This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(316.8, 31%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPR%3C/text%3E%3C/svg%3E)
We are planning to migrate from on-premise ADFS authentication to Azure Cloud Authentication and MFA on premise to Azure MFA .
Want to achieve :
We want to stop using on-premise ADFS and use Azure Cloud authentication, in order to do that I understand that I need to manually move my domain from federated to Managed?
Once I migrate my domain what changes do I need to do on the application end so they understand that it now needs to use Azure authentication and not ADFS?
And what is the best Roll-back?
Can someone please share with me your migration project and did you do it in stages or just cut over?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(12.8, 68%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVK%3C/text%3E%3C/svg%3E)
From Azure Ad Connect enable Passwords hash authentication . This will sync user password and hash to Azure Active Directory and about domain will be good if you can create a new server and transfer FSMO roles to new Azure VM server.
This is not what I asked for help with!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
Apologies for delayed response on this issue.
We want to stop using on-premise ADFS and use Azure Cloud authentication, in order to do that I understand that I need to manually move my domain from federated to Managed? -- Yes, you are right need to convert domain from federated to managed either use PHS or PTA.
Refer to the below articles, which helps in Migration from ADFS to Pass-Though Authentication or Password Hash Sync Deployment Plan
Deployment plan: Migrating from AD FS to password hash sync: https://aka.ms/ADFSTOPHSDPDownload
Deployment plan: Migrating from AD FS to pass-through authentication: https://aka.ms/ADFSTOPTADPDownload
Once I migrate my domain what changes do I need to do on the application end so they understand that it now needs to use Azure authentication and not ADFS?
To answer this question, we need to understand whether applications which are federated with ADFS support authentication protocols of Azure AD or not. You can leverage Azure AD Application proxy as well, reference: https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy
Refer to this white paper Migrating your apps to Azure AD for more detailed information on application migration from ADFS to Azure AD - https://aka.ms/migrateapps/whitepaper
Resources for migrating applications to Azure Active Directory - https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/migration-resources
Above white papers have the rollback options mentioned as well.
Please review this documentation, if you have any questions further let me know would be happy to answer it for you.