SOLVED

Changing Azure AD Federation provider

Hi,

We have an M365 tenant which is federated with Okta for authentication.

All user provisioning & authentication for M365 is handled by Okta. Okta in turn is federated to our on-prem Active Directory and we have agents similar to Azure AD Connect for user sync & pass-through authentication.

Current user sync cycle:

On-Prem AD -sync-> Okta -sync-> Azure AD

We have all users provisioned in M365 using this configuration and only MS Teams & SharePoint Online are being used as of now. Exchange is not provisioned.

We are now moving towards completely getting rid of Okta from the M365 integration and are planning to configure Azure AD Connect to provision users and use pass-through auth for authentication.

Since we have some services already provisioned and users are actively using them, what are the important things we need to consider/plan for a smooth migration from Okta to a direct on-prem AD federation? An article which is "almost" similar to my scenario is about migration from ADFS to pass-through authentication, as mentioned in the article below. I am hoping at a high level things will be similar in my scenario as well and I can also use the staged rollout feature. (Please correct me if I am wrong here.)

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-migrate-adfs-pass-through-authen...

Any tips or reference articles will be highly appreciated.

7 Replies

@unnie ayilliath Trying to get the situation here. So your Active Directory is not synced to AAD yet?

AD is not synced directly to Azure AD, but synced first to Okta & Okta later syncs users to Azure AD. Okta is acting as an intermediary service between Azure AD & AD. I want to remove it and set up Azure AD Connect for user sync and pass-through cloud authentication.

@unnie ayilliath That is something I have not dealt with so far, but I assume you can set up your own Azure AD Connect server as a staging server to take over the running server from Okta. You have to take care of the source anchor, and be sure your accounts will soft match with the UPN suffix.

@Sander Berkouwer might have some tips for you on this topic.

Solution

I feel there are two challenges to solve:

  1. Making sure your colleagues synchronize correctly end-to-end.
  2. Switching federation with Okta to Azure AD Connect PTA.

The current setup keeps user objects in Active Directory in sync with user objects in Azure AD. To make sure the same objects on both ends are matched end-to-end, I'd recommend hard matching by setting the source anchor attributes on both ends. There's more information on end-to-end matching here. To avoid multiple synchronization engines writing to Azure AD and possibly introducing last-write errors, I'd also recommend using Staging Mode in Azure AD Connect while Okta still actively synchronizes.

From Azure AD's point of view, it doesn't matter which federation solution you use. Whether it's Okta, HelloID or PingFederate, you can use the staged roll-out feature with all of them.

@Sander Berkouwer Thanks Sander.

@unnie ayilliath is this something you can work with?

@Sander Berkouwer @JanBakker330 Thanks a lot, both of you, for the tips & help.

Regarding the hard matching, when we set up Okta to Azure AD user provisioning, the AD ObjectGuid attribute value is mapped to the ImmutableID in Azure AD. So, I am assuming this makes it easy for us to do the hard matching in Azure AD Connect.
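
Added example (not part of the thread and not code from any poster): a pre-cutover audit of the hard-matching point discussed above, run while Azure AD Connect is still in Staging Mode. It assumes the ImmutableID is the Base64 of the objectGUID's byte array in .NET order, which is what Azure AD Connect computes for an objectGUID-based source anchor; whether the Okta mapping wrote that exact encoding must be verified against the tenant. The field names and sample users are constructed.

```python
import base64
import uuid


def immutable_id(object_guid: str) -> str:
    """Base64 of the GUID in .NET Guid.ToByteArray() order (first three fields little-endian)."""
    return base64.b64encode(uuid.UUID(object_guid).bytes_le).decode("ascii")


def audit_hard_match(ad_users, cloud_users):
    """Sort on-prem users by how they would pair with existing cloud objects."""
    by_anchor = {c["immutableId"]: c for c in cloud_users if c.get("immutableId")}
    by_upn = {c["upn"].lower(): c for c in cloud_users}
    report = {"hard_match": [], "soft_match_only": [], "anchor_conflict": [], "no_cloud_object": []}
    for user in ad_users:
        upn = user["upn"].lower()
        cloud = by_upn.get(upn)
        if immutable_id(user["objectGuid"]) in by_anchor:
            report["hard_match"].append(upn)
        elif cloud is None:
            report["no_cloud_object"].append(upn)
        elif cloud.get("immutableId"):
            report["anchor_conflict"].append(upn)   # UPN matches, anchor differs
        else:
            report["soft_match_only"].append(upn)   # no anchor set in the cloud
    return report


# Constructed sample data (not from the thread).
AD_USERS = [
    {"upn": "alice@example.com", "objectGuid": "00112233-4455-6677-8899-aabbccddeeff"},
    {"upn": "bob@example.com",   "objectGuid": "0a1b2c3d-4e5f-4071-8293-a4b5c6d7e8f9"},
    {"upn": "carol@example.com", "objectGuid": "11111111-2222-4333-8444-555555555555"},
    {"upn": "dave@example.com",  "objectGuid": "99999999-8888-4777-8666-555555555555"},
]
CLOUD_USERS = [
    {"upn": "alice@example.com", "immutableId": "MyIRAFVEd2aImaq7zN3u/w=="},
    {"upn": "bob@example.com", "immutableId": None},
    # Anchor encoded from RFC 4122 (big-endian) bytes: same GUID, different string.
    {"upn": "carol@example.com",
     "immutableId": base64.b64encode(uuid.UUID(AD_USERS[2]["objectGuid"]).bytes).decode()},
]

if __name__ == "__main__":
    for bucket, upns in audit_hard_match(AD_USERS, CLOUD_USERS).items():
        print(f"{bucket}: {upns}")
```

Anything outside the `hard_match` bucket is worth resolving before Azure AD Connect leaves Staging Mode, since those accounts depend on soft matching or will not pair with their existing cloud object.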