Staged rollout to cloud authentication now in public preview
Published Oct 29 2019 07:25 PM 38.5K Views

Howdy folks,

 

I'm excited to announce that the staged rollout to cloud authentication is now available in public preview. This feature allows you to migrate your users' authentication from federation (via AD FS, Ping Federate, Okta, or any other on-premises federation system) to cloud authentication in a staged and controlled manner. More than 100 customers used this feature to successfully cut over to cloud authentication during our private preview.

 

Moving your Azure AD authentication from on-premises federation to the cloud lets you manage user and device sign-in from your control plane in Azure AD. You'll benefit from a reduced dependency on on-premises infrastructure, which typically includes a farm of servers and proxies that must be reachable from the internet. You won't need to worry about patching servers, the availability and reliability of the authentication service, or managing firewall ports. You can also use staged rollout to move from a federated cloud identity provider to Azure AD authentication.

 

This lets you avoid cutting over your entire domain at once: you can selectively test cloud authentication with a group of users and give them capabilities such as Azure Multi-Factor Authentication (MFA), Conditional Access, Identity Protection for leaked credentials, Identity Governance, and others. Note that sign-in flows which send a domain_hint to Azure AD are not covered by staged rollout; users in the rollout group continue to authenticate through federation in those flows.

 

Learn more

 


Alex Simons (@Alex_A_Simons )

Corporate VP of Program Management

Microsoft Identity Division 
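The post describes enabling cloud authentication for a pilot group while the domain stays federated. As an added example, not code from the original post or from Microsoft, the script below creates (or reuses) a staged rollout policy through the Microsoft Graph featureRolloutPolicies API and assigns a pilot security group to it. It assumes the Microsoft Graph PowerShell SDK is installed, that the caller holds the Policy.ReadWrite.FeatureRollout scope (assumed least-privilege scope), and that a security group named SG-CloudAuth-Pilot exists (assumed name); the feature value passwordHashSync can be swapped for passthroughAuthentication or seamlessSso.

```powershell
# Added example (not from the original post): enable staged rollout for one
# pilot security group using the Graph featureRolloutPolicies resource.
# Assumptions: Microsoft.Graph SDK installed; caller has the assumed scope
# Policy.ReadWrite.FeatureRollout; $GroupName is an existing security group.
param(
    [string]$GroupName = 'SG-CloudAuth-Pilot',            # assumed group name
    [ValidateSet('passwordHashSync', 'passthroughAuthentication', 'seamlessSso')]
    [string]$Feature = 'passwordHashSync'
)

Connect-MgGraph -Scopes 'Policy.ReadWrite.FeatureRollout' | Out-Null

# Staged rollout only accepts security groups (cloud-only or synced), so
# refuse distribution or mail-enabled groups before touching the policy.
$group = Get-MgGroup -Filter "displayName eq '$GroupName'" `
                     -Property Id, DisplayName, SecurityEnabled, MailEnabled
if (-not $group) { throw "Group '$GroupName' not found" }
if (-not $group.SecurityEnabled -or $group.MailEnabled) {
    throw "Staged rollout requires a (non mail-enabled) security group: $GroupName"
}

# The tenant holds at most one rollout policy per feature; reuse it if present.
$base = 'https://graph.microsoft.com/v1.0/policies/featureRolloutPolicies'
$policy = (Invoke-MgGraphRequest -Method GET -Uri $base).value |
          Where-Object { $_.feature -eq $Feature } | Select-Object -First 1
if (-not $policy) {
    $policy = Invoke-MgGraphRequest -Method POST -Uri $base -Body @{
        displayName = "Staged rollout - $Feature"
        feature     = $Feature
        isEnabled   = $true
    }
}

# Attach the group as a directoryObject reference. Only the members of this
# group are moved to cloud authentication; the domain stays federated.
Invoke-MgGraphRequest -Method POST -Uri "$base/$($policy.id)/appliesTo/`$ref" -Body @{
    '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($group.Id)"
}

# Report the resulting scope of the policy.
$applied = (Invoke-MgGraphRequest -Method GET -Uri "$base/$($policy.id)/appliesTo").value
[pscustomobject]@{
    Policy    = $policy.displayName
    Feature   = $policy.feature
    Enabled   = $policy.isEnabled
    AppliesTo = ($applied | ForEach-Object {
                    if ($_.displayName) { $_.displayName } else { $_.id }
                }) -join ', '
}
```

Nested and dynamic groups are not expanded by staged rollout, so the pilot group should contain the users directly. The change is not instantaneous; as a commenter notes below, it can take some time before a sign-in for a group member is routed to cloud authentication.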

45 Comments
Brass Contributor

Very cool. We are on the edge of doing a cutover migration, but now we can try it out in the production environment before the cutover :)

Alex Simons (AZURE), are there any concerns about enabling the staged rollout in a production tenant?
(It is a preview feature), but if it is only the experience of a migrated user that "may be" impacted by the preview statement, then I have no concerns?

@Micki Wulffeld - Yes, this is meant for production use and is only applied to the user who is enabled for staged rollout and not the entire federated domain. We had close to a hundred customers who did this during private preview before they cut over. You can reach out to me at jitheshr@microsoft.com if you have any questions.

Brass Contributor

We already have our O365 auth switched to Password Hash/SSO; however, we still have a ton of 3rd party SaaS apps (ServiceNow, for example) using ADFS. However, they are set up to go to the on-prem ADFS server directly, so in that case I would not be able to use the Staged rollout, since I have to work with the SaaS vendor to point to Azure AD instead of our ADFS server? If so, is there an easy way to migrate that?

Brass Contributor

Does this apply if we wanted to migrate just from the on-prem MFA server to Azure cloud MFA? Are there any other requirements / prerequisites for doing this so the user will NOT have to re-register for MFA (keeping the same user settings as configured on the on-prem MFA server)? And the same question that Daniel Schmidt asked applies as well.

@Daniel - Yes, this is not used for ADFS federation of apps. The feature is only to help you with Cloud Authentication of your Office 365 relying party. After using staged rollout for a group of users, it would be easier for you to switch from Office 365 federation with ADFS to cloud authentication. For migrating your apps from ADFS to Azure AD, look at this space:

https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/migrate-adfs-apps-to-azure

@Cristian Calinescu - If you are using Azure MFA Server, then moving the user to staged rollout will block the user, as mentioned in our docs. You will need to move users off of MFA Server to Azure MFA before using staged rollout for testing cloud authentication. This scenario is also something we highlight when considering cloud authentication. Any on-premises dependencies need to be handled before considering cloud authentication.

Brass Contributor

 

Now that we have activated it, we found that when typing https://webmail.ourdomain.dk or just http://mail.outdomain.dk, which are CNAMEs to outlook.com, we end up with our ADFS server as the sign-in method for users that are stage migrated.

So the domain conversion MS is doing is not redirecting to Cloud auth. (Preview problem, I guess.)

 

Though it is working if you convert the whole domain (I tested in our test tenant).

@Micki Domain hints and HRD acceleration policies that supply domain hints are not supported with staged rollout. We documented it under "Unsupported scenarios": These scenarios are not supported for staged rollout: Certain applications send the "domain_hint" query parameter to Azure AD during authentication. These flows will continue, and users enabled for staged rollout will continue to use federation for authentication.
Brass Contributor

@Jithesh Raj (JR) - So, if we move the users from the on-prem MFA server to Azure MFA, that would mean that the users will need to re-register. That's exactly what we're trying to avoid, and we would like to migrate the users to Azure MFA without having to re-register. We thought that Staged Rollout would help us achieve this.

@Cristian Calinescu - Cloud Authentication (PHS/PTA) does not support Azure MFA Server, and this is something we have documented. Staged Rollout is about helping you migrate users from a federated IdP to Cloud Authentication and not MFA migration.

 

 

Brass Contributor

@Jithesh Raj (JR) - That is the main reason we want to migrate to Azure MFA (cloud), to be able to switch to modern authentication, but the main problem is that we don't want to have to cut off the users from Azure MFA Server (on-prem) and re-register all users to Azure MFA. And currently there is no migration path for migrating users from on-prem MFA to Azure MFA. Hopefully Microsoft will provide some guidance in this scenario or develop a tool which will help with this kind of migration. Thank you for your reply, much appreciated!

Copper Contributor

This is awesome news. My Org is coming up quickly on cutting over to Cloud Authentication, so this preview is a huge win for us. I'll be completing the necessary setup this week and testing with some of our IT staff.

Brass Contributor

If anyone is provisioning disabled users with the [Must change password at next logon] AD flag and activating them later, you might run into Password Hash Sync problems.
https://techcommunity.microsoft.com/t5/ITOps-Talk-Blog/PowerShell-Basics-How-to-Force-a-Full-Passwor...

Copper Contributor

I enabled this feature today as per the video guide, it still redirects to ADFS authentication page when using my account.

 

My user account was added to a security group synced from on-prem. Is it a requirement to use a 365 security group?

Brass Contributor

[screenshot attached in the original post]

@Jithesh Raj (JR) 

Is anyone seeing this same experience? Suddenly everyone is disabled from the staged rollout feature. I can't trace any admin who could have done this, and just before the feature is removed, the Azure AD Application Proxy (which we have not installed yet) updated the same users???

[screenshot attached in the original post]

Copper Contributor

Follow-up from my last post: the process just took time to take effect. I tried this morning and my account now uses cloud authentication using password hash.

Brass Contributor

This morning everyone is enabled again for staged rollout?

@Jithesh Raj (JR) were there any issues regarding this behaviour?

And again the column "initiated by (actor)" is empty, so it must be a "system" (behind the scenes) user who did this.

 

[screenshot attached in the original post]

Steel Contributor

When our users try to log on after being added to the staged rollout, they receive an error "Invalid username or password or Invalid on-premise username or password." 5 or 6 times (or minutes) before they can log in successfully.

 

Not all users are facing this issue.

Copper Contributor

Awesome, Jithesh. Thank you for sharing such useful info.

Copper Contributor

Hello, I successfully started staged rollout. I want to dismiss ADFS authentication (5 domains federated in the same tenant) and move to PHS + Seamless SSO. I didn't find anything about how to correctly cut off ADFS once all users have been staged out.

I am planning to move gradually domain by domain (creating a specific migration group with users of each domain) via Staged Rollout... and when all users have been tested, I suppose the next steps are:

- run Set-MsolDomainAuthentication -Authentication Managed -DomainName <domain name> for each rolled out domain
- remove the migrated group from the Staged Rollout wizard
- when all federated domains are migrated, turn off Staged Rollout features

Is it correct to totally decommission Federated Authentication after Staged Rollout?

Thanks in advance

 

@MassV  -  Your plan looks accurate. When you turn off staged rollout, remove the groups from staged rollout and then turn off using the ON/OFF sliders.

@bart vermeersch - The issue looks to be with Password Hash Sync and not staged rollout. Use our PHS troubleshooting tools mentioned here.
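The cutover sequence agreed in the exchange above (convert each domain to managed, detach the pilot groups, then switch staged rollout off) as an added example; this is not code from the thread, from MassV or from Microsoft. It assumes the MSOnline and Microsoft.Graph modules are installed, the caller is a Global Administrator, the Azure AD Connect sign-in method has already been changed to PHS or PTA, the Policy.ReadWrite.FeatureRollout scope is sufficient (assumed), and that contoso.com and fabrikam.com are the federated domains to convert (assumed names). Nothing is changed unless -Commit is passed.

```powershell
# Added example (not from the thread): cut over federated domains to managed
# authentication after the staged rollout pilot, then retire the policies.
# Assumptions: MSOnline + Microsoft.Graph modules; Global Administrator;
# Azure AD Connect already switched to PHS/PTA; assumed domain names below.
param(
    [string[]]$Domains = @('contoso.com', 'fabrikam.com'),  # assumed names
    [switch]$Commit                                          # dry run unless set
)

Connect-MsolService
Connect-MgGraph -Scopes 'Policy.ReadWrite.FeatureRollout' | Out-Null  # assumed scope

# 1. Convert each domain that is still federated. This flips every user in
#    the domain at once (not only the pilot group), so gate it on -Commit.
foreach ($d in $Domains) {
    $dom = Get-MsolDomain -DomainName $d
    if ($dom.Authentication -ne 'Federated') {
        Write-Host "$d is already $($dom.Authentication); skipping"
        continue
    }
    if ($Commit) {
        Set-MsolDomainAuthentication -DomainName $d -Authentication Managed
        Write-Host "$d converted to Managed"
    } else {
        Write-Host "[dry run] would convert $d to Managed"
    }
}

# 2. Remove the groups from every staged rollout policy, then turn the
#    policy off, in the order recommended in the reply above.
$base = 'https://graph.microsoft.com/v1.0/policies/featureRolloutPolicies'
$policies = (Invoke-MgGraphRequest -Method GET -Uri $base).value
foreach ($p in $policies) {
    $members = (Invoke-MgGraphRequest -Method GET -Uri "$base/$($p.id)/appliesTo").value
    foreach ($m in $members) {
        if ($Commit) {
            Invoke-MgGraphRequest -Method DELETE -Uri "$base/$($p.id)/appliesTo/$($m.id)/`$ref"
        } else {
            Write-Host "[dry run] would detach $($m.id) from policy '$($p.displayName)'"
        }
    }
    if ($Commit) {
        Invoke-MgGraphRequest -Method PATCH -Uri "$base/$($p.id)" -Body @{ isEnabled = $false }
        Write-Host "policy '$($p.displayName)' ($($p.feature)) disabled"
    } else {
        Write-Host "[dry run] would disable policy '$($p.displayName)' ($($p.feature))"
    }
}

# 3. Confirm the end state: every listed domain should now read Managed.
Get-MsolDomain | Select-Object Name, Authentication
```

Run it once without -Commit and read the dry-run output before the real cutover; once a domain is Managed, users who were never in the pilot group are also authenticating against Azure AD, so any remaining on-premises dependency (MFA Server, apps federated directly with AD FS) must already have been dealt with.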
 
Copper Contributor

We have enabled Staged rollout using PHS & Seamless SSO. 

 

PHS is working; however, internally I'm not getting the seamless SSO experience I was expecting, i.e. I still have to enter a UPN, at which point I am then authenticated through. I can see in the Azure AD sign-in logs that Seamless SSO was used; however, before cutting our org fully from federated to managed I'd like to test how the experience will actually be for users. Is that possible? I understand that due to domain_hint we can't test all applications, including Exchange Online, but is there any other method apart from just hitting https://myapps.microsoft.com/ via a private browser session?

 

Thanks

Steel Contributor

Thanks, we found out that a lot of our students were still using their initial temp password (which can't be synced). We are still trying to figure out why they weren't forced to change their initial password in the first place.

 

We are looking forward to https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchron... but the info is still unclear on that.
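Two posts in this thread (the one on provisioning users with the "must change password at next logon" flag, and the one on students still on their initial temporary password) report users who cannot sign in through PHS because their on-premises password never synced. The check below, added here and not taken from the thread or from Microsoft, lists members of the pilot group whose AD account still carries that flag (pwdLastSet = 0) so they can be forced through a password change before being added to staged rollout. It assumes a domain-joined host with the ActiveDirectory RSAT module and a pilot group named SG-CloudAuth-Pilot (assumed name).

```powershell
# Added example (not from the thread): report pilot-group users whose AD
# account is flagged "User must change password at next logon" (pwdLastSet = 0),
# the condition the commenters above associate with PHS sign-in failures.
# Assumptions: ActiveDirectory module available; assumed group name below.
param([string]$PilotGroup = 'SG-CloudAuth-Pilot')

Import-Module ActiveDirectory

# Direct members only: staged rollout does not expand nested groups, so
# nested members would not be in scope anyway.
$members = Get-ADGroupMember -Identity $PilotGroup |
           Where-Object objectClass -eq 'user'

$report = foreach ($m in $members) {
    $u = Get-ADUser -Identity $m.distinguishedName `
                    -Properties pwdLastSet, PasswordLastSet, UserPrincipalName, Enabled
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        Enabled           = $u.Enabled
        MustChangeAtLogon = ($u.pwdLastSet -eq 0)   # flag set => no syncable hash
        PasswordLastSet   = $u.PasswordLastSet
    }
}

$blocked = @($report | Where-Object MustChangeAtLogon)
"$($blocked.Count) of $(@($report).Count) pilot users still must change their password at next logon:"
$blocked | Format-Table UserPrincipalName, Enabled, PasswordLastSet -AutoSize

# Hand the list to the helpdesk so these users change their password (which
# triggers a hash sync) before they are moved to cloud authentication.
$blocked | Export-Csv -Path .\pilot-must-change-password.csv -NoTypeInformation
```

Disabled accounts that are provisioned with the flag set and enabled later show up here as well, which is the scenario the earlier comment warns about; running this against the group before each rollout wave avoids the "Invalid username or password" loop described above.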

Brass Contributor

For 2-3 weeks it looks like staged rollout has been broken; we can no longer add groups/change groups added to staged rollout for PTA. This happens on different tenants we control, so it seems a generic issue with the PTA Staged Rollout preview. Any date to make staged rollout GA and have it working again?

@Frank Rijt-van Could you please reach out to us through our support channels with your tenant IDs so that we can investigate. 

Copper Contributor

Does this feature apply if we are migrating from PTA to PHS?

@Martin-AJ - If you are already using PTA and want to switch to PHS, you need to use Azure AD Connect. This feature is to test Cloud Authentication while you are in a federated state.

Brass Contributor

@Alex Simons (AZURE) @Jithesh Raj (JR)

Hey guys - how's it going?

Thanks for this doc and the videos, but I don't see many comments about staged rollout for PTA.

Do I need to deploy the agents if I want to try out PTA, or can I do it without them by simply using the Staged Rollout from my portal? I am in a federated state.

Any docs or videos you can send me please?

Thanks, D

Brass Contributor

@Dolinhas: Also for staged rollout you need PTA agents installed in your environment to handle the authentication requests. We enabled staged rollout for all our users in a phased approach. When no issues occurred with all the users enabled for staged rollout PTA, we switched from ADFS towards PTA using method B as described by Microsoft in this article: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-migrate-adfs-pass-through-authen... The migration towards PTA went flawlessly for all our users (20K+).

Brass Contributor

@Frank Rijt-van 

Thanks for coming back to me - I really appreciate your help.

I am glad to hear that your deployment went well - my infra is less than 2K users and computers.

I have a question about the Computer Account and SPNs created during the Stage Rollout:

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-migrate-adfs-pass-through-authen...

 Note

Domain Administrator account credentials are required to enable seamless SSO. The process completes the following actions, which require these elevated permissions. The Domain Administrator account credentials aren't stored in Azure AD Connect or in Azure AD. The Domain Administrator account credentials are used only to turn on the feature. The credentials are discarded when the process successfully finishes.

  1. A computer account named AZUREADSSOACC (which represents Azure AD) is created in your on-premises Active Directory instance.
  2. The computer account's Kerberos decryption key is securely shared with Azure AD.
  3. Two Kerberos service principal names (SPNs) are created to represent two URLs that are used during Azure AD sign-in.

 

If I decide to cancel the Stage Rollout will those accounts still be in my on-prem AD? If so can these be safely removed?

Also about your migration - did you switch off the Staged Rollout slider, or how does that part of the portal look after you have gone to PTA or PHS?

Any problems you found during the trial or after the full migration?

Thanks, D

Brass Contributor

@Dolinhas: As for your first question: most likely those accounts will stay, but you can safely remove them alongside uninstalling the PTA agent(s) if you cancel the staged rollout. After the migration the staged rollout switch is greyed out, as you're already on PTA. We didn't encounter any problems. Make sure that your synced accounts all have a UPN that is a verified and registered domain in Office 365. So if your synced users have an on-prem UPN like "@domain.local", make sure they have an "@yourdomain.com" UPN if they need to log on to Office 365.

 

A great improvement is that domain password expiration is also handled with PTA from the Azure AD logon (unlike ADFS).

 

We encountered no issues during migration.
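The question above about the AZUREADSSOACC computer account and its SPNs is worth answering with a check rather than a guess, because that account's Kerberos decryption key is what Azure AD uses to validate users' tickets, which makes it a Tier 0 credential in your forest. The script below is an added example (not from the thread, from Frank, or from Microsoft): it reports whether the account exists, which SPNs it carries, and how long ago its key was last rolled. It assumes a domain-joined host with the ActiveDirectory RSAT module and treats 30 days as the maximum acceptable key age (assumed threshold, matching the rollover cadence Microsoft recommends for this account).

```powershell
# Added example (not from the thread): audit the AZUREADSSOACC computer
# account created when Seamless SSO is enabled. Assumptions: ActiveDirectory
# module available; $MaxKeyAgeDays is an assumed threshold (30 days).
param([int]$MaxKeyAgeDays = 30)

Import-Module ActiveDirectory

$acc = Get-ADComputer -Filter "Name -eq 'AZUREADSSOACC'" `
                      -Properties servicePrincipalName, PasswordLastSet, Enabled, WhenCreated
if (-not $acc) {
    "AZUREADSSOACC not found: Seamless SSO has not been enabled in this forest."
    return
}

# PasswordLastSet on this object is the last time the Kerberos decryption
# key shared with Azure AD was rolled. An old key means any past exposure of
# the account (or of an old backup) is still usable against Azure AD.
$age = (Get-Date) - $acc.PasswordLastSet
[pscustomobject]@{
    Name           = $acc.Name
    Enabled        = $acc.Enabled
    Created        = $acc.WhenCreated
    KeyLastRolled  = $acc.PasswordLastSet
    KeyAgeDays     = [int]$age.TotalDays
    KeyRolloverDue = ($age.TotalDays -gt $MaxKeyAgeDays)
    SPNs           = ($acc.servicePrincipalName -join '; ')   # two HTTP/ SPNs for the Azure AD sign-in URLs
}

if ($age.TotalDays -gt $MaxKeyAgeDays) {
    Write-Warning ("AZUREADSSOACC key is {0} days old; roll it with Update-AzureADSSOForest " +
                   "from the AzureADSSO module on the Azure AD Connect server.") -f [int]$age.TotalDays
}
```

If you abandon the staged rollout, disable Seamless SSO in Azure AD Connect first and only then delete the computer account; deleting it while the feature is still on breaks the SSO flow for users already being routed to cloud authentication, and leaving it in place with a never-rolled key is the worse of the two outcomes.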

Brass Contributor

@Frank Rijt-van 

Thanks for that, Frank

My idea is to use PTA so my machines become Hybrid in Azure and I can manage them in Intune.

 

I just realised... can I use Staged Rollout to sync machines on-prem to Azure AD so they become Hybrid type? Or is Staged Rollout just for users?

D

Brass Contributor

@Dolinhas 

 

For newer Windows 10 builds device sync is not needed; they are directly registered in Azure AD (also with Hybrid) by themselves, as long as your DNS settings are correct.

 

Fr@nk.

Copper Contributor

Just about to test the staged rollout. My domain doesn't have Seamless SSO enabled; if I enable this via PowerShell, would this have any effect on my current Federated setup?

 

Thanks 

Brass Contributor

we are going to use "Option B: Switch from federation to pass-through authentication by using Azure AD Connect and PowerShell"

Does this method support phased rollout?

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-migrate-adfs-pass-through-authen...

 

@Pa_D Yes, Staged Rollout supports PTA as well. 

Brass Contributor

@Jithesh Raj (JR) thanks for your quick reply, and apologies if I did not put the question correctly.

When switching to PTA there are 2 options: option 1 uses only AD Connect (if the ADFS farm was built using AD Connect), option 2 uses AD Connect + PS (if ADFS was built outside of AD Connect).

For customers who fall under the option 2 category, do we have to first run the PowerShell to change the domain from federated to managed before running staged rollout?

 

Thanks in advance.

@Pa_D In either case you just need to do the below:

1- Pre-work for PTA Staged Rollout https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-staged-rollout#pre-wor... 

2 - (Optional) Pre-Work for SeamlessSSO - https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-staged-rollout#pre-wor...

 

Only when you want to cut over completely to PTA from the Federated state would you need to change the sign-in option in Azure AD Connect to PTA and also run the PS to switch the domain authentication from Federated to Managed, since Azure AD Connect is not managing Federation (ADFS).

 

 

Copper Contributor

What happens after you switch over? Do you still leave the staged rollout toggles on?

@ZimTaylor You can remove the group and turn off Staged Rollout after you cut over from federated to managed. There is absolutely no purpose in keeping staged rollout enabled!

Copper Contributor

Perfect, I can do that. I'm switching our WS-Fed identity provider (OneLogin, which is similar to Okta/PingFed) this weekend to PHS. My worry is that it may reset everyone's passwords; is this the case?

@ZimTaylor Sent you a direct message to catch up over mail.

Copper Contributor

Thank you, I've just replied.

Version history
Last update: Jul 24 2020 01:31 AM