Project to Migrate ADFS and MFA to Azure

Price, Robert D 1 Reputation point
2022-04-12T02:07:20.123+00:00

We are planning to migrate from on-premise ADFS authentication to Azure Cloud Authentication and MFA on premise to Azure MFA .

  1. We have 2 ADFS Servers on premise and have password hash sync already enabled with SSO.
  2. We have Microsoft office 365, and a few other applications currently using on-premise ADFS authentication.
  3. We are already syncing user data to Azure AD tenant using Azure AD Connect.

Want to achieve :

We want to stop using on-premise ADFS and use Azure Cloud authentication, in order to do that I understand that I need to manually move my domain from federated to Managed?

Once I migrate my domain what changes do I need to do on the application end so they understand that it now needs to use Azure authentication and not ADFS?

And what is the best Roll-back?

Can someone please share with me your migration project and did you do it in stages or just cut over?

Active Directory Federation Services
Active Directory Federation Services
An Active Directory technology that provides single-sign-on functionality by securely sharing digital identity and entitlement rights across security and enterprise boundaries.
1,222 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,553 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Givary-MSFT 30,676 Reputation points Microsoft Employee
    2022-04-18T12:12:10.75+00:00

    @Price, Robert D

    Apologies for delayed response on this issue.

    We want to stop using on-premise ADFS and use Azure Cloud authentication, in order to do that I understand that I need to manually move my domain from federated to Managed? -- Yes, you are right need to convert domain from federated to managed either use PHS or PTA.

    Refer to the below articles, which helps in Migration from ADFS to Pass-Though Authentication or Password Hash Sync Deployment Plan

    Deployment plan: Migrating from AD FS to password hash sync: https://aka.ms/ADFSTOPHSDPDownload

    Deployment plan: Migrating from AD FS to pass-through authentication: https://aka.ms/ADFSTOPTADPDownload

    Once I migrate my domain what changes do I need to do on the application end so they understand that it now needs to use Azure authentication and not ADFS?

    To answer this question, we need to understand whether applications which are federated with ADFS support authentication protocols of Azure AD or not. You can leverage Azure AD Application proxy as well, reference: https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy

    Refer to this white paper Migrating your apps to Azure AD for more detailed information on application migration from ADFS to Azure AD - https://aka.ms/migrateapps/whitepaper

    Resources for migrating applications to Azure Active Directory - https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/migration-resources

    Above white papers have the rollback options mentioned as well.

    Please review this documentation, if you have any questions further let me know would be happy to answer it for you.

    0 comments No comments