Can you Migrate from Microsoft Cloud Identity to ADFS


Hello,

If you start a new full-cloud O365 tenant with Azure AD and Azure ADDS using just the Cloud Identity authentication model, can you later upgrade to using ADFS for authentication?

https://docs.microsoft.com/en-us/office365/enterprise/plan-for-directory-synchronization#office-365-...

Thank you in advance!

Phillip Toynton

5 Replies

If you have on-prem Active Directory, it would be easier for you to set up Azure AD Connect and sync the users that way. If you don't set up AD FS, you would log in the same way as if the users were created directly in the cloud.

Then you could later set up AD FS and reap all the benefits from that.

It's completely feasible to create the users directly in Office 365, then synchronize the users and set up AD FS but it's much easier to just start off with Azure AD Connect in the first place.

Hi Robert,

Thank you for the reply. We're actually planning on moving away from a hybrid environment and we're actively working on not having any on-prem AD servers in-house.

We've been in a hybrid environment for over 4 years and our business model has never needed and/or wanted to use the SSO capabilities with ADFS authentication model.

What I want to know is IF we go to full O365 cloud and use Azure to ONLY host a newly created DC (and a fault tolerance DC), and use Cloud Identity for authentication, can we later (6 months? a year? 5 years?) add ADFS, AD Sync and AD Connect? There is a strong desire to simplify our infrastructure.

Phil

Any users created on-prem will be deleted in Azure AD if you stop the sync from AD.

You can set up your servers in Azure, but before removing anything on-prem you need to migrate the PDC to a DC in Azure and set up a new AAD Connect there.

Hi Robert,

Again - thank you so much for responding.

"Any users created on-prem will be deleted in Azure AD if you stop the sync from AD."

But what if I first import them into an O365 environment?

We're looking to create a new PDC in Azure (with another for fault tolerance). My understanding is that if we don't need SSO, we don't have to set up the AD sync / AD Connect or the ADFS farm. We can just use Cloud Identity to manage our users.

Is this not true?

Thank you,

Phil

Sorry, I might have misspoken. I never had to do this and last time I checked, most people said that it was impossible to break the AD Sync without deleting users but according to this article you can stop the AD Connect synchronization and then you would be able to manage users in Azure AD alone.

https://support.microsoft.com/en-us/help/2619062/you-can-t-manage-or-remove-objects-that-were-synchr...

Fair warning; I have never tried this method before so I'm not 100% sure about the outcome. According to how I read that article you should be able to connect to Azure AD and say that it shouldn't use sync from on-prem and thus be able to edit users previously synchronized.

Thank you for the question, I'm here to learn new things as well as help and this definitely helped me.
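
As an added example that is not part of the original thread: one way to test the disputed point (whether synced users survive when directory sync is turned off) is to inventory the synced accounts first, disable sync at the tenant level, and then confirm every recorded account still exists. The sketch assumes the legacy MSOnline PowerShell module and a Global Administrator sign-in; the CSV file name and the `$DisableSync` guard variable are hypothetical.

```powershell
# Added example: assumes the legacy MSOnline module is installed.
Import-Module MSOnline
Connect-MsolService   # interactive sign-in as a Global Administrator

# Hypothetical guard: leave $false for a read-only inventory run.
$DisableSync = $false
$snapshot    = '.\synced-users-before.csv'   # hypothetical file name

# 1. Record the tenant-wide sync state before touching anything.
$company = Get-MsolCompanyInformation
"DirSync enabled: {0}; last sync: {1}" -f `
    $company.DirectorySynchronizationEnabled, $company.LastDirSyncTime

# 2. Separate synced accounts (LastDirSyncTime is set) from cloud-only ones.
$users  = Get-MsolUser -All
$synced = @($users | Where-Object { $_.LastDirSyncTime })
$cloud  = @($users | Where-Object { -not $_.LastDirSyncTime })
"{0} synced users, {1} cloud-only users" -f $synced.Count, $cloud.Count

# 3. Keep a snapshot of the synced set so nothing can disappear unnoticed.
$synced |
    Select-Object UserPrincipalName, ImmutableId, LastDirSyncTime, IsLicensed |
    Export-Csv -Path $snapshot -NoTypeInformation

# 4. Turn off directory synchronization for the tenant (only when armed).
if ($DisableSync) {
    Set-MsolDirSyncEnabled -EnableDirSync $false -Force
}

# 5. Verify: re-read the tenant flag and look up every account in the snapshot.
"DirSync enabled now: {0}" -f `
    (Get-MsolCompanyInformation).DirectorySynchronizationEnabled

$missing = Import-Csv -Path $snapshot | Where-Object {
    -not (Get-MsolUser -UserPrincipalName $_.UserPrincipalName `
                       -ErrorAction SilentlyContinue)
}
if ($missing) {
    "Accounts no longer present:"
    $missing | Select-Object UserPrincipalName, ImmutableId
} else {
    "All previously synced accounts are still present."
}
```

Running it first with `$DisableSync = $false` gives a baseline; steps 1 and 5 can be re-run on their own later to confirm the tenant state and the account list.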