Forum Discussion

Rajtoor
Copper Contributor
Aug 26, 2021

ADFS to Azure AD migration with staged rollout

We have currently ADFS setup for authentication to office.com and we want to migrate to Azure AD.

I have tested staged rollout for some users and it is working for the users in the group; they are no longer redirected to on-prem ADFS. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-staged-rollout


But could not figure out how to fully migrate all users to Azure AD. Should I add all users to this staged rollout group?

What I understood was that it is just as temporary group until migration is complete?

Should there not be a process of creating an O365 app and configuring SAML just like any other application, and then configuring O365 to use Azure AD?

What about other applications using ADFS, do they also get affected by adding users to the migration group?


  • pvanberlo
    Steel Contributor

    Rajtoor If you've tested migrating from ADFS to Azure AD using staged rollout and all seems to work fine, the last step is to convert the domains from federated to managed, as described here. This will basically remove the federation completely for anyone signing in through those domains.


    Office 365 does not need to be added as a SAML app; however, if there are other apps you want to provide SSO to using Azure AD, you will have to add those applications into Azure AD and set up SAML (or another method).

    • Rajtoor
      Copper Contributor
      pvanberlo, is there a way to do it per application, like just doing it for Office 365?
      • pvanberlo
        Steel Contributor
        The problem you’ll face is that it’s the domain that forces federation or not. As long as you do not turn it into a managed domain, in your case it will keep trying to federate with ADFS (except for the users part of staged roll-out). So no. You can’t do this per app unfortunately.
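Added example, not from this thread or from Microsoft's documentation: the domain-level check and cutover that pvanberlo describes above (convert the domain from federated to managed; federation is a property of the domain, not of the app), written for the MSOnline PowerShell module. It assumes you have already run Connect-MsolService as a Global Administrator and finished staged-rollout testing; the domain name is a placeholder.

```powershell
# Added example (not from the thread): pre-cutover check and federated-to-managed
# conversion using the MSOnline module. Assumes Connect-MsolService has already been
# run with a Global Administrator account.
$DomainName = 'contoso.example'   # placeholder, replace with your federated domain

# 1. Sign-in to a managed domain (and staged rollout itself) needs password hash sync
#    or pass-through authentication. Refuse to cut over if PHS is not on, otherwise
#    users would lose the ability to sign in once ADFS is no longer consulted.
$company = Get-MsolCompanyInformation
if (-not $company.PasswordSynchronizationEnabled) {
    throw "Password hash sync is not enabled; converting '$DomainName' to managed would lock users out."
}

# 2. Show every verified domain with its current authentication type. This is the
#    setting that decides whether sign-ins are redirected to ADFS; it exists per
#    domain, which is why the switch cannot be made per application.
Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' } |
    Select-Object Name, Authentication, Status | Format-Table -AutoSize

# 3. Convert only the target domain, and only if it is actually federated.
$domain = Get-MsolDomain -DomainName $DomainName
if ($domain.Authentication -eq 'Federated') {
    Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Managed
    Write-Host "Converted $DomainName to Managed."
} else {
    Write-Host "$DomainName is already $($domain.Authentication); nothing to do."
}

# 4. Confirm the change before removing users from the staged rollout group
#    or decommissioning ADFS.
(Get-MsolDomain -DomainName $DomainName).Authentication
```

The conversion only changes how Azure AD authenticates that domain. Relying party trusts configured directly on the ADFS farm for other applications are untouched by it, so, as the reply above says, those applications keep using ADFS until they are re-registered in Azure AD with SAML or another method.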
