Remove Office 365 Federation from ADFS

berketjune2012 371 Reputation points
2022-03-02T20:41:04.167+00:00

Hello

I am currently trying to remove Office 365 authentication from our ADFS server.

I came across this article:
https://social.technet.microsoft.com/wiki/contents/articles/34464.remove-office-365-federation-from-adfs-server.aspx

My question is by performing the above steps, will the users now authenticate directly with Office 365 instead of the ADFS server and is there any other config required?

Thanks

Active Directory Federation Services
An Active Directory technology that provides single-sign-on functionality by securely sharing digital identity and entitlement rights across security and enterprise boundaries.

Accepted answer
    Pierre Audonnet - MSFT 10,166 Reputation points Microsoft Employee
    2022-03-03T14:42:43.04+00:00

    Yes, but there is more to consider.

    First of all, you don't have to turn on/off the switch for everyone. You can use the Staged Rollout feature https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-staged-rollout. Quick explanation here but do read the link :) Normally what tells Azure AD whether the users are authenticated in the cloud or on a federation server like AD FS is the domain name (the right part of the email/UPN). If you are bob@contoso.com and in Azure AD contoso.com is marked as a managed domain, then we redirect you to the Azure AD login experience. If you are alice@fabrikam.com and fabrikam.com is a federated domain in Azure AD, we redirect you to the federation service you have configured. This is called the Home Realm Discovery process. So, in a nutshell, we use your domain name to discover where you come from and where you should go. When you enable the Staged Rollout, we are going to use your full name for that process. So you could have bob@contoso.com and charles@contoso.com in the same domain, but have a different sign-in experience. If you have added bob into your Staged Rollout group, then bob will get the Azure AD sign-in experience even if contoso.com is federated. And charles@contoso.com will continue to go to AD FS. So this feature is here for you to test whether your transition is ready without affecting your whole user base. In other words, start with that.

    Then, yes, when you are confident you don't need AD FS anymore, you can configure your domain as managed. You can follow the instructions you found in that post, but quite frankly, you should use the Azure AD Connect Wizard. It has a section to change the authentication method for your users and will take care of things without worrying about the syntax etc...

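Added example, not part of the answer above or of the linked TechNet article: a read-only PowerShell check that shows which verified domains in the tenant still route sign-in to AD FS and, when run on the federation server, whether the Office 365 relying party trust is still present, so the cut-over can be confirmed before and after running the Azure AD Connect wizard. It assumes the MSOnline module with Connect-MsolService already run, optionally the ADFS module, and uses contoso.com as a placeholder domain.

```powershell
# Added example: read-only pre/post cut-over check (not the article's script).
# Assumes: MSOnline module, Connect-MsolService already run; ADFS module only
# needed for the second check. 'contoso.com' is a placeholder domain name.

function Get-FederationCutoverStatus {
    [CmdletBinding()]
    param(
        # Domains you intend to convert from Federated to Managed (placeholders)
        [string[]]$DomainsToConvert = @('contoso.com')
    )

    # 1. Tenant side: Home Realm Discovery routes users by domain, so any
    #    in-scope domain still marked 'Federated' still sends users to AD FS
    #    (unless they are in the Staged Rollout group).
    $report = foreach ($d in (Get-MsolDomain | Where-Object Status -eq 'Verified')) {
        [pscustomobject]@{
            Domain         = $d.Name
            Authentication = $d.Authentication   # 'Managed' or 'Federated'
            InScope        = $DomainsToConvert -contains $d.Name
        }
    }
    $stillFederated = $report | Where-Object { $_.InScope -and $_.Authentication -eq 'Federated' }

    if ($stillFederated) {
        Write-Warning ("Still federated: " + ($stillFederated.Domain -join ', ') +
            ". Users in these domains are redirected to AD FS.")
    } else {
        Write-Host "All in-scope domains are Managed; users authenticate directly with Azure AD."
    }

    # 2. AD FS side: the Office 365 relying party trust is only needed while
    #    some domain is federated. Runs only where the ADFS cmdlets exist.
    if (Get-Command Get-AdfsRelyingPartyTrust -ErrorAction SilentlyContinue) {
        $rpt = Get-AdfsRelyingPartyTrust -Name 'Microsoft Office 365 Identity Platform' -ErrorAction SilentlyContinue
        if ($rpt -and -not $stillFederated) {
            Write-Warning "Trust '$($rpt.Name)' still exists although no in-scope domain is federated; confirm no other domain uses it before removing."
        } elseif ($rpt) {
            Write-Host "Trust '$($rpt.Name)' present (expected while domains are federated)."
        } else {
            Write-Host "No Office 365 relying party trust found on this AD FS server."
        }
    }

    return $report
}

Get-FederationCutoverStatus | Format-Table -AutoSize
```

Run it once before the wizard (expect in-scope domains Federated and the trust present) and again after (expect Managed and, once the trust is removed, no trust).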

1 additional answer

    Pierre Audonnet - MSFT 10,166 Reputation points Microsoft Employee
    2022-03-03T16:37:28.137+00:00

    Launch the Azure AD Connect wizard.

    Select Change user sign-in.
    (screenshot: 179821-image.png)

    Pick the method you want (you should be set to Federation with AD FS at the moment). For example PHS:

    (screenshot: 179794-image.png)

    Then Next and follow the steps.
