Forum Discussion
Changing Azure AD Federation provider
- Jun 23, 2020
I feel there are two challenges to solve:
- Making sure your colleagues synchronize correctly end-to-end.
- Switching federation with Okta to Azure AD Connect PTA.
The current setup keeps user objects in Active Directory in sync with user objects in Azure AD. To make sure the same objects on both ends are matched end-to-end, I'd recommend hard matching by setting the source anchor attributes on both ends. There's more information on end-to-end matching here. To avoid multiple synchronization engines writing to Azure AD and possibly introducing last-write errors, I'd also recommend using Staging Mode in Azure AD Connect while Okta still actively synchronizes.
From Azure AD's point of view, it doesn't matter which federation solution you use. Whether it's Okta, HelloID or PingFederate, you can use the staged roll-out feature with all of them.
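The hard-match check described in the reply above, as an added example that is not part of the original post. It compares the source anchor of an on-premises AD user (mS-DS-ConsistencyGuid, or objectGUID when the former is empty) with the OnPremisesImmutableId of the Azure AD user and only writes the anchor when explicitly confirmed. It assumes the ActiveDirectory and Microsoft.Graph.Users modules, an existing Connect-MgGraph session, and constructed sample accounts.

```powershell
# Added example (not from the forum post): verify that an on-premises AD user and its
# Azure AD counterpart share the same source anchor before relying on a hard match.
# Assumes the ActiveDirectory and Microsoft.Graph.Users modules are installed and that
# Connect-MgGraph has already been run with User.ReadWrite.All consent.
function Get-ExpectedImmutableId {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $adUser = Get-ADUser -Identity $SamAccountName -Properties objectGUID, 'mS-DS-ConsistencyGuid'
    # Azure AD Connect uses mS-DS-ConsistencyGuid as the anchor when it is populated and
    # falls back to objectGUID otherwise; the cloud value is the base64 of the GUID bytes.
    $guidBytes = if ($adUser.'mS-DS-ConsistencyGuid') { [byte[]]$adUser.'mS-DS-ConsistencyGuid' }
                 else { $adUser.ObjectGUID.ToByteArray() }
    return [System.Convert]::ToBase64String($guidBytes)
}

function Test-HardMatch {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$UserPrincipalName
    )
    $expected  = Get-ExpectedImmutableId -SamAccountName $SamAccountName
    $cloudUser = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName, OnPremisesImmutableId
    $actual    = $cloudUser.OnPremisesImmutableId
    if ($actual -eq $expected) {
        Write-Host "OK       $UserPrincipalName anchor matches ($expected)"
        return $true
    }
    Write-Warning "MISMATCH $UserPrincipalName cloud='$actual' expected='$expected'"
    # The anchor can only be written on a cloud object that is not currently under sync
    # control, so do this before the new sync engine leaves staging mode. Run with -WhatIf first.
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, "Set OnPremisesImmutableId to $expected")) {
        Update-MgUser -UserId $cloudUser.Id -OnPremisesImmutableId $expected
    }
    return $false
}

# Constructed sample input: on-prem accounts paired with the cloud UPN they should match.
$pairs = @'
SamAccountName,UserPrincipalName
jdoe,jdoe@contoso.example
asmith,asmith@contoso.example
'@ | ConvertFrom-Csv

foreach ($p in $pairs) {
    Test-HardMatch -SamAccountName $p.SamAccountName -UserPrincipalName $p.UserPrincipalName -WhatIf
}
```

Drop -WhatIf only after the report shows the mismatches you expect; every write is logged through ShouldProcess so the change is auditable.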
Sander Berkouwer JanBakkerOrphaned Thanks a lot, both of you, for the tips & help.