Confidently modernize to cloud authentication with Azure AD staged rollout, now generally available

Published Apr 05 2021 01:00 PM

Howdy folks,

 

I’m excited to announce that staged rollout to cloud authentication is now generally available! This feature allows you to selectively test groups of users with cloud authentication methods, such as pass-through authentication (PTA) or password hash sync (PHS), while all other users in the federated domains continue to authenticate through federation services such as AD FS, Ping Federate, Okta, or any other federation service.

 

Moving your Azure AD authentication from federation services to the cloud allows you to manage user and device sign-in from a single control plane in Azure AD. The benefits of cloud authentication include reducing the dependency on on-premises infrastructure, which typically includes a farm of servers and proxies that need to be accessible from the internet. In addition, you can take advantage of security capabilities like Azure AD multifactor authentication (MFA), Conditional Access, Identity Protection for leaked credentials, Identity Governance, and more.

 

New with general availability, we’ve added the ability to monitor the users and groups added to or removed from staged rollout, as well as user sign-ins while in staged rollout, using the new Hybrid Auth workbooks in the Azure portal. In addition, we’ve built a staged rollout interactive guide to help you learn more and deploy this feature.

 

 


Hybrid Auth workbook

 

As always, we’d love to hear your feedback or suggestions in the comments or on Twitter (@AzureAD).


Alex Simons (@Alex_A_Simons)

Corporate VP of Program Management

Microsoft Identity Division

 

 

Last update: Apr 05 2021 09:06 AM