Forum Discussion
Phillip Toynton
Oct 03, 2018Copper Contributor
Can you Migrate from Microsoft Cloud Identity to ADFS
Hello, If you start a new full-cloud O365 tenant with Azure AD and Azure ADDS using just the Cloud Identity authentication model, can you later upgrade to using ADFS for authentication? https...
Phillip Toynton
Oct 03, 2018Copper Contributor
Hi Robert,
Thank you for the reply. We're actually planning on moving away from a hybrid environment and we're actively working on not having any on-prem AD servers in-house.
We've been in a hybrid environment for over 4 years and our business model has never needed and/or wanted to use the SSO capabilities with ADFS authentication model.
What I want to know is IF we go to full O365 cloud and use Azure to ONLY host a newly created DC (and a fault tolerance DC), and use Cloud Identity for authentication, can we later (6 months? a year? 5 years?) add ADFS, AD Sync and AD Connect? There is a strong desire to simplify our infrastructure.
Phil
Roberth Strand
Oct 03, 2018Brass Contributor
Any users created on-prem will be deleted in Azure AD if you stop the sync from AD.
You can set up your servers in Azure, but before removing anything on-prem you need to migrate the PDC to a DC in Azure and set up a new AAD Connect there.
You can set up your servers in Azure, but before removing anything on-prem you need to migrate the PDC to a DC in Azure and set up a new AAD Connect there.
- Phillip ToyntonOct 04, 2018Copper Contributor
Hi Robert,
Again - thank you so much for responding.
"Any users created on-prem will be deleted in Azure AD if you stop the sync from AD."
But what if I first import them into a O365 environment?
We're looking to create a new PDC in Azure (with another for fault tolerance). My understanding is that if we don't need SSO, we don't have to setup the AD sync / AD Connect or the ADFS farm. We can just use Cloud Identity to manage our users.
Is this not true?
Thank you,
Phil
- Roberth StrandOct 05, 2018Brass ContributorSorry, I might have misspoken. I never had to do this and last time I checked, most people said that it was impossible to break the AD Sync without deleting users but according to this article you can stop the AD Connect synchronization and then you would be able to manage users in Azure AD alone.
https://support.microsoft.com/en-us/help/2619062/you-can-t-manage-or-remove-objects-that-were-synchronized-through-the
Fair warning; I have never tried this method before so I'm not 100% sure about the outcome. According to how I read that article you should be able to connect to Azure AD and say that it shouldn't use sync from on-prem and thus be able to edit users previously synchronized.
Thank you for the question, I'm here to learn new things as well as help and this definitely helped me.