Mitsui said goodbye to ADFS using Azure AD staged rollout
Published Dec 17 2019 10:30 AM
Microsoft

Hello!

I love it when customers meet their business goals using newly available identity capabilities! This post in the ‘Voice of the Customer’ series is such a story. Mr. Ichinose, IT Manager, Mitsui & Co., and Mr. Saze, Project Manager, Mitsui Knowledge Industry, describe how Azure Active Directory (Azure AD) staged rollout simplified the transition from Active Directory Federation Services to Azure AD authentication. Mitsui & Co. is a company with offices and customers all over the globe. If you are curious about how a large company transitioned users from a legacy system to Azure AD with ZERO support calls, this post is for you.

Minimize user disruption with Azure AD staged rollout

By Mr. Ichinose, IT Manager, Mitsui & Co. and Mr. Saze, Project Manager, Mitsui Knowledge Industry

We believe that a successful transition to cloud-based services hinges on a well-designed identity strategy. The cloud can empower creativity and productivity, but only if authentication is secure and services are easy to access. In our roles as the IT Manager at Mitsui and Project Manager at Mitsui Knowledge Industry, we needed to migrate user authentication off Active Directory Federation Services to support our digital transformation goals. Azure AD staged rollout simplified the process for users and IT administrators.

Mitsui & Co., headquartered in Japan, is a global company that invests in businesses across several product lines in 66 countries and regions. Like many multinational companies founded in the 20th century, the company’s business processes are built on legacy systems and assets. Mitsui Knowledge Industry is a 100% subsidiary of Mitsui & Co. that supports IT infrastructure, planning and implementation of digital transformation initiatives for its parent company. We selected Azure AD based cloud authentication for the following reasons:

  • Cloud authentication is more secure than federated authentication.
  • High availability and disaster recovery offered by Microsoft Azure.
  • Cost reductions associated with eliminating Active Directory Federation Services servers and proxy servers.

A thoughtful migration plan resulted in zero support calls


Azure AD staged rollout gave us the tools to implement a well-planned cutover. Once we set up modern authentication and Conditional Access, we created a test environment and split our users into groups. We tested our implementation of Azure AD with small groups, evaluated how each step affected users, and made changes as we went. This process simplified testing for our IT administrators.

When we rolled out the new authentication model to larger groups, our users also benefited from the early testing process. We did not invest in any education before we began this initiative, but because we took a slow, deliberate approach, users were able to transition to Azure AD authentication easily. In fact, we received zero support calls.

Figure 1 shows Azure AD Staged Rollout enabled in Azure AD Connect.

Azure AD accelerated SaaS integration

When we selected cloud authentication, we expected to reduce costs, improve high availability, and remove burdensome server management from our IT administrators. These goals were realized. One benefit that we didn’t anticipate: it is now much easier to integrate Software as a Service (SaaS) apps. Before the migration, we integrated four apps over six years. Since moving to Azure AD we’ve onboarded 20 apps in six months! A huge productivity gain.

Figure 2: Azure AD supports more than 2,800 pre-integrated software as a service (SaaS) applications.

Next up: Shifting to a Zero Trust model

Our partners in the Microsoft Identity PM team were instrumental in helping us migrate from Active Directory Federation Services to Azure AD. We work with a lot of vendors, and the Microsoft Identity PM team is special. It is rare for a partner to be so involved from start to finish. Together we have enabled single sign-on, conditional access policies, and privileged identity management to better secure our identities.

Moving forward, we are collaborating with Microsoft to move towards passwordless and eventually a Zero Trust model. These initiatives include:

  • Password policy modernization
  • Self-service password reset
  • Passwordless implementation across the organization

Learn more

I hope the Mitsui & Co. story inspired you to investigate Azure AD staged rollout. If you are looking for other tips from our customers, take a look at the other stories in the ‘Voice of the Customer’ series.

15 Comments
Copper Contributor
What end-user licenses are required for this?
Copper Contributor

Pretty sure they'll need an Azure Premium 1 lic., which is also a part of the EMS lic. package.

It is not included in just office 365 E1 or E3. 

Copper Contributor

This is a great article. I want to know more detailed information. Is there a limit to the number of users that can be initially migrated with Azure AD staged rollout?

Copper Contributor

The users would need either an Azure AD P1 OR P2 OR EMS+E3 OR EMS+E5 licence.

Copper Contributor

You can migrate around 200 members initially by adding them to a group to avoid a UX timeout. See the article below for detailed information.

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-staged-rollout

Copper Contributor

Great article. Nice to know about staged rollout through AADC.

Copper Contributor
Privileged Identity Management is a feature of AAD P2, if I'm not mistaken
Copper Contributor

After the initial 200 user upload, how many users can be added to the group in a single upload or is it unlimited? 

Brass Contributor

Is there a process to approve SaaS Integrations? As a business, we're concerned where our data can go, once it's outside of our environment. See the following from Krebs about phishing for access, bypassing passwords and MFA...
https://krebsonsecurity.com/2020/01/tricky-phish-angles-for-persistence-not-passwords/

Copper Contributor

Is there detailed information on this? I am interested to know how they completed the production cut-over from the staged rollout.

Copper Contributor

I would also be interested in the information how to finalize.

Do I just need to switch it on the AD Connect server? Or disable the staged rollout first and then do the switch?

Copper Contributor

When you first add a security group for staged rollout, you're limited to 200 users to avoid a UX time-out. After you've added the group, you can add more users directly to it, as required.
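
The post describes splitting users into groups and cutting over small groups first, and this comment adds the practical constraint that the pilot group may hold at most 200 members at the moment it is first added to staged rollout. The script below is an added example (not code from the post, from Mitsui, or from Microsoft) of building that on-premises security group in waves so the first wave respects the cap and later waves are added directly to the group. The group name, OU paths and domain are placeholders; the ActiveDirectory module cmdlets are standard RSAT cmdlets.

```powershell
# Added example: not code from the post, Mitsui or Microsoft. Builds the
# on-premises security group for a staged rollout pilot in waves, honoring the
# 200-member limit that applies when the group is FIRST added to staged rollout
# in Azure AD Connect; later members are added directly to the group.
# Placeholders (assumptions): group name, OU paths and domain.
Import-Module ActiveDirectory

$GroupName  = 'SG-AAD-StagedRollout-Pilot'            # placeholder
$GroupPath  = 'OU=Groups,DC=contoso,DC=local'          # placeholder
$PilotOU    = 'OU=Pilot,OU=Users,DC=contoso,DC=local'  # placeholder
$InitialCap = 200   # limit when the group is first added to staged rollout

function New-RolloutGroup {
    param([string]$Name, [string]$Path)
    # Staged rollout requires a security group; nested and dynamic groups are
    # not supported, so members must be user objects added directly.
    $g = Get-ADGroup -Filter "Name -eq '$Name'"
    if (-not $g) {
        $g = New-ADGroup -Name $Name -GroupScope Global -GroupCategory Security -Path $Path -PassThru
    }
    return $g
}

function Add-RolloutWave {
    param([string]$GroupName, [string]$SearchBase, [int]$Max)
    # Index current members so a re-run never adds the same user twice.
    $existing = @{}
    Get-ADGroupMember -Identity $GroupName | ForEach-Object { $existing[$_.DistinguishedName] = $true }

    # Enabled users only, sorted so each wave is deterministic and auditable.
    $next = Get-ADUser -Filter "Enabled -eq 'True'" -SearchBase $SearchBase |
        Where-Object { -not $existing.ContainsKey($_.DistinguishedName) } |
        Sort-Object SamAccountName |
        Select-Object -First $Max

    if ($next) { Add-ADGroupMember -Identity $GroupName -Members $next }
    return @($next).Count
}

function Test-RolloutGroup {
    param([string]$GroupName)
    # Flag any non-user member: a nested group is not expanded by staged rollout,
    # so its users would silently stay on federation.
    $nested = Get-ADGroupMember -Identity $GroupName | Where-Object objectClass -ne 'user'
    if ($nested) {
        Write-Warning "Non-user members in ${GroupName}: $($nested.Name -join ', ')"
    }
    return ($nested | Measure-Object).Count
}

$null = New-RolloutGroup -Name $GroupName -Path $GroupPath

# Wave 0: fill up to the initial cap, then STOP. Add the group to staged rollout
# in Azure AD Connect (and let a sync cycle run) before adding further waves.
$added = Add-RolloutWave -GroupName $GroupName -SearchBase $PilotOU -Max $InitialCap
Write-Host "Wave 0: added $added users to $GroupName. Enable the group in Azure AD Connect staged rollout now."

# Later waves, run only after the group is enabled; the cap no longer applies,
# so size each wave to what the help desk can absorb.
# $added = Add-RolloutWave -GroupName $GroupName -SearchBase 'OU=Wave1,OU=Users,DC=contoso,DC=local' -Max 500
# Test-RolloutGroup -GroupName $GroupName
```

Running Test-RolloutGroup after every wave is the cheap check that catches the common mistake of dropping a departmental group into the pilot group: staged rollout evaluates direct user membership only, so those users would keep authenticating through AD FS while the cutover report says otherwise.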

Copper Contributor

What is not clear from this is if PHS was deployed or PTA? It would have been more useful if we knew what method was deployed. I like the idea of PHS; however, for large organizations (15,000 users) I don't know how you get around some of the PHS limitations:

  1. Locked on-prem account not respected in Azure
  2. Change password at next logon is not respected in Azure
     a) If we used Azure “SSPR” and turned on password writeback, then this setting would be respected in Azure AD. Sadly we do not use “SSPR”.
  3. Restricted logon hours not respected in Azure
  4. Password is expired not respected in Azure
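
The four items in this comment are account states that on-premises Active Directory checks at logon but that Azure AD cannot see when it validates a synchronized password hash, so after cutover those controls stop applying to cloud sign-ins. The script below is an added example (not from the post or from the commenter) that inventories enabled on-premises accounts currently in any of those four states, so an administrator can size the exposure and remediate (for example, disable rather than rely on lockout, or clear stale must-change flags) before the affected users move to cloud authentication. The search base and report path are placeholders.

```powershell
# Added example: not code from the post or the commenter. Inventories enabled
# on-premises AD accounts in any of the four states the comment lists, which
# on-prem AD enforces at logon but cloud authentication with password hash
# sync does not. Placeholders (assumptions): search base and report path.
Import-Module ActiveDirectory

$SearchBase = 'DC=contoso,DC=local'    # placeholder domain
$ReportPath = 'C:\Temp\phs-gaps.csv'   # placeholder output

function Test-RestrictedLogonHours {
    param([byte[]]$LogonHours)
    # logonHours is 21 bytes (168 bits, one per hour of the week, UTC).
    # Absent or all-0xFF means "any time"; any cleared bit is a restriction.
    if (-not $LogonHours -or $LogonHours.Length -eq 0) { return $false }
    foreach ($b in $LogonHours) { if ($b -ne 0xFF) { return $true } }
    return $false
}

function Get-PhsGap {
    param($User)
    # Returns the list of states cloud authentication would not enforce.
    $gaps = @()
    if ($User.LockedOut)        { $gaps += 'LockedOut' }                      # item 1
    if ($User.pwdLastSet -eq 0) { $gaps += 'MustChangePasswordAtNextLogon' }  # item 2 (pwdLastSet 0 = flag set)
    if (Test-RestrictedLogonHours $User.logonHours) { $gaps += 'RestrictedLogonHours' }  # item 3
    if ($User.PasswordExpired)  { $gaps += 'PasswordExpired' }                # item 4
    return $gaps
}

$users = Get-ADUser -Filter "Enabled -eq 'True'" -SearchBase $SearchBase `
    -Properties LockedOut, PasswordExpired, pwdLastSet, logonHours

$findings = foreach ($u in $users) {
    $gaps = Get-PhsGap -User $u
    if ($gaps.Count -gt 0) {
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Gaps           = ($gaps -join ';')
        }
    }
}

$findings | Export-Csv -Path $ReportPath -NoTypeInformation
# Summary per gap combination, so the cutover plan can size each remediation.
$findings | Group-Object Gaps | Sort-Object Count -Descending | Select-Object Count, Name
```

Two caveats for reading the report: the account-enabled flag itself is synchronized, so disabling an on-premises account does propagate to the cloud and is the reliable replacement for relying on lockout; and the password-expiry gap (item 4) can be narrowed by turning on the EnforceCloudPasswordPolicyForPasswordSyncedUsers directory-sync feature, which makes Azure AD honor the on-premises expiration for password-synced users.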
Brass Contributor

Just FYI folks, we are using only the Microsoft 365 Business (standard and premium) accounts, and the staged rollout appears to be available for us.  That means we can do this with only the basic AAD license that the business account gives us.  I've not tested it yet, but all the functions appear to be there.  If this does work as expected, we plan to move a simple local AD set of users to AAD/cloud only authentication and eventually remove our local AD structure.

Copper Contributor

Just did the PTA switchover from ADFS using the following procedures (in this case, we built a new server to host Azure AD with PTA):

1. Disabled the staged rollout (rolled out for about 20 users)

2. Performed Azure AD Swing Migration - https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-upgrade-previous-version

3. Performed the migration from ADFS to PTA - https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta-quick-start#:~:tex.... Download the document Migrate from AD FS to Pass-through Authentication

The above procedures were flawless and we were able to migrate without any issues.

Version history
Last update: Jul 24 2020 01:26 AM