Mar 31 2022 02:46 AM
Mar 31 2022 02:46 AM
We have a requirement, users in the environment is currently using the primary Authentication method as Password hash synchronization, which has to be changed to ADFS authentication.
In the current environment we have existing ADFS infrastructure in place, We wanted to have the federation between on premises active directory and Azure AD, then we want the users primary authentication method to be changed from Password hash synchronization to ADFS authentication.
In addition, there are multiple custom domains added as verified domains in Azure AD, which are currently set as with the domain type as "Managed"
Below is the plan we have Created to change the Authentication Mechanism
1. Convert all the domains type from Managed to federated using the commands
Convert-MsolDomainToFederated -DomainName abc.com -SupportMultipleDomain
Followed by the above command, We will execute the below commands for all other domains.
Convert-MsolDomainToFederated -DomainName xyz.com
Convert-MsolDomainToFederated -DomainName test.com
2. Then change the user sign in method present in Azure AD connect server from Password hash synchronization to Federation with ADFS
We would like to clarify the following queries
Is there a way to go with the staged approach, Say for example, change any single domain at a time from Managed to Federated, then change user sign in on the Azure AD connect server from Password hash synchronization to Federation ? If your answer is yes, the other managed domains would continue to use Password Hash synchronization as the primary authentication method ?
What would be the end user experience and Impact , when we convert the domain type from managed to federated and set the primary authentication method as ADFS ? Should users need to sign out and sign in back to office 365 services ?
What would be the default time taken configured by Microsoft to switch all the users authentication completely from PHS to ADFS authentication ?
Any other important considerations which is not captured and that has to be taken care for this activity ?
Appreciate your view and inputs on this query.
Apr 04 2022 02:53 AM
For Your first question, answer is yes. And because you are probably using -SupportMultipleDomain switch it does not change the other endpoints, which are still configured to point to the federation service.
So you could change one domain to managed and others will remain federated.
For your second question, it depends on the token life time. The authentication and authorization relies on the token after you have successfully logged in. When the token dies, the sessions dies and they have to re-authenticate but then they will do auth with out ADFS as the domain is managed.
To the third question I don't have an answer but transferring from ADFS to PHS could take up-to 3hrs but but I haven't seen this long delays but just to be on the safe side.
My suggestion is to use PTA instead of pure ADFS and eventually switch your users to cloud-based authentication if possible in the long run.
Hopefully this helps,