Re: Staged rollout to cloud authentication now in public preview

Very cool. We are on the edge of doing a cutover migration, but now we can try it out in the production environment before the cutover :)

Alex Simons (AZURE), are there any concerns of enabling the staged rollout in a production tenant?
(It is a preview feature), but if it is only the experience of a migrated user that "may be" impacted by the preview statement, then I have no concerns?

Re: Staged rollout to cloud authentication now in public preview

@Micki Wulffeld - Yes, this is meant for production use and is only applied to the user who is enabled for staged rollout and not the entire federated domain. We had close to a hundred customers who did this during private preview before they could cut over. You can reach out to me at jitheshr@microsoft.com if you have any questions.

Re: Staged rollout to cloud authentication now in public preview

We already have our O365 auth switched to Password Hash/SSO, however we still have a ton of 3rd party SaaS apps (ServiceNow for example) using ADFS, however they are set up to go to the on-prem ADFS server directly, so in that case I would not be able to use the Staged rollout since I have to work with the SaaS vendor to point to Azure AD instead of our ADFS server? If so, is there an easy way to migrate that?

Staged rollout to cloud authentication now in public preview

Howdy folks,

I’m excited to announce that the staged rollout to cloud authentication is now available in public preview. This feature allows you to migrate your users’ authentication from federation—via AD FS, Ping Federate, Okta, or any other federation on-premises system—to cloud authentication in a staged and controlled manner. More than 100 customers have used this feature to successfully cut over to cloud authentication during our private preview.

Moving your Azure AD authentication from federation on-premises to the cloud allows you to manage user and device sign-in from your control plane in Azure AD. You’ll benefit from reducing the dependency on on-premises infrastructure, which typically includes a farm of servers and proxies that need to be accessible from the internet. You won’t need to worry about patching of servers, availability and reliability of the authentication service, or managing ports on a firewall. In addition, you could also use staged rollout to move from a federated cloud identity provider to Azure AD authentication.

This helps you avoid a cutover of your entire domain and lets you selectively test a group of users with cloud authentication capabilities like Azure Multi-Factor Authentication (MFA), Conditional Access, Identity Protection for leaked credentials, Identity Governance, and others.

Learn more

- Check out our documentation (https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-staged-rollout) to learn more about this feature and its prerequisites.
- Watch the video to see what is staged rollout in Azure AD (https://www.microsoft.com/en-us/videoplayer/embed/RE3inQJ).
- Watch this video to learn how to configure staged rollout in Azure AD (https://www.microsoft.com/en-us/videoplayer/embed/RE3jqL0).

Alex Simons (@Alex_A_Simons, https://twitter.com/Alex_A_Simons)
Corporate VP of Program Management
Microsoft Identity Division

Teaser: Your journey to cloud authentication is now even easier.
Labels: Azure Active Directory

Re: Staged rollout to cloud authentication now in public preview

Does this apply if we wanted to migrate just from on-prem MFA server to the Azure cloud MFA? Are there any other requirements / prerequisites for doing this so the user will NOT have to re-register for MFA (keep the same user settings as configured on the on-prem MFA server)? And the same question that Daniel Schmidt asked applies as well.

Re: Staged rollout to cloud authentication now in public preview

@Daniel - yes, this is not used for ADFS federations of apps. The feature is to only help you with Cloud Authentication of your Office 365 RelyingParty. After using staged rollout for a group of users, it would be easier for you to switch from Office 365 federation with ADFS to cloud authentication. For migrating your apps from ADFS to AzureAD - look at this space:
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/migrate-adfs-apps-to-azure

Re: Staged rollout to cloud authentication now in public preview

@Cristian Calinescu - If you are using Azure MFA Server, then moving the user to staged rollout will block the user as mentioned in our docs. You will need to move users off of MFA server to Azure MFA before using staged rollout for testing cloud authentication. This scenario is also something we highlight when considering cloud authentication. Any on-premises dependencies need to be handled before considering cloud authentication.

Re: Staged rollout to cloud authentication now in public preview

Now we activated it, we found that when typing https://webmail.ourdomain.dk or just http://mail.outdomain.dk, that are CNAME to outlook.com, we end up with our ADFS server as sign-in method, for users that are stage migrated.

So the domain conversion MS are doing is not redirecting to Cloud auth. (preview problem I guess)

Thought it is working if you convert the whole domain (I tested in our test tenant)

Re: Staged rollout to cloud authentication now in public preview

@Micki Domain_hints and HRD acceleration policies which are supplying domain hints are not supported with staged rollout. We documented it.

Unsupported Scenarios
These scenarios are not supported for staged rollout: Certain applications send the "domain_hint" query parameter to Azure AD during authentication. These flows will continue and users enabled for staged rollout will continue to use federation for authentication.

Re: Staged rollout to cloud authentication now in public preview

@Jithesh Raj (JR) - So, if we move the users from the on-prem MFA server to Azure MFA, that would mean that the users will need to re-register. That's exactly what we're trying to avoid, and would like to migrate the users to Azure MFA without having to re-register. Thought that Staged Rollout would help us achieve this.

Re: Staged rollout to cloud authentication now in public preview

@Cristian Calinescu - Cloud Authentication (PHS/PTA) does not support Azure MFA Server and this is something we have documented. Staged Rollout is about helping you migrate users from federated IDP to Cloud Authentication and not MFA migration.

Re: Staged rollout to cloud authentication now in public preview

@Jithesh Raj (JR) - That is the main reason we want to migrate to Azure MFA (cloud), to be able to switch to modern authentication, but the main problem is that we don't want to have to cut off the users from Azure MFA Server (on-prem) and re-register all users to Azure MFA. And, currently there is no migration path for migrating users from on-prem MFA to Azure MFA. Hopefully Microsoft will provide some guidance in this scenario or develop a tool which will help with this kind of migration. Thank you for your reply, much appreciated!

Re: Staged rollout to cloud authentication now in public preview

This is awesome news. My Org is coming up quickly on cutting over to Cloud Authentication, so this preview is a huge win for us. I'll be completing the necessary setup this week and testing with some of our IT staff.

Re: Staged rollout to cloud authentication now in public preview

If anyone is provisioning disabled users with the [Must change pw nxt logon] AD flag, and activating them later, you might run into PasswordHashSync problems.
https://techcommunity.microsoft.com/t5/ITOps-Talk-Blog/PowerShell-Basics-How-to-Force-a-Full-Password-Sync-in-AzureAD/ba-p/900063

Re: Staged rollout to cloud authentication now in public preview

I enabled this feature today as per the video guide, it still redirects to ADFS authentication page when using my account.

My user account was added to a security group sync'd from on-prem, is it a requirement to use a 365 security group?

Re: Staged rollout to cloud authentication now in public preview

[Image: clipboard_image_0.png]

@Jithesh Raj (JR)

Is anyone seeing this same experience? Suddenly everyone is disabled from staged rollout feature. I can't trace any admin who could have done this, and just before the feature is removed, the Azure AD Application proxy (which we have not installed yet) updated same users???

[Image: clipboard_image_0.png]

Re: Staged rollout to cloud authentication now in public preview

Follow up from my last post: the process just took time to take effect. I tried this morning and my account now uses cloud authentication using password hash.

Re: Staged rollout to cloud authentication now in public preview

This morning everyone is enabled again for staged rollout?

@Jithesh Raj (JR) were there any issues regarding this behaviour?

And again the column "initiated by actor" is empty, so it must be a "system" (behind the scenes) user who did this.

[Image: clipboard_image_0.png]

Re: Staged rollout to cloud authentication now in public preview

When our users try to log on after being added to the staged rollout, they receive an error "Invalid username or password or Invalid on-premise username or password." 5 or 6 times (or minutes) before they can log in successfully.

Not all users are facing this issue.

Re: Staged rollout to cloud authentication now in public preview

Awesome Jithesh. Thank you for sharing such useful info.

Re: Staged rollout to cloud authentication now in public preview

Hello, I successfully started staged rollout, I wanna dismiss ADFS authentication (5 domains Federated in the same tenant) and move to PHS+Seamless SSO. I didn't find anything about how to correctly cut off ADFS while all users will be staged out.

I am planning to move gradually domain by domain (creating a specific migration group with users of each domain) by Staged Rollout ... and when all users have been tested, I suppose the next steps are:

- run Set-MsolDomainAuthentication -Authentication Managed -DomainName <domain name> for each rolled out domain
- remove the migrated group from Staged Rollout wizard
- when all federated domains are migrated, turn off Staged Rollout Features

Is it correct to totally decommission Federated Authentication after Staged Rollout?

Thanks in advance

Re: Staged rollout to cloud authentication now in public preview

@MassV - Your plan looks accurate. When you turn off staged rollout, remove the groups from staged rollout and then turn off using the ON/OFF sliders.

Re: Staged rollout to cloud authentication now in public preview

@bart vermeersch - The issue looks to be with Pass
word%20Hash%20Sync%20and%20not%20staged%20rollout.%20Use%20out%20PHS%20troubleshooting%20tools%20mentioned%20here%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%20class%3D%22lia-message-author-with-avatar%22%3E%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fhybrid%2Ftshoot-connect-password-hash-synchronization%23one-object-is-not-synchronizing-passwords-troubleshoot-by-using-the-troubleshooting-task%26nbsp%3B%26nbsp%3B%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fhybrid%2Ftshoot-connect-password-hash-synchronization%23one-object-is-not-synchronizing-passwords-troubleshoot-by-using-the-troubleshooting-task%26nbsp%3B%26nbsp%3B%3C%2FA%3E%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%20class%3D%22lia-message-author-with-avatar%22%3E%26nbsp%3B%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1063924%22%20slang%3D%22en-US%22%3ERe%3A%20Staged%20rollout%20to%20cloud%20authentication%20now%20in%20public%20preview%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1063924%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20have%20enabled%20Staged%20rollout%20using%20PHS%20%26amp%3B%20Seamless%20SSO.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPHS%20is%20working%2C%20however%20internally%20I'm%20not%20getting%20the%20seamless%20sso%20experience%20I%20was%20expecting%2C%20i.e.%20I%20still%20have%20to%20enter%20a%20UPN%20at%20which%20point%20I%20am%20then%20authenticated%20through.%26nbsp%3B%20I%20can%20see%20in%20the%20Azure%20AD%20sign-in%20logs%20that%20Seamless%20SSO%20was%20used%2C%26nbsp%3B%20however%20before%20cutting%20our%20Org%20fully%20from%20federated%20to%20managed%20I'd%20like%20to%20test%20how%20the%20experience%20will%20actually%20be%20for%20users.%20Is%20that%20possible%3F%20I%20understand%20that%20due%20to%26nbsp%3B%3CSPAN%3Edomain_hint%20we%20can't%20test%20all%20app
lications%20including%20exchange%20online%20but%20is%20there%20any%20other%20method%20apart%20from%20just%20hitting%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fmyapps.microsoft.com%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fmyapps.microsoft.com%2F%3C%2FA%3E%20via%20a%20private%20browser%20session%3F%3C%2FSPAN%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EThanks%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1065194%22%20slang%3D%22en-US%22%3ERe%3A%20Staged%20rollout%20to%20cloud%20authentication%20now%20in%20public%20preview%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1065194%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%2C%20we%20found%20out%20that%20a%20lot%20of%20our%20students%20were%20still%20using%20their%20initial%20temp%20password%20(which%20can't%20be%20synced).%20We%20are%20still%20trying%20to%20figure%20out%20why%20they%20weren't%20forced%20to%20change%20their%20initial%20the%20password%20in%20the%20first%20place.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20are%20looking%20forward%20to%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fhybrid%2Fhow-to-connect-password-hash-synchronization%23public-preview-of-synchronizing-temporary-passwords-and-force-password-on-next-logon%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fhybrid%2Fhow-to-connect-password-hash-synchronization%23public-preview-of-synchronizing-temporary-passwords-and-force-password-on-next-logon%3C%2FA%3E%20but%20the%20info%20is%20still%20unclear%20on%20that.%3C%2FP%3E%3C%2FLINGO-BODY%3E

Howdy folks,

 

I'm excited to announce that the staged rollout to cloud authentication is now available in public preview. This feature allows you to migrate your users' authentication from federation (via AD FS, Ping Federate, Okta, or any other on-premises federation system) to cloud authentication in a staged and controlled manner. More than 100 customers have used this feature to successfully cut over to cloud authentication during our private preview.

 

Moving your Azure AD authentication from on-premises federation to the cloud allows you to manage user and device sign-in from your control plane in Azure AD. You'll benefit from reducing the dependency on on-premises infrastructure, which typically includes a farm of servers and proxies that need to be accessible from the internet. You won't need to worry about patching servers, the availability and reliability of the authentication service, or managing ports on a firewall. In addition, you can use staged rollout to move from a federated cloud identity provider to Azure AD authentication.

 

Staged rollout helps you avoid a cutover of your entire domain: you can selectively test a group of users with cloud authentication capabilities like Azure Multi-Factor Authentication (MFA), Conditional Access, Identity Protection for leaked credentials, Identity Governance, and others.

 

Learn more

 


Alex Simons (@Alex_A_Simons )

Corporate VP of Program Management

Microsoft Identity Division 

25 Comments
New Contributor

Very cool. We are on the edge of doing a cutover migration, but now we can try it out in the production environment before the cutover :)

Alex Simons (AZURE) are there any concerns about enabling the staged rollout in a production tenant?
(It is a preview feature), but if it is only the experience of a migrated user that "may be" impacted by the preview statement, then I have no concerns?

@Micki Wulffeld - Yes, this is meant for production use and is only applied to the user who is enabled for staged rollout and not the entire federated domain. We had close to a hundred customers who did this during private preview before they could cut over. You can reach out to me at jitheshr@microsoft.com if you have any questions.

Contributor

We already have our O365 auth switched to Password Hash/SSO, however we still have a ton of 3rd party SAAS apps (ServiceNow for example) using ADFS, however they are set up to go to the on-prem ADFS server directly, so in that case I would not be able to use the Staged rollout since I have to work with the SAAS vendor to point to Azure AD instead of our ADFS server? If so, is there an easy way to migrate that?

Occasional Contributor

Does this apply if we wanted to migrate just from on-prem MFA server to the Azure cloud MFA? Are there any other requirements / prerequisites for doing this so the user will NOT have to re-register for MFA (keep the same user settings as configured on the on-prem MFA server)? And the same question that Daniel Schmidt asked applies as well.

@Daniel - yes, this is not used for ADFS federations of apps. The feature is to only help you with Cloud Authentication of your Office 365 RelyingParty. After using staged rollout for a group of users, it would be easier for you to switch from Office 365 federation with ADFS to cloud authentication. For migrating your apps from ADFS to AzureAD - look at this space

https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/migrate-adfs-apps-to-azure

@Cristian Calinescu - If you are using Azure MFA server, then moving the user to staged rollout will block the user as mentioned in our docs. You will need to move users off of MFA server to Azure MFA before using staged rollout for testing cloud authentication. This scenario is also something we highlight when considering cloud authentication. Any on-premises dependencies need to be handled before considering cloud authentication.

New Contributor

 

Now we activated it, we found that when typing https://webmail.ourdomain.dk Or just http://mail.outdomain.dk , that are CNAME to outlook.com, we end up with our adfs server as sign in method, for users that are stage migrated.

So the domain conversion MS are doing is not redirecting to Cloud auth. (preview problem I guess)

 

Though it is working if you convert the whole domain (I tested in our test tenant)

@Micki Domain_hints and HRD acceleration policies which are supplying domain hints are not supported with staged rollout. We documented it under "Unsupported Scenarios": These scenarios are not supported for staged rollout: Certain applications send the "domain_hint" query parameter to Azure AD during authentication. These flows will continue and users enabled for staged rollout will continue to use federation for authentication.
Occasional Contributor

  

Occasional Contributor

@Jithesh Raj (JR)- So, if we move the users from the on-prem MFA server to Azure MFA, that would mean that the users will need to re-register. That's exactly what we're trying to avoid, and would like to migrate the users to Azure MFA without having to re-register. Thought that Staged Rollout would help us achieve this.

@Cristian Calinescu - Cloud Authentication (PHS/PTA) does not support Azure MFA Server and this is something we have documented. Staged Rollout is about helping you migrate users from federated IDP to Cloud Authentication and not MFA migration.

 

 

Occasional Contributor

@Jithesh Raj (JR)  - That is the main reason we want to migrate to Azure MFA (cloud), to be able to switch to modern authentication, but the main problem is that we don't want to have to cut off the users from Azure MFA Server(on-prem) and re-register all users to Azure MFA. And, currently there is no migration path for migrating users from on-prem MFA to Azure MFA. Hopefully Microsoft will provide some guidance in this scenario or develop a tool which will help with this kind of migration. Thank you for your reply, much appreciated!

Regular Visitor

This is awesome news. My Org is coming up quickly on cutting over to Cloud Authentication, so this preview is a huge win for us. I'll be completing the necessary setup this week and testing with some of our IT staff.

New Contributor

If anyone is provisioning disabled users with the [Must change pw nxt logon] AD flag, and activating them later, you might run into PasswordHashSync problems.
https://techcommunity.microsoft.com/t5/ITOps-Talk-Blog/PowerShell-Basics-How-to-Force-a-Full-Passwor...

Regular Visitor

I enabled this feature today as per the video guide, it still redirects to ADFS authentication page when using my account.

 

My user account was added to a security group sync'd from on-prem, is it a requirement to use a 365 security group?

New Contributor

clipboard_image_0.png

@Jithesh Raj (JR) 

Is anyone seeing this same experience? Suddenly everyone is disabled from the staged rollout feature. I can't trace any admin who could have done this, and just before the feature is removed, the Azure AD Application proxy (which we have not installed yet) updated same users???

clipboard_image_0.png

Regular Visitor

Follow up from my last post: the process just took time to take effect. I tried this morning and my account now uses cloud authentication using password hash.

New Contributor

This morning everyone is enabled again for staged rollout?

@Jithesh Raj (JR) were there any issues regarding this behaviour?

And again the column "initiated by actor" is empty, so it must be a "system" (behind the scenes) user who did this

 

clipboard_image_0.png

Super Contributor

When our users try to log on after being added to the staged rollout, they receive an error "Invalid username or password or Invalid on-premise username or password." 5 or 6 times (or minutes) before they can log in successfully.

 

Not all users are facing this issue.

Occasional Visitor

Awesome Jithesh. Thank you for sharing such useful info

Frequent Visitor

Hello, I successfully started staged rollout, I wanna dismiss ADFS authentication (5 domains Federated in the same tenant) and move to PHS+Seamless SSO. I didn't find anything about how to correctly cut off ADFS while all users will be staged out.

I am planning to move gradually domain by domain (creating a specific migration group with users of each domain) by Staged Rollout ... and when all users have been tested, I suppose the next steps are

- run Set-MsolDomainAuthentication -Authentication Managed -DomainName <domain name> for each rolled out domain

- remove the migrated group from Staged Rollout wizard

- when all federated domains are migrated, turn off Staged Rollout Features
Is it correct to totally decommission Federated Authentication after Staged Rollout?

Thanks in advance

 

@MassV  -  Your plan looks accurate. When you turn off staged rollout, remove the groups from staged rollout and then turn off using the ON/OFF sliders.
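The per-domain conversion step from the plan above, sketched as an added example (not part of the original thread and not Microsoft's own script). It assumes the MSOnline module is installed and `Connect-MsolService` has already been run; the function name and the `.example` domain names are hypothetical placeholders.

```powershell
#Requires -Modules MSOnline
# Added example. Assumes Connect-MsolService was already run with an account
# that is allowed to change domain authentication settings.

function Convert-FederatedDomainToManaged {
    # ConfirmImpact 'High' forces a prompt per domain unless -Confirm:$false is
    # passed, because the switch affects every user in that domain at once.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Domains whose users were already validated through staged rollout.
        [Parameter(Mandatory = $true)]
        [string[]] $DomainName
    )

    foreach ($name in $DomainName) {
        $domain = Get-MsolDomain -DomainName $name -ErrorAction Stop

        # Only touch domains that are still federated; anything else is
        # reported and skipped so a re-run of the script is harmless.
        if ($domain.Authentication -ne 'Federated') {
            Write-Warning "$name is already '$($domain.Authentication)'; skipping."
            continue
        }

        if ($PSCmdlet.ShouldProcess($name, 'Switch authentication from Federated to Managed')) {
            Set-MsolDomainAuthentication -DomainName $name -Authentication Managed -ErrorAction Stop

            # Read the setting back so the result is confirmed, not assumed.
            $after = Get-MsolDomain -DomainName $name -ErrorAction Stop
            [pscustomobject]@{
                DomainName = $name
                Before     = 'Federated'
                After      = $after.Authentication
            }
        }
    }
}

# Dry run: shows which domains would be converted without changing the tenant.
# The domain names below are constructed placeholders.
Convert-FederatedDomainToManaged -DomainName 'contoso.example', 'fabrikam.example' -WhatIf
```

Drop `-WhatIf` to convert one domain at a time, and remove the matching group from staged rollout only after the read-back shows `Managed`.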

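@bart vermeersch - The issue looks to be with Password Hash Sync and not staged rollout. Use our PHS troubleshooting tools mentioned here: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-password-hash-synchronization#one-object-is-not-synchronizing-passwords-troubleshoot-by-using-the-troubleshooting-task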
 
Occasional Visitor

We have enabled Staged rollout using PHS & Seamless SSO. 

 

PHS is working, however internally I'm not getting the seamless sso experience I was expecting, i.e. I still have to enter a UPN at which point I am then authenticated through.  I can see in the Azure AD sign-in logs that Seamless SSO was used,  however before cutting our Org fully from federated to managed I'd like to test how the experience will actually be for users. Is that possible? I understand that due to domain_hint we can't test all applications including exchange online but is there any other method apart from just hitting https://myapps.microsoft.com/ via a private browser session? 

 

Thanks

Super Contributor

Thanks, we found out that a lot of our students were still using their initial temp password (which can't be synced). We are still trying to figure out why they weren't forced to change their initial password in the first place.

 

We are looking forward to https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchron... but the info is still unclear on that.
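A pre-flight check for the password problem reported in this thread, as an added example that is not part of the original comments. It assumes the affected accounts are the ones with "User must change password at next logon" set (which Active Directory stores as `pwdLastSet = 0`), that the ActiveDirectory RSAT module is available, and that the rollout group exists on-premises; the function name and group name are hypothetical.

```powershell
#Requires -Modules ActiveDirectory
# Added example. Lists members of a staged rollout group that still carry the
# "User must change password at next logon" flag, so they can be fixed before
# the group is enabled for cloud authentication.

function Get-StagedRolloutPasswordRisk {
    [CmdletBinding()]
    param(
        # On-premises group that is (or will be) added to staged rollout.
        [Parameter(Mandatory = $true)]
        [string] $GroupName
    )

    # -Recursive flattens nested groups; keep user objects only.
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            Get-ADUser -Identity $_.distinguishedName -Properties pwdLastSet, whenCreated
        } |
        # pwdLastSet = 0 is how AD records "must change password at next logon".
        Where-Object { $_.pwdLastSet -eq 0 } |
        Sort-Object -Property whenCreated |
        Select-Object -Property SamAccountName, UserPrincipalName, Enabled, whenCreated
}

# 'StagedRollout-Pilot' is a constructed placeholder group name.
$atRisk = @(Get-StagedRolloutPasswordRisk -GroupName 'StagedRollout-Pilot')

if ($atRisk.Count -gt 0) {
    Write-Warning "$($atRisk.Count) member(s) still have a must-change-password flag set."
    $atRisk | Format-Table -AutoSize
}
else {
    Write-Output 'No members with a pending forced password change were found.'
}
```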