Confidently modernize to cloud authentication with Azure AD staged rollout, now generally available

Published 04-05-2021 01:00 PM

Howdy folks,

I’m excited to announce that staged rollout to cloud authentication (https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-staged-rollout) is now generally available! Staged rollout lets you move selected groups of users to a cloud authentication method, pass-through authentication (PTA, https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta) or password hash sync (PHS, https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-phs), while every other user in the same federated domains keeps authenticating through your federation service, whether that is AD FS, PingFederate, Okta, or another identity provider. The domain itself stays federated throughout; only the users in the rollout groups are switched, so you can test cloud authentication on a pilot group and send those users back to federation simply by removing the group, without cutting the domain over.
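As an added example (not code from the original post or from Microsoft's documentation), the PowerShell function below performs the step described above: it creates or enables the rollout policy for one cloud authentication feature and scopes it to a pilot group. It assumes the AzureAD PowerShell module and an existing Connect-AzureAD session under an account allowed to manage authentication policies, and that the prerequisite for the chosen feature is already in place (PHS enabled in Azure AD Connect, or PTA agents installed). The group name is a placeholder.

```powershell
# Added example, not code from the original post. Assumes the AzureAD module,
# a Connect-AzureAD session with rights to manage authentication policies,
# and that PHS is enabled (or PTA agents are installed) for the chosen feature.
Import-Module AzureAD

function Enable-CloudAuthStagedRollout {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('PasswordHashSync', 'PassthroughAuthentication', 'SeamlessSso')]
        [string]$Feature,

        [Parameter(Mandatory)]
        [string]$PilotGroupName   # placeholder name of the pilot security group
    )

    # Rollout groups must be security groups; nested and dynamic groups are not
    # supported, so refuse them here instead of discovering it in sign-in logs.
    $group = Get-AzureADMSGroup -Filter "displayName eq '$PilotGroupName'"
    if (-not $group)                 { throw "Group '$PilotGroupName' not found." }
    if (@($group).Count -ne 1)       { throw "Group name '$PilotGroupName' is ambiguous." }
    if (-not $group.SecurityEnabled) { throw "'$PilotGroupName' is not a security group." }
    if ($group.GroupTypes -contains 'DynamicMembership') {
        throw "'$PilotGroupName' is a dynamic group, which staged rollout does not support."
    }

    # One policy object exists per feature; reuse it so the script is safe to re-run.
    $policy = Get-AzureADMSFeatureRolloutPolicy | Where-Object { $_.Feature -eq $Feature }
    if (-not $policy) {
        $policy = New-AzureADMSFeatureRolloutPolicy -Feature $Feature `
            -DisplayName "Staged rollout: $Feature" `
            -Description "Pilot of $Feature for $PilotGroupName" `
            -IsEnabled $true
    }
    elseif (-not $policy.IsEnabled) {
        Set-AzureADMSFeatureRolloutPolicy -Id $policy.Id -IsEnabled $true
    }

    # Scope the policy to the pilot group. Members authenticate in the cloud on
    # subsequent sign-ins; everyone else in the federated domain is unaffected.
    Add-AzureADMSFeatureRolloutPolicyDirectoryObject -Id $policy.Id -RefObjectId $group.Id

    Get-AzureADMSFeatureRolloutPolicy -Id $policy.Id
}

# Pilot PHS first; PTA can be piloted the same way with its own group.
Enable-CloudAuthStagedRollout -Feature PasswordHashSync -PilotGroupName 'SG-CloudAuth-Pilot'
```

Removing the group from the policy (Remove-AzureADMSFeatureRolloutPolicyDirectoryObject) sends its members back to federation, which is the fallback plan while the domain is still federated. Before adding a group, make sure Conditional Access already covers the pilot users: their sign-ins no longer pass through the federation server, so nothing enforced there (claim rules, federation-side MFA, IP restrictions) applies to them any more.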

 

Moving Azure AD authentication from a federation service to the cloud lets you manage user and device sign-in from a single control plane in Azure AD. It reduces your dependency on on-premises infrastructure, which for federation typically means a farm of servers and proxies that must be reachable from the internet, and it puts sign-in policy where your cloud security controls live: Azure AD multifactor authentication (MFA), Conditional Access, Identity Protection (its leaked-credential detection requires PHS), Identity Governance, and more. One caveat to plan for: users in a staged rollout group no longer pass through your federation server, so any controls enforced there (claim rules, federation-side MFA, IP restrictions) must be replaced by Conditional Access policies before those users are moved.

New with general availability, you can monitor the users and groups added to or removed from staged rollout, and the sign-ins of users while they are in staged rollout, using the new Hybrid Auth workbooks in the Azure portal. We have also built a staged rollout interactive guide (https://mslearn.cloudguides.com/en-us/guides/Test%20migration%20to%20cloud%20authentication%20using%20staged%20rollout%20in%20Azure%20AD) to help you learn more and deploy this feature.

 

 

[Image: Hybrid Auth workbook]

As always, we’d love to hear your feedback or suggestions in the comments or on Twitter (@AzureAD).


Alex Simons (@Alex_A_Simons)

Corporate VP of Program Management

Microsoft Identity Division

 

 

Learn more about Microsoft identity:

- Return to the Azure Active Directory Identity blog home (https://techcommunity.microsoft.com/t5/azure-active-directory-identity/bg-p/Identity)
- Join the conversation on Twitter (https://twitter.com/azuread/status/1278418103903363074) and LinkedIn (https://www.linkedin.com/showcase/microsoft-security/)
- Share product suggestions on the Azure Feedback Forum (https://feedback.azure.com/forums/169401-azure-active-directory)

Comments

Daniel_Fors (Senior Member):

Hey!!
Maybe it's only me, but our Log Analytics for sign-ins does not store the AuthenticationDetail of "StagedMigration". I have old KQL queries where I ask for the same, but I do not have that anymore (rendering my old KQLs useless as well).
Not sure if this has changed on the back end, or if it's just something on my side?
The only thing we do not send to Log Analytics is the non-interactive sign-ons.

So the workbook, in this state, is useless to me.

@Daniel_Fors - If you are seeing the authentication detail in your sign-in logs and not in Log Analytics, please send a request to our support to investigate the data flow into Log Analytics.

Daniel_Fors (Senior Member):

Hey!!
I am seeing all the details in Log Analytics, but the query in the workbook is looking for "(AuthMethod has "StagedRollout")", and I have all my users in Staged Migration, and I used to see this AuthMethod, but now I do not.

I do see "Text Message" or "Password" as AuthMethod (with the Auth Detail = "Password Hash Sync" for Password); see the picture below.

Would a Password Hash Sync logon be considered "Staged Migration" authentication, since my old query asked for AuthMethod "PHS, StagedRollout"?

 

[Image: Daniel_Fors_0-1617815001459.png]

 

Another commenter (Occasional Visitor):

We have set this up, it works, and almost all users are in the 'staged group'.

We want to make the "final switch", but...

- Documentation on how to do this and how to have a 'fallback plan' is almost non-existent.

- We still see numerous, daily, successful ADFS sign-ins from almost ALL users in the Azure AD sign-in logs (filter: token issuer ADFS).

The last issue leads us to believe some major disruption will occur when switching over. We have no idea what causes the ADFS sign-ins. There are no non-Microsoft apps using ADFS. They are not legacy authentication mobile apps. They are all forms authentication. I am clueless as to how to retrace which app or website causes these logins, or whether it is normal because ADFS is still in place.
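The post's note on monitoring sign-ins while in staged rollout and the question in the comment above (which application or client keeps producing AD FS sign-ins) call for the same triage, so here is one added example that serves both. It is not the Hybrid Auth workbook's query and not anything posted in the comments. It runs offline over sign-in records in the shape of the Log Analytics SigninLogs table, keying on the TokenIssuerType column (ADFederationServices marks an AD FS-issued token) and the AuthenticationDetails column. The sample records are constructed; the "Password Hash Sync" detail string is the one quoted in the comment above, and the "Pass-through Authentication" string is an assumption.

```powershell
# Added example, not from the original post, the Hybrid Auth workbook, or the
# comments. Classifies exported SigninLogs records by how the token was issued
# and reports what still goes through AD FS. The sample data is constructed.

function Get-SignInAuthPath {
    # Returns Federated, CloudPHS, CloudPTA or CloudOther for one record.
    param([Parameter(Mandatory)][object]$Record)

    # TokenIssuerType is the SigninLogs column; ADFederationServices marks an
    # AD FS-issued token regardless of what AuthenticationDetails contains.
    if ($Record.TokenIssuerType -eq 'ADFederationServices') { return 'Federated' }

    # AuthenticationDetails is a JSON array of authentication steps when
    # exported; accept either the raw string or an already parsed array.
    $raw = $Record.AuthenticationDetails
    $steps = if ($raw -is [string] -and $raw.Trim()) { @(ConvertFrom-Json -InputObject $raw) } else { @($raw) }
    $password = $steps | Where-Object { $_ -and $_.authenticationMethod -eq 'Password' } | Select-Object -First 1
    $detail = [string]$password.authenticationMethodDetail

    # "Password Hash Sync" is the detail string quoted in the comment above;
    # the pass-through string is assumed, so it is matched loosely.
    if ($detail -like 'Password Hash Sync*') { return 'CloudPHS' }
    if ($detail -like 'Pass-through*')       { return 'CloudPTA' }
    return 'CloudOther'
}

function Get-StagedRolloutReport {
    # Summarises successful sign-ins by path and lists the app/client pairs
    # that still obtain tokens through AD FS.
    param([Parameter(Mandatory)][object[]]$SignIns)

    $rows = foreach ($s in $SignIns) {
        if ([string]$s.ResultType -ne '0') { continue }   # successes only
        [pscustomobject]@{
            User   = $s.UserPrincipalName
            App    = $s.AppDisplayName
            Client = $s.ClientAppUsed
            Path   = Get-SignInAuthPath -Record $s
        }
    }

    $adfsByApp = $rows | Where-Object Path -eq 'Federated' |
        Group-Object App, Client | Sort-Object Count -Descending | ForEach-Object {
            [pscustomobject]@{ App = $_.Group[0].App; Client = $_.Group[0].Client; Count = $_.Count }
        }

    # A user with both cloud and federated successes is in the rollout group
    # (the cloud sign-ins prove it) yet some client still sends them to AD FS.
    $mixedUsers = $rows | Group-Object User | Where-Object {
        @($_.Group | Where-Object Path -eq 'Federated').Count -gt 0 -and
        @($_.Group | Where-Object Path -like 'Cloud*').Count -gt 0
    } | ForEach-Object Name

    [pscustomobject]@{
        ByPath         = $rows | Group-Object Path | Sort-Object Name | Select-Object Name, Count
        AdfsByApp      = @($adfsByApp)
        MixedPathUsers = @($mixedUsers)
    }
}

# Constructed sample records in the SigninLogs column shape (app names are placeholders).
$phs = '[{"authenticationMethod":"Password","authenticationMethodDetail":"Password Hash Sync","succeeded":true}]'
$pta = '[{"authenticationMethod":"Password","authenticationMethodDetail":"Pass-through Authentication","succeeded":true}]'
$sample = @(
    [pscustomobject]@{ UserPrincipalName='alice@contoso.com'; AppDisplayName='Office 365 SharePoint Online'; ClientAppUsed='Browser'; ResultType='0'; TokenIssuerType='AzureAD'; AuthenticationDetails=$phs }
    [pscustomobject]@{ UserPrincipalName='alice@contoso.com'; AppDisplayName='Contoso Intranet'; ClientAppUsed='Browser'; ResultType='0'; TokenIssuerType='ADFederationServices'; AuthenticationDetails='[]' }
    [pscustomobject]@{ UserPrincipalName='bob@contoso.com'; AppDisplayName='Office 365 Exchange Online'; ClientAppUsed='Browser'; ResultType='0'; TokenIssuerType='AzureAD'; AuthenticationDetails=$pta }
    [pscustomobject]@{ UserPrincipalName='bob@contoso.com'; AppDisplayName='Office 365 Exchange Online'; ClientAppUsed='Exchange ActiveSync'; ResultType='0'; TokenIssuerType='ADFederationServices'; AuthenticationDetails='[]' }
    [pscustomobject]@{ UserPrincipalName='carol@contoso.com'; AppDisplayName='Contoso Intranet'; ClientAppUsed='Browser'; ResultType='0'; TokenIssuerType='ADFederationServices'; AuthenticationDetails='[]' }
    [pscustomobject]@{ UserPrincipalName='carol@contoso.com'; AppDisplayName='Azure Portal'; ClientAppUsed='Browser'; ResultType='50126'; TokenIssuerType='AzureAD'; AuthenticationDetails='[]' }
)

$report = Get-StagedRolloutReport -SignIns $sample
$report.ByPath | Format-Table -AutoSize
$report.AdfsByApp | Format-Table -AutoSize
"Users on both paths: $($report.MixedPathUsers -join ', ')"
```

AdfsByApp answers the "which app" question: the federated successes grouped by application and client, largest first, are where the remaining AD FS traffic comes from. MixedPathUsers narrows it further, because a user who also has cloud sign-ins is demonstrably in the rollout group, so their remaining AD FS sign-ins come from a flow that staged rollout does not intercept; the staged rollout documentation lists applications that send a domain_hint parameter as one such flow. In a live tenant the same grouping is a KQL query against SigninLogs using the same column names.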


Last update: Apr 05 2021 09:06 AM