
Howdy folks,

 

I'm excited to announce that the staged rollout to cloud authentication is now available in public preview. This feature allows you to migrate your users’ authentication from federation (via AD FS, Ping Federate, Okta, or any other on-premises federation system) to cloud authentication in a staged and controlled manner. More than 100 customers have used this feature to successfully cut over to cloud authentication during our private preview.

 

Moving your Azure AD authentication from on-premises federation to the cloud allows you to manage user and device sign-in from your control plane in Azure AD. You'll benefit from reducing the dependency on on-premises infrastructure, which typically includes a farm of servers and proxies that need to be accessible from the internet. You won’t need to worry about patching servers, the availability and reliability of the authentication service, or managing ports on a firewall. In addition, you can also use staged rollout to move from a federated cloud identity provider to Azure AD authentication.

 

This helps you avoid a cutover of your entire domain and instead selectively test, on a group of users, cloud authentication capabilities like Azure Multi-Factor Authentication (MFA), Conditional Access, Identity Protection for leaked credentials, Identity Governance, and others.

 

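Learn more

- Check out our documentation to learn more about this feature and its prerequisites: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-staged-rollout
- Watch the video to see what is staged rollout in Azure AD: https://www.microsoft.com/en-us/videoplayer/embed/RE3inQJ
- Watch this video to learn how to configure staged rollout in Azure AD: https://www.microsoft.com/en-us/videoplayer/embed/RE3jqL0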

Alex Simons (@Alex_A_Simons)

Corporate VP of Program Management

Microsoft Identity Division 

14 Comments
New Contributor

Very cool. We are on the edge of doing a cutover migration, but now we can try it out in the production environment before the cutover :)

Alex Simons (AZURE), are there any concerns about enabling the staged rollout in a production tenant?
(It is a preview feature), but if it is only the experience of a migrated user that "may be" impacted by the preview statement, then I have no concerns?

@Micki Wulffeld - Yes, this is meant for production use and is only applied to the user who is enabled for staged rollout and not the entire federated domain. We had close to a hundred customers who did this during private preview before they could cut over. You can reach out to me at jitheshr@microsoft.com if you have any questions.

Contributor

We already have our O365 auth switched to Password Hash/SSO, however we still have a ton of 3rd party SaaS apps (ServiceNow for example) using ADFS, however they are set up to go to the on-prem ADFS server directly, so in that case I would not be able to use the Staged rollout since I have to work with the SaaS vendor to point to Azure AD instead of our ADFS server? If so, is there an easy way to migrate that?

New Contributor

Does this apply if we wanted to migrate just from on-prem MFA server to the Azure cloud MFA? Are there any other requirements / prerequisites for doing this so the user will NOT have to re-register for MFA (keep the same user settings as configured on the on-prem MFA server)? And the same question that Daniel Schmidt asked applies as well.

@Daniel - yes, this is not used for ADFS federations of apps. The feature is to only help you with Cloud Authentication of your Office 365 RelyingParty. After using staged rollout for a group of users, it would be easier for you to switch from Office 365 federation with ADFS to cloud authentication. For migrating your apps from ADFS to AzureAD - look at this space

https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/migrate-adfs-apps-to-azure

@Cristian Calinescu - If you are using Azure MFA Server, then moving the user to staged rollout will block the user as mentioned in our docs. You will need to move users off of MFA Server to Azure MFA before using staged rollout for testing cloud authentication. This scenario is also something we highlight when considering cloud authentication. Any on-premises dependencies need to be handled before considering cloud authentication.

New Contributor

 

Now that we activated it, we found that when typing https://webmail.ourdomain.dk or just http://mail.outdomain.dk , that are CNAME to outlook.com, we end up with our ADFS server as sign-in method, for users that are stage migrated.

So the domain conversion MS are doing is not redirecting to Cloud auth. (preview problem I guess)

Though it is working if you convert the whole domain (I tested in our test tenant)

@Micki Domain_hints and HRD acceleration policies which are supplying domain hints are not supported with staged rollout. We documented it.

Unsupported Scenarios

These scenarios are not supported for staged rollout: Certain applications send the "domain_hint" query parameter to Azure AD during authentication. These flows will continue and users enabled for staged rollout will continue to use federation for authentication.

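
The unsupported scenario quoted in the reply above can be checked for before users are added to a staged rollout group. The following is an added example, not part of the original thread and not Microsoft tooling: a small Python audit that scans captured sign-in request URLs for the `domain_hint` query parameter and reports which applications would keep sending staged-rollout users to federation. The app names, client IDs, URLs and the domain `ourdomain.example` are constructed sample data.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample data (not from the thread): domains still federated in the tenant.
FEDERATED_DOMAINS = {"ourdomain.example"}

# Constructed sign-in request URLs, as they might be exported from a proxy log
# or a browser trace. App names and client_id values are placeholders.
SAMPLE_REQUESTS = [
    ("mail-shortcut",
     "https://login.microsoftonline.com/common/oauth2/authorize"
     "?client_id=00000000-0000-0000-0000-000000000001"
     "&response_type=code&domain_hint=OurDomain.example"),
    ("intranet-portal",
     "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
     "?client_id=00000000-0000-0000-0000-000000000002"
     "&response_type=code&scope=openid"),
    ("partner-app",
     "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
     "?client_id=00000000-0000-0000-0000-000000000003"
     "&response_type=code&domain_hint=partner.example"),
]


def domain_hint_of(url):
    """Return the lower-cased domain_hint of a sign-in request URL, or None.

    The parameter name is matched case-insensitively so the audit errs on
    the side of flagging a request rather than missing it.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for name, values in query.items():
        if name.lower() == "domain_hint":
            return values[-1].strip().lower()
    return None


def audit(requests, federated_domains):
    """Classify each (app, url) pair by how its domain_hint interacts with staged rollout.

    stays-federated   : hint names a federated domain, so users enabled for
                        staged rollout still authenticate through federation
    hint-other-domain : a hint is sent, but not for a domain in the federated list
    no-hint           : no domain_hint, staged rollout applies normally
    """
    federated = {d.lower() for d in federated_domains}
    results = []
    for app, url in requests:
        hint = domain_hint_of(url)
        if hint is None:
            verdict = "no-hint"
        elif hint in federated:
            verdict = "stays-federated"
        else:
            verdict = "hint-other-domain"
        results.append((app, hint, verdict))
    return results


def apps_to_fix(requests, federated_domains):
    """Names of the apps whose sign-in requests bypass staged rollout."""
    return [app for app, _, verdict in audit(requests, federated_domains)
            if verdict == "stays-federated"]


if __name__ == "__main__":
    for app, hint, verdict in audit(SAMPLE_REQUESTS, FEDERATED_DOMAINS):
        print(f"{app:20} hint={hint!s:20} {verdict}")
```

Apps reported as `stays-federated` need their `domain_hint` removed, or must wait for the full domain conversion, before their users' sign-ins reflect the staged rollout.
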
Occasional Contributor

  

New Contributor

@Jithesh Raj (JR) - So, if we move the users from the on-prem MFA server to Azure MFA, that would mean that the users will need to re-register. That's exactly what we're trying to avoid, and we would like to migrate the users to Azure MFA without having to re-register. Thought that Staged Rollout would help us achieve this.

@Cristian Calinescu - Cloud Authentication (PHS/PTA) does not support Azure MFA Server and this is something we have documented. Staged Rollout is about helping you migrate users from federated IDP to Cloud Authentication and not MFA migration.

 

 

New Contributor

@Jithesh Raj (JR) - That is the main reason we want to migrate to Azure MFA (cloud), to be able to switch to modern authentication, but the main problem is that we don't want to have to cut off the users from Azure MFA Server (on-prem) and re-register all users to Azure MFA. And, currently there is no migration path for migrating users from on-prem MFA to Azure MFA. Hopefully Microsoft will provide some guidance in this scenario or develop a tool which will help with this kind of migration. Thank you for your reply, much appreciated!

Frequent Visitor

This is awesome news. My Org is coming up quickly on cutting over to Cloud Authentication, so this preview is a huge win for us. I'll be completing the necessary setup this week and testing with some of our IT staff.

New Contributor

If anyone is provisioning disabled users with the [Must change pw nxt logon] AD flag, and activating them later, you might run into PasswordHashSync problems.
https://techcommunity.microsoft.com/t5/ITOps-Talk-Blog/PowerShell-Basics-How-to-Force-a-Full-Passwor...