Mitsui said goodbye to ADFS using Azure AD staged rollout

Published 12-17-2019 10:30 AM 21.8K Views



I love it when customers meet their business goals using newly available identity capabilities! This post in the ‘Voice of the Customer’ series is such a story. Mr. Ichinose, IT Manager Mitsui & Co and Mr. Saze, Project Manager, Mitsui Knowledge Industry, describe how Azure Active Directory (Azure AD) staged rollout simplified the transition from Active Directory Federation Services to Azure AD authentication. Mitsui & Co. is a company with offices and customers all over the globe. If you are curious about how a large company transitioned users from a legacy system to Azure AD with ZERO support calls, this post is for you.



Minimize user disruption with Azure AD staged rollout

By Mr. Ichinose, IT Manager, Mitsui & Co. and Mr. Saze, Project Manager, Mitsui Knowledge Industry



We believe that a successful transition to cloud-based services hinges on a well-designed identity strategy. The cloud can empower creativity and productivity. But only if authentication is secure and services are easy to access. In our roles as the IT Manager at Mitsui and Project Manager at Mitsui Knowledge Industry, we needed to migrate user authentication off Active Directory Federation Services to support our digital transformation goals. Azure AD staged rollout simplified the process for users and IT administrators.


Mitsui & Co., headquartered in Japan, is a global company that invests in businesses across several product lines in 66 countries and regions. Like many multinational companies founded in the 20th century, the company’s business processes are built on legacy systems and assets. Mitsui Knowledge Industries is a 100% subsidiary of Mitsui & Co that supports IT infrastructure, planning and implementation of digital transformation initiatives for its parent company. We selected Azure AD based cloud authentication for the following reasons:


Cloud authentication is more secure than federated authentication.

High availability and disaster recovery offered by Microsoft Azure

Cost reductions associated with eliminating Active Directory Federation Services servers and proxy servers.


A thoughtful migration plan resulted in zero support calls

Azure AD Staged rollout gave us the tools to implement a well-planned cutover. Once we set up modern authentication and Conditional Access, we created a test environment and split our users into groups. We tested our implementation of Azure AD with small groups. We evaluated how each step affected users and made changes as we went. This process simplified testing for our IT administrators.


When we rolled out the new authentication model to larger groups, our users also benefited from the early testing process. We did not invest in any education before we began this initiative, but because we took a slow deliberate approach, users were able to transition to Azure AD authentication easily. In fact, we received zero support calls.


Figure 1 shows Azure AD Staged Rollout enabled in Azure AD ConnectFigure 1 shows Azure AD Staged Rollout enabled in Azure AD Connect


Azure AD accelerated SaaS Integration

When we selected cloud authentication, we expected to reduce costs, improve high availability, and remove burdensome server management from our IT administrators. These goals were realized. One benefit that we didn’t anticipate: it is now much easier to integrate Software as a Service (SaaS) apps. Before the migration, we integrated four apps over six years. Since moving to Azure AD we’ve onboarded 20 apps in six months! A huge productivity gain.


Figure 2: Azure AD supports more than 2,800 pre-integrated software as a service (SaaS) applications.Figure 2: Azure AD supports more than 2,800 pre-integrated software as a service (SaaS) applications.



Next up: Shifting to a Zero Trust model

Our partners in the Microsoft Identity PM team were instrumental in helping us migrate from Active Directory Federation Services to Azure AD. We work with a lot of vendors, and the Microsoft Identity PM team is special. It is rare for a partner to be so involved from start to finish. Together we have enabled single sign-on, conditional access policies, and privileged identity management to better secure our identities.


Moving forward, we are collaborating with Microsoft to move towards passworldess and eventually a Zero Trust model. These initiatives include:

  • Password policy modernization
  • Self-service password reset
  • Passwordless implementation across the organization



Learn more

I hope the Mitsui & Co. story inspired you to investigate Azure AD staged rollout. If you are looking for other tips from our customers, take a look at the other stories in the ‘Voice of the Customer’ series.


Regular Visitor
What end-user licenses are required for this?
Occasional Visitor

Pretty sure they'll need azure premium 1  lic. Which is also a part of the EMS lic package.

It is not included in just office 365 E1 or E3. 

Senior Member

This is a great article. I want to know more detailed information. Is there a limit to the number of users that can be initially migrated with Azure AD staged rollout?

Frequent Visitor

The users would need either a Azure AD P1 OR P2 OR EMS+E3 OR EMS+E5 licences.

Frequent Visitor

You can migrate around 200 members initially by adding them to a group to avoid a UX timeout. See below article for detailed information

Occasional Visitor

Great article, Nice to know about Staged roll out through AADC.

New Contributor
Privileged Identity Management is a feature of AAD P2, if I'm not mistaken
Senior Member

After the initial 200 user upload, how many users can be added to the group in a single upload or is it unlimited? 

Senior Member

Is there a process to approve SaaS Integrations? As a business, we're concerned where our data can go, once it's outside of our environment. See the following from Krebs about phishing for access, bypassing passwords and MFA...

Regular Visitor

Is there a detailed information on this? I am interested to know how they completed the production cut-over from the staged rollout? 

Occasional Contributor

I would also be interested in the information how to finalize.

Do i just need to switch it on the ad connect server? Or disable the staged rollout first and then do the switch?

Frequent Visitor

When you first add a security group for staged rollout, you're limited to 200 users to avoid a UX time-out. After you've added the group, you can add more users directly to it, as required.

New Contributor

What is not clear from this is if PHS was deployed or PTA ? Would have been more useful if we knew what method was deployed?  I like the idea of PHS, however for large organizations 15,000 users i dont know how you get around some of the PHS limitations ?


  1. locked onprem account not respected in Azure
  2. change password at next logon is not respected in Azure

2.a) If we used Azure “SSPR” and turned on password writeback, then this setting would be respected in Azure AD . Sadly we do not use “SSPR”

  1. restricted logon hours not respected in Azure
  2. password is expired not respected in Azure
Occasional Contributor

Just FYI folks, we are using only the Microsoft 365 Business (standard and premium) accounts, and the staged rollout appears to be available for us.  That means we can do this with only the basic AAD license that the business account gives us.  I've not tested it yet, but all the functions appear to be there.  If this does work as expected, we plan to move a simple local AD set of users to AAD/cloud only authentication and eventually remove our local AD structure.

Regular Visitor

Just did the PTA switch over from ADFS using following procedures ( in this case , we built a new server to host Azure AD with PTA)


1. Disabled the staged roll-out (rolled out for about 20 users)

2. Performed Azure AD Swing Migration -

3. Performed the migration from ADFS to PTA - Download the document Migrate from AD FS to Pass-through Authentication 


The above procedures were flawless and we are able to migrate without any issues.




Version history
Last update:
‎Jul 24 2020 01:26 AM
Updated by: