraj 15,551 Reputation points
    2021-12-10T21:06:42.617+00:00

    Hello anonymous user,

    Please find my inline answers below. I hope this was helpful.

    • Do we need to change something for the AAD device registration when executing the migration?
      [Ans] No. Since your Azure AD Connect has synced the computer objects and the devices are already configured with the client-side registry setting for SCP through Controlled Validation, no additional changes are required for Windows 10 or later. For Windows down-level domain-joined devices (such as Win 7, 8.1, Server 2008 R2 / 2012 / 2012 R2), you must set up Seamless SSO for hybrid Azure AD. To learn more, go to: https://learn.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-managed-domains#enable-windows-down-level-devices
    • What exactly is done by the AAD Connect tool when in the screen shown below the "Authentication Service" is selected? We know the SCP is written to the AD and the ADFS claim rules are updated. But what is done if selecting "Azure Active Directory"?
      [Ans] When you select "Authentication Service=Azure Active Directory," the wizard creates new service connection points (SCPs) with your primary *.onmicrosoft.com domain name and Tenant ID, as shown below; however, you can skip this SCP configuration by unchecking the forest because you are already using Controlled Validation from the client side. As a result, with the managed environment, you may choose between a custom domain name (companyx.com or funyname.com) or a *.onmicrosoft.com domain. Therefore, the Authentication Service selection can be any of the available domain names in your Azure AD (either custom or primary) for a managed environment, but for a federated environment it must be one of the federated custom domain names, because the client always uses the domain name to discover the type of authentication that needs to be used for device authentication.

    156763-image.png
    156716-image.png

    • The SCP information only contains the "Tenant ID" and the "Tenant Name". How does the client know if ADFS must be used to register in AAD or not?
      [Ans] As previously stated, devices always use the "Tenant Name" that is configured in SCP to discover whether that name is federated or managed with the help of Azure AD. If the domain is federated, Azure AD shares the ADFS endpoint with the client to authenticate, but if the domain is managed, Azure AD checks to see if that particular device has already synchronized before performing device authentication.

    ------
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    2 people found this answer helpful.
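
An added example, not part of the answer above and not Microsoft tooling: a PowerShell check of what the SCP tenant name resolves to before and after the federated-to-managed conversion. Assumptions: the function names are hypothetical, the client-side SCP is read from the `CDJ\AAD` registry key used for Controlled Validation, the realm lookup uses the public `getuserrealm.srf` endpoint with its `NameSpaceType` and `AuthURL` fields, and the sample responses and the ADFS URL are constructed placeholders.

```powershell
# Added example (not from the original thread). Field names NameSpaceType/AuthURL are
# assumed from the JSON that getuserrealm.srf returns; sample responses are constructed.

function Get-ClientSideScp {
    # Client-side SCP written for Controlled Validation (TenantId, TenantName).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD'
    if (Test-Path $key) { Get-ItemProperty -Path $key | Select-Object TenantId, TenantName }
}

function Get-Realm {
    param([Parameter(Mandatory)][string]$Domain)
    # Only the domain suffix matters; "probe" is a placeholder user name.
    $uri = "https://login.microsoftonline.com/getuserrealm.srf?login=probe@${Domain}&json=1"
    Invoke-RestMethod -Uri $uri -Method Get
}

function Resolve-RegistrationPath {
    param([Parameter(Mandatory)]$Realm)
    switch ($Realm.NameSpaceType) {
        'Federated' { "Federated -> client authenticates at $($Realm.AuthURL)" }
        'Managed'   { 'Managed -> Azure AD checks for the synced device object' }
        default     { "Unexpected NameSpaceType '$($Realm.NameSpaceType)'" }
    }
}

# Constructed responses: companyx.com before and after the planned conversion.
$samples = @(
    [pscustomobject]@{ DomainName = 'companyx.com'; NameSpaceType = 'Federated'
                       AuthURL = 'https://adfs.example.invalid/adfs/ls/' }
    [pscustomobject]@{ DomainName = 'companyx.com'; NameSpaceType = 'Managed'; AuthURL = $null }
)
foreach ($r in $samples) { '{0}: {1}' -f $r.DomainName, (Resolve-RegistrationPath $r) }

# Live check on a hybrid-joined client: the SCP tenant name decides which path is taken.
$scp = Get-ClientSideScp
if ($scp -and $scp.TenantName) {
    '{0}: {1}' -f $scp.TenantName, (Resolve-RegistrationPath (Get-Realm $scp.TenantName))
}
```

The live check at the end only runs on a machine where the client-side SCP registry values exist; elsewhere the script prints the two constructed cases and stops.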

  2. Tobi 21 Reputation points
    2021-12-16T06:28:07.767+00:00

    @sikumars-msft Thank you very much! That's very helpful. As my two MS profiles are merged I can't mark it as accepted answer.