Forum Discussion

Curious_Kevin16
Iron Contributor
Oct 09, 2024

Moving Microsoft 365 authentication to Entra ID Cloud Auth from On-Prem ADFS

Hi Identity Brain Trust, 


Assuming this would be the right place for my question as I couldn't find any other hub more relevant for this one. 


We have several applications configured to be authenticated via ADFS. We are looking to move these gradually to Entra ID Cloud auth and decommission ADFS, eventually. I would like to test out how Microsoft 365 can be moved to Cloud Auth from ADFS for a certain group of people. I have tried to use the ADFS migration wizard in Entra, but the Microsoft 365 app is not showing in the ADFS Application Migration section of Entra ID.

I've read this official guide but still couldn't find how this can be done manually when the App Migration section doesn't show the app: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/migrate-ad-fs-application-overview


Appreciate any of your inputs on this one!

Kev

1 Reply

  • Microsoft 365 authentication via ADFS is controlled at the domain federation level, not at the enterprise application level. That’s why it doesn’t appear in the ADFS Application Migration section.

    The migration wizard is meant for individual enterprise applications federated through ADFS (claims-based apps). Microsoft 365 uses domain federation configuration, which is managed differently.

    So if your goal is:

    “Test moving a subset of users from ADFS authentication to Entra cloud authentication”

    Here’s how it actually works.

    First, understand the current model.

    If your domain is federated, authentication flow is:

    User → Entra ID → Redirect to ADFS → Token returned to Entra → Access granted

    To move to cloud authentication, you must change the domain authentication type from Federated to Managed.

    However, this is domain-wide — not per application.

    Key question:
    Do you want to test per-user migration while keeping the domain federated?

    If yes, the supported approach is:

    Use Staged Rollout.

    Staged Rollout allows you to enable:

    • Password Hash Sync (PHS) or Pass-Through Authentication (PTA)
    • Cloud authentication for selected users
    • While the domain remains federated for everyone else

    High-level steps:

    1. Enable Password Hash Sync (or PTA) in Entra Connect
    2. In Entra ID → Hybrid Identity → Staged Rollout
    3. Enable “Password hash sync” staged rollout
    4. Add a test security group
    5. Add pilot users

    Those users will authenticate directly in the cloud, bypassing ADFS.

    Important notes:

    • Their UPN must match Entra ID
    • Their passwords must be synchronized
    • Seamless SSO can be enabled if needed

    After testing is complete and you’re confident:

    You can convert the domain fully to Managed:

    Set-MsolDomainAuthentication -DomainName yourdomain.com -Authentication Managed

    (or via the Entra portal)

    Impact considerations:

    • Any application that relies specifically on ADFS claims rules must be migrated before decommissioning ADFS
    • Microsoft 365 does not require ADFS — cloud auth works natively
    • Conditional Access policies should be reviewed before migration
    • Smartcard / certificate auth scenarios need planning

    Why Microsoft 365 does not appear in ADFS Application Migration:

    Because it is not configured as an “Enterprise Application” behind ADFS — it uses domain federation metadata instead.

    Summary:

    You cannot migrate Microsoft 365 using the ADFS App Migration blade.
    You must use Staged Rollout for per-user testing.
    Full migration requires converting the domain authentication type.
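The reply's procedure (confirm the domain is federated, pre-flight the pilot users, create a Password Hash Sync Staged Rollout policy scoped to a group, and only later convert the domain to Managed) as one PowerShell script. This is an added example, not code from the original thread; it uses the Microsoft Graph PowerShell SDK rather than the MSOnline module shown above, because MSOnline is deprecated in favour of Microsoft Graph. It assumes the Microsoft.Graph modules are installed, that the signed-in account holds a role permitted to change domain authentication and rollout policies, and that `contoso.com` and `SG-CloudAuth-Pilot` are placeholders for your own federated domain and pilot security group. The Staged Rollout policy is written through the `featureRolloutPolicies` Graph resource, which is the object behind the Staged Rollout blade in the Entra admin center.

```powershell
# Added example, not from the original post. Assumes Microsoft Graph PowerShell SDK;
# 'contoso.com' and 'SG-CloudAuth-Pilot' are placeholder names to replace.
param(
    [string]$Domain     = 'contoso.com',        # assumption: the federated domain
    [string]$PilotGroup = 'SG-CloudAuth-Pilot'  # assumption: pilot security group
)

# Directory.AccessAsUser.All is required (delegated) to change a domain's authenticationType.
Connect-MgGraph -NoWelcome -Scopes 'Domain.ReadWrite.All','Directory.AccessAsUser.All',
    'Policy.ReadWrite.FeatureRollout','Group.Read.All','User.Read.All'

# 1. Confirm the domain really is federated; Staged Rollout only matters while it is.
$dom = Get-MgDomain -DomainId $Domain
"{0}: AuthenticationType={1} IsVerified={2}" -f $dom.Id, $dom.AuthenticationType, $dom.IsVerified
if ($dom.AuthenticationType -ne 'Federated') {
    Write-Warning "$Domain is already Managed; nothing to stage."
}

# 2. Pre-flight the pilot users: each must be synced from on-prem (so a password hash
#    can exist in the cloud) and carry a UPN whose suffix is a verified tenant domain.
$group    = Get-MgGroup -Filter "displayName eq '$PilotGroup'" -Top 1
$verified = (Get-MgDomain | Where-Object IsVerified).Id
Get-MgGroupMember -GroupId $group.Id -All | ForEach-Object {
    $u = Get-MgUser -UserId $_.Id -Property userPrincipalName,onPremisesSyncEnabled,onPremisesLastSyncDateTime
    [pscustomobject]@{
        UPN      = $u.UserPrincipalName
        Synced   = [bool]$u.OnPremisesSyncEnabled
        LastSync = $u.OnPremisesLastSyncDateTime
        DomainOk = ($u.UserPrincipalName.Split('@')[-1]) -in $verified
    }
} | Format-Table -AutoSize

# 3. Create the Staged Rollout policy for PHS and scope it to the pilot group.
#    Use 'passthroughAuthentication' instead if PTA is the target.
$policy = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/policies/featureRolloutPolicies' -Body @{
        displayName             = 'PHS staged rollout - pilot'
        description             = 'Move pilot group from ADFS to cloud authentication'
        feature                 = 'passwordHashSync'
        isEnabled               = $true
        isAppliedToOrganization = $false
    }
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/policies/featureRolloutPolicies/$($policy.id)/appliesTo/`$ref" `
    -Body @{ '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($group.Id)" }

# 4. Read the policy back with its scope so the pilot can be audited.
Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/policies/featureRolloutPolicies/$($policy.id)?`$expand=appliesTo" |
    ForEach-Object { "{0}: feature={1} enabled={2} groups={3}" -f $_.displayName, $_.feature, $_.isEnabled,
                     (($_.appliesTo | ForEach-Object id) -join ',') }

# 5. Only after the pilot is signed off: convert the whole domain. This affects every
#    user in the domain, so it is a function to call deliberately, not run by default.
function Convert-DomainToManaged {
    param([Parameter(Mandatory)][string]$DomainId)
    Update-MgDomain -DomainId $DomainId -AuthenticationType Managed
    (Get-MgDomain -DomainId $DomainId).AuthenticationType   # expect 'Managed'
}
# Convert-DomainToManaged -DomainId $Domain
```

Run steps 1 to 4 during the pilot; users in the group will sign in against the cloud while everyone else still redirects to ADFS. Any pilot user whose row shows `Synced=False` or `DomainOk=False` will not get cloud authentication and should be fixed in Entra Connect first. Step 5 is the domain-wide cutover from the reply and is left commented out on purpose; run it once, after the Conditional Access and smartcard reviews the reply mentions.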