Frank Rijt-van
Thanks for coming back to me - really appreciate your help.
I am glad to hear that your deployment went well - my infra is less than 2K users and computers.
I have a question about the Computer Account and SPNs created during the Stage Rollout:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-migrate-adfs-pass-through-authentication

Note: Domain Administrator account credentials are required to enable seamless SSO. The process completes the following actions, which require these elevated permissions. The Domain Administrator account credentials aren't stored in Azure AD Connect or in Azure AD. The Domain Administrator account credentials are used only to turn on the feature. The credentials are discarded when the process successfully finishes.
- A computer account named AZUREADSSOACC (which represents Azure AD) is created in your on-premises Active Directory instance.
- The computer account's Kerberos decryption key is securely shared with Azure AD.
- Two Kerberos service principal names (SPNs) are created to represent two URLs that are used during Azure AD sign-in.
If I decide to cancel the Stage Rollout, will those accounts still be in my on-prem AD? If so, can these be safely removed?
Also about your migration - did you switch off the Stage Rollout slider, or how does that part of the portal look after you've gone to PTA or PHA?
Any problems you found during the trial or after the full migration?
Thanks, D
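An added example, not part of the original thread or of Microsoft's documentation: a read-only PowerShell check that answers the "is it still in my AD?" question by looking up the AZUREADSSOACC computer account the quoted docs describe and reporting its SPNs and the age of its Kerberos key (the account's password). It assumes the ActiveDirectory RSAT module is installed and the caller has read access to the domain; the function name and the 30-day threshold are this example's own choices (Microsoft's guidance is to roll the Seamless SSO key regularly, and 30 days is the commonly cited interval).

```powershell
# Added example (not from the original thread): inventory the Seamless SSO
# computer account that Azure AD Connect creates, so you can see whether it
# survived a cancelled Staged Rollout and whether its Kerberos key is stale.
# Assumes the ActiveDirectory RSAT module and domain read access.
Import-Module ActiveDirectory

function Get-SeamlessSsoAccountReport {
    param(
        # Account name as stated in the quoted Microsoft docs
        [string]$AccountName = 'AZUREADSSOACC',
        # Hypothetical threshold chosen for this example; adjust to your policy
        [int]$MaxKeyAgeDays = 30
    )

    # -Filter returns nothing (rather than throwing) when the account is absent
    $acct = Get-ADComputer -Filter "Name -eq '$AccountName'" `
        -Properties servicePrincipalName, PasswordLastSet, Enabled, whenCreated

    if (-not $acct) {
        # Nothing to remove or rotate: the account is not present in this domain
        return [pscustomobject]@{ Name = $AccountName; Present = $false }
    }

    # The computer account's password is the Kerberos decryption key shared
    # with Azure AD, so PasswordLastSet tells you when that key was last rolled
    $keyAgeDays = (New-TimeSpan -Start $acct.PasswordLastSet -End (Get-Date)).Days

    [pscustomobject]@{
        Name        = $acct.Name
        Present     = $true
        Enabled     = $acct.Enabled
        Created     = $acct.whenCreated
        KeyAgeDays  = $keyAgeDays
        KeyStale    = ($keyAgeDays -gt $MaxKeyAgeDays)
        # The two SPNs the docs mention appear here if the account is intact
        Spns        = @($acct.servicePrincipalName)
    }
}

# Usage: run as a user with read access to the domain
Get-SeamlessSsoAccountReport | Format-List
```

If the report shows Present = $true after you have turned Seamless SSO off, the account was left behind by the rollout rather than cleaned up, which is the case the question above is asking about; a stale key on an account that is still in use is a separate finding worth acting on.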