Azure AD Connect / ADFS – You can now stage your migration from AD FS (preview)

When you move to cloud services (here Office 365 and/or Azure Active Directory/Azure), the authentication process must keep working seamlessly as you move away from federated authentication services (AD FS, Okta…) to cloud authentication.

This means you need to be able to test and validate the process.

Until now this was quite a sensitive and delicate process, but you can now stage your migration away from the federated authentication services.

To start, you of course need Azure AD Connect to sync your directory (hopefully already in place) and to enable either Password Hash Sync (PHS) with Seamless SSO or Pass-through Authentication (PTA) with Seamless SSO (additionally, you may also have set up your company branding, Self-Service Password Reset (SSPR) and MFA registration).

You also need at least one group of users, which will be used to target the rollout.

You will then need the Azure AD 2.0 Preview PowerShell module (available at https://www.powershellgallery.com/packages/AzureADPreview/2.0.2.5) and, for the PTA option only, the Azure AD Connect Authentication Agent (https://aka.ms/getauthagent) deployed on at least one Windows Server 2012 R2 or later.

Then log on to the Azure portal (https://portal.azure.com/) or the Azure Active Directory portal (https://aad.portal.azure.com/) and open the Azure Active Directory\Azure AD Connect blade.


There you will see a new option called STAGED ROLLOUT OF CLOUD AUTHENTICATION, which you will need to enable.

You will have to turn on either the PTA or the PHS option (do not enable both), select the group(s) of users (up to 10 groups) for which you want to enable the staged rollout, and enable the Seamless SSO option.

The selection of the group(s) becomes available after you have successfully enabled one of the options.


When you turn on either of the options, you will be asked to confirm the operation.


For PTA authentication, the system will validate that at least one agent has been successfully registered; otherwise it will fail.


At this stage you are ready to stage your rollout: only users who are members of the selected group(s) will now use cloud authentication, while the others will continue to authenticate through the federation services.
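Before turning the option on in the portal, it is worth knowing exactly who the pilot groups contain. The following script is an added example (not part of the original post) that checks the module version and the 10-group limit mentioned above, then lists the members of each pilot group who will switch to cloud authentication; the group names and the Global Administrator sign-in are assumptions.

```powershell
# Added example: preview who a staged rollout would move to cloud authentication.
# Assumes the AzureADPreview module is installed and that Connect-AzureAD is run
# as a Global Administrator. The group names below are placeholders.
$pilotGroups = @('SG-CloudAuth-Pilot-Wave1', 'SG-CloudAuth-Pilot-Wave2')  # placeholders

# Staged rollout accepts at most 10 groups.
if ($pilotGroups.Count -gt 10) {
    throw "Staged rollout supports up to 10 groups; $($pilotGroups.Count) were supplied."
}

# Require at least the AzureADPreview version the post points at.
$minVersion = [version]'2.0.2.5'
$module = Get-Module -ListAvailable -Name AzureADPreview |
    Sort-Object Version -Descending | Select-Object -First 1
if (-not $module -or $module.Version -lt $minVersion) {
    throw "AzureADPreview $minVersion or later is required (found: $($module.Version))."
}

Connect-AzureAD | Out-Null

foreach ($name in $pilotGroups) {
    $group = @(Get-AzureADGroup -Filter "displayName eq '$name'")
    if ($group.Count -eq 0) { Write-Warning "Group '$name' not found; skipping."; continue }
    if ($group.Count -gt 1) { Write-Warning "Group name '$name' is ambiguous; skipping."; continue }

    $members = Get-AzureADGroupMember -ObjectId $group[0].ObjectId -All $true
    $users   = @($members | Where-Object ObjectType -eq 'User')
    $nested  = @($members | Where-Object ObjectType -eq 'Group')

    Write-Host "Group '$name' ($($group[0].ObjectId)): $($users.Count) direct user(s) will use cloud authentication"
    if ($nested.Count -gt 0) {
        Write-Warning "  $($nested.Count) nested group(s) found; their members are not listed here."
    }

    # Cloud-only accounts were never federated, so flag them to avoid misreading the pilot list.
    $users | Where-Object { -not $_.DirSyncEnabled } | ForEach-Object {
        Write-Warning "  $($_.UserPrincipalName) is cloud-only and is not affected by the AD FS cut-over."
    }

    $users | Select-Object UserPrincipalName, DirSyncEnabled | Format-Table -AutoSize
}
```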
