Forum Discussion
Questions on on-prem ADFS migration to Azure MFA
Get rid of on-premises ADFS-SSO? Not sure if you mean migrate from ADFS to PHS or PTA.
If you want to keep ADFS and use Azure MFA, then you need to configure Azure MFA as an authentication provider for ADFS. You should check if other services are using ADFS; some applications don't support certain Azure MFA authentication methods, like no prompt for TOTP or no notification to check your Authenticator app for approval.
Michael Tang - Thank you very much Michael for your inputs.
Here, the context is that the customer would like to get rid of ADFS and only use Azure AD SSO with Azure MFA.
Please advise. Many thanks in advance.
- Michael Tang, Mar 31, 2020, Brass Contributor
In a nutshell:
Decide if you want to sync passwords or use pass-thru authentication for Azure AD Authentication. If your organization doesn't want to store password hashes in cloud use PTA.
If it's PHS, I would first start by enabling Password Hash Sync in Azure AD Connect Sync Optional Features.
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tutorial-phs-backup
Once you verify you have Password Hash Sync working properly in the portal, you can run Azure AD Connect again and change the sign-in option to PHS and convert from federated to managed authentication.
Depending on the number of objects you sync, it could be quick or take a bit of time to convert.
I would take a look through this.
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/
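The order Michael describes (confirm PHS is really flowing before cutting the domain over from federated to managed) as an added PowerShell example, not code from the thread or from Microsoft. It assumes the MSOnline module of that era (Connect-MsolService, Get-MsolCompanyInformation, Get-MsolDomain, Set-MsolDomainAuthentication), an existing Global Administrator session, and a placeholder domain name; the sync-age threshold is an assumed value.

```powershell
# Added example: verify Password Hash Sync before converting a federated domain
# to managed. Cmdlets are from the MSOnline module; the domain name and the
# sync-age threshold below are placeholders/assumptions, not values from the thread.
$DomainName      = 'contoso.example'   # placeholder: your federated domain
$MaxSyncAgeHours = 3                   # assumed threshold for "PHS is actually flowing"

function Test-PhsReady {
    param([int]$MaxAgeHours)
    $info = Get-MsolCompanyInformation
    if (-not $info.DirectorySynchronizationEnabled) {
        Write-Warning 'Directory sync is not enabled in this tenant.'; return $false
    }
    if (-not $info.PasswordSynchronizationEnabled) {
        Write-Warning 'PHS is not enabled; turn it on under Azure AD Connect Optional Features first.'
        return $false
    }
    # LastPasswordSyncTime is reported in UTC; a stale value means hashes are not arriving.
    $age = (Get-Date).ToUniversalTime() - $info.LastPasswordSyncTime
    if ($age.TotalHours -gt $MaxAgeHours) {
        Write-Warning "Last password sync was $([int]$age.TotalHours) h ago; investigate before cutting over."
        return $false
    }
    return $true
}

function Convert-DomainToManaged {
    param([string]$Name, [switch]$DryRun)
    $domain = Get-MsolDomain -DomainName $Name
    if ($domain.Authentication -ne 'Federated') {
        Write-Host "$Name is already $($domain.Authentication); nothing to do."; return
    }
    if ($DryRun) { Write-Host "Would convert $Name from Federated to Managed."; return }
    # After this call ADFS is no longer consulted for this domain; users sign in
    # against the synced hashes, so the PHS check above is what makes this safe.
    Set-MsolDomainAuthentication -DomainName $Name -Authentication Managed
    Get-MsolDomain -DomainName $Name | Select-Object Name, Authentication, Status
}

if (Test-PhsReady -MaxAgeHours $MaxSyncAgeHours) {
    Convert-DomainToManaged -Name $DomainName -DryRun   # drop -DryRun to perform the cutover
}
```

The Azure AD Connect wizard mentioned above performs the same federated-to-managed change; this script is useful for confirming the PHS prerequisites and for auditing which domains are still federated before you run it.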