Mitsui said goodbye to ADFS using Azure AD staged rollout
Microsoft

Hello!

I love it when customers meet their business goals using newly available identity capabilities! This post in the ‘Voice of the Customer’ series is such a story. Mr. Ichinose, IT Manager, Mitsui & Co., and Mr. Saze, Project Manager, Mitsui Knowledge Industry, describe how Azure Active Directory (Azure AD) staged rollout simplified the transition from Active Directory Federation Services to Azure AD authentication. Mitsui & Co. is a company with offices and customers all over the globe. If you are curious about how a large company transitioned users from a legacy system to Azure AD with ZERO support calls, this post is for you.

Minimize user disruption with Azure AD staged rollout

By Mr. Ichinose, IT Manager, Mitsui & Co., and Mr. Saze, Project Manager, Mitsui Knowledge Industry

We believe that a successful transition to cloud-based services hinges on a well-designed identity strategy. The cloud can empower creativity and productivity. But only if authentication is secure and services are easy to access. In our roles as the IT Manager at Mitsui and Project Manager at Mitsui Knowledge Industry, we needed to migrate user authentication off Active Directory Federation Services to support our digital transformation goals. Azure AD staged rollout simplified the process for users and IT administrators.

Mitsui & Co., headquartered in Japan, is a global company that invests in businesses across several product lines in 66 countries and regions. Like many multinational companies founded in the 20th century, the company’s business processes are built on legacy systems and assets. Mitsui Knowledge Industry is a 100% subsidiary of Mitsui & Co. that supports IT infrastructure, planning and implementation of digital transformation initiatives for its parent company. We selected Azure AD-based cloud authentication for the following reasons:

  • Cloud authentication is more secure than federated authentication.
  • High availability and disaster recovery offered by Microsoft Azure.
  • Cost reductions associated with eliminating Active Directory Federation Services servers and proxy servers.

A thoughtful migration plan resulted in zero support calls

Azure AD staged rollout gave us the tools to implement a well-planned cutover. Once we set up modern authentication and Conditional Access, we created a test environment and split our users into groups. We tested our implementation of Azure AD with small groups, evaluated how each step affected users, and made changes as we went. This process simplified testing for our IT administrators.

When we rolled out the new authentication model to larger groups, our users also benefited from the early testing process. We did not invest in any education before we began this initiative, but because we took a slow, deliberate approach, users were able to transition to Azure AD authentication easily. In fact, we received zero support calls.
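The cutover approach described above (pilot with small groups, evaluate, then widen to larger groups) can be planned mechanically before anyone touches the staged-rollout group. The Python below is an added example, not code from Mitsui, Mitsui Knowledge Industry or Microsoft: it takes a constructed user list, puts the pilot cohort in the first wave, interleaves the remaining users across departments so that every wave exercises each department's applications, and caps every wave at 200 members, the per-group figure given in the comment thread on this post for avoiding a UX timeout. The `User` type, the `plan_waves` and `validate_waves` names, the sample directory and the default wave progression of 10, 50 and 200 are assumptions of this example; its output is a list of UPN batches for an administrator to add to the staged-rollout group, not an API call against the directory.

```python
"""Plan staged-rollout waves for moving users to cloud authentication.

Added example; not Mitsui's or Microsoft's code. Produces batches of UPNs
to add to a staged-rollout group: pilot cohort first, department-mixed after.
"""
from collections import defaultdict
from dataclasses import dataclass
from itertools import zip_longest

# Per the comment thread on this post: add roughly 200 members per group
# initially to avoid a UX timeout. Treated here as a hard cap per wave.
MAX_GROUP_ADD = 200

# Assumed default progression: small pilot-sized waves first, then the cap.
DEFAULT_WAVE_SIZES = (10, 50, 200)


@dataclass(frozen=True)
class User:
    upn: str          # userPrincipalName, e.g. alice@example.com (constructed)
    department: str
    pilot: bool = False


def _mix_departments(users):
    """Interleave users across departments so each wave samples every department.

    A problem specific to one department's apps then surfaces in an early,
    small wave instead of when that whole department is cut over at once.
    """
    by_dept = defaultdict(list)
    for user in sorted(users, key=lambda u: (u.department, u.upn)):
        by_dept[user.department].append(user)
    mixed = []
    for row in zip_longest(*by_dept.values()):
        mixed.extend(u for u in row if u is not None)
    return mixed


def plan_waves(users, wave_sizes=DEFAULT_WAVE_SIZES, max_group_add=MAX_GROUP_ADD):
    """Return rollout waves as lists of UPNs.

    Wave 0 is the pilot cohort (split only if it exceeds the cap). Later
    waves follow wave_sizes, repeating the last size, never above the cap.
    """
    upns = [u.upn for u in users]
    if len(set(upns)) != len(upns):
        raise ValueError("duplicate UPNs in input; a user must be in exactly one wave")
    if not wave_sizes or min(wave_sizes) < 1:
        raise ValueError("wave_sizes must be positive")

    pilots = [u for u in users if u.pilot]
    rest = _mix_departments(u for u in users if not u.pilot)

    waves = []
    for start in range(0, len(pilots), max_group_add):
        waves.append([u.upn for u in pilots[start:start + max_group_add]])

    pos, step = 0, 0
    while pos < len(rest):
        size = min(wave_sizes[min(step, len(wave_sizes) - 1)], max_group_add)
        waves.append([u.upn for u in rest[pos:pos + size]])
        pos += size
        step += 1
    return waves


def validate_waves(waves, users, max_group_add=MAX_GROUP_ADD):
    """Check every user lands in exactly one wave and no wave exceeds the cap."""
    seen = [upn for wave in waves for upn in wave]
    expected = {u.upn for u in users}
    return (len(seen) == len(expected)
            and set(seen) == expected
            and all(len(wave) <= max_group_add for wave in waves))


# Constructed sample directory: 400 users over three departments,
# the first five flagged as the pilot cohort.
DEPARTMENTS = ("finance", "sales", "it")
SAMPLE_USERS = [
    User(upn=f"user{i:03d}@example.com", department=DEPARTMENTS[i % 3], pilot=i < 5)
    for i in range(400)
]

if __name__ == "__main__":
    plan = plan_waves(SAMPLE_USERS)
    print("wave sizes:", [len(w) for w in plan])      # [5, 10, 50, 200, 135]
    print("valid:", validate_waves(plan, SAMPLE_USERS))
```

Each wave is an opportunity to stop: the post's "evaluated how each step affected users and made changes as we went" maps to pausing between waves, and because the remainder is department-mixed rather than department-by-department, a broken application for one business unit shows up in a 10-user wave rather than a 200-user one.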

Figure 1: Azure AD staged rollout enabled in Azure AD Connect.

Azure AD accelerated SaaS Integration

When we selected cloud authentication, we expected to reduce costs, improve high availability, and remove burdensome server management from our IT administrators. These goals were realized. One benefit that we didn’t anticipate: it is now much easier to integrate Software as a Service (SaaS) apps. Before the migration, we integrated four apps over six years. Since moving to Azure AD we’ve onboarded 20 apps in six months! A huge productivity gain.

Figure 2: Azure AD supports more than 2,800 pre-integrated software as a service (SaaS) applications.

Next up: Shifting to a Zero Trust model

Our partners in the Microsoft Identity PM team were instrumental in helping us migrate from Active Directory Federation Services to Azure AD. We work with a lot of vendors, and the Microsoft Identity PM team is special. It is rare for a partner to be so involved from start to finish. Together we have enabled single sign-on, conditional access policies, and privileged identity management to better secure our identities.

Moving forward, we are collaborating with Microsoft to move towards passwordless authentication and eventually a Zero Trust model. These initiatives include:

  • Password policy modernization
  • Self-service password reset
  • Passwordless implementation across the organization

Learn more

I hope the Mitsui & Co. story inspired you to investigate Azure AD staged rollout. If you are looking for other tips from our customers, take a look at the other stories in the ‘Voice of the Customer’ series.

9 Comments
Regular Visitor
What end-user licenses are required for this?
Occasional Visitor

Pretty sure they'll need an Azure Premium 1 lic., which is also a part of the EMS lic package.

It is not included in just Office 365 E1 or E3.

Regular Visitor

This is a great article. I want to know more detailed information. Is there a limit to the number of users that can be initially migrated with Azure AD staged rollout?

Occasional Visitor

The users would need either an Azure AD P1 OR P2 OR EMS+E3 OR EMS+E5 licence.

Occasional Visitor

You can migrate around 200 members initially by adding them to a group to avoid a UX timeout. See the article below for detailed information.

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-staged-rollout

Occasional Visitor

Great article, nice to know about staged rollout through AADC.

Occasional Visitor
Privileged Identity Management is a feature of AAD P2, if I'm not mistaken
Senior Member

After the initial 200 user upload, how many users can be added to the group in a single upload or is it unlimited?

Senior Member

Is there a process to approve SaaS Integrations? As a business, we're concerned where our data can go, once it's outside of our environment. See the following from Krebs about phishing for access, bypassing passwords and MFA...
https://krebsonsecurity.com/2020/01/tricky-phish-angles-for-persistence-not-passwords/