The huge amount of pre-work and the required lift and shift might be enough to deter you from even considering moving to another SSO provider, despite the cost and time benefits of Azure AD SSO in the long run. But fortunately, Azure AD has a feature to help make this move quite a bit easier: staged rollout.
AzureAD – Staged rollout
Staged rollout allows you to disable federated authentication and use either password hash sync or pass-through authentication for a subset of your Azure AD tenant. This lets you pilot using Azure AD SSO with Office 365 (and any applications you register with Azure AD) with a much smaller group. All features such as Azure MFA, Conditional Access, and Identity Governance work in staged rollout mode, allowing you to comprehensively test using Azure AD fully for SSO before switching over more users.
If you are also working on having your organization enroll in Azure MFA, using staged rollout with smaller application populations allows you to target enrollment to specific users (smaller populations) at first. This approach makes the required change management a much easier effort.
Next, you need to determine which population(s) you want to switch to native cloud authentication first. You can configure up to 10 security groups to use staged rollout. Each group can contain up to 50,000 members, although you must add a group to staged rollout before populating it with more than 200 members. Unfortunately, nested and dynamic groups are currently unsupported (as of June 2022). However, it is easy enough to use the bulk import feature to import a list of users to a group in Azure AD.
If you have multiple Azure AD domains, you might want to break out the groups by domain, with each domain containing a subset of the population to test out native Azure AD SSO. Note that you can switch over individual domains to managed/cloud authentication while still using staged rollout for the remaining domains.
At some point you will have enough users migrated to Azure AD SSO and you will transition from using staged rollout and federated authentication to full password hash sync or pass-through authentication. When considering the cutover threshold, keep in mind that any remaining users may be prompted to enroll in Azure MFA (depending on your policies) and will need to re-sign in to their Office 365 apps. But at this point, staged rollout has helped get most of your users to the final state.
Staged rollout can help make your transition to Azure AD SSO quite a bit easier. It decreases your risk by allowing a slow, testable rollout instead of one big all-or-nothing switch. When you combine using staged rollout with a repeatable process for app migrations, what seemed like an impossibly daunting task with no starting place can be fully accomplished in smaller, easier-to-migrate sets of applications and users.
As part of staged rollout would like to enable Seemliess SSO,was wondering if I enable Seamless SSO on my domain via powershell ( Enable-AzureADSSOForest -OnPremCredentials $creds) would this cause any disruption / issues with the current federation method?
I understand you were in the process of staged rollout. staged rollout doesn't switch domains from federated to managed. You still need to make the final cutover from federated to cloud authentication by using Azure AD Connect or PowerShell.
You can enable seamless SSO and it is triggered only for users who are selected for staged rollout and it won't affect your existing federation setup. Kindly go through the below documents to get a detailed information.
We believe that a successful transition to cloud-based services hinges on a well-designed identity strategy. The cloud can empower creativity and productivity. But only if authentication is secure and services are easy to access. In our roles as the IT Manager at Mitsui and Project Manager at Mitsui Knowledge Industry, we needed to migrate user authentication off Active Directory Federation Services to support our digital transformation goals. Azure AD staged rollout simplified the process for users and IT administrators.
Azure AD Staged rollout gave us the tools to implement a well-planned cutover. Once we set up modern authentication and Conditional Access, we created a test environment and split our users into groups. We tested our implementation of Azure AD with small groups. We evaluated how each step affected users and made changes as we went. This process simplified testing for our IT administrators.
Microsoft says that staged migration lets organizations test the changes with select users without changing domain federation settings. Keep in mind that the staged rollout can target up to 500,000 users. You can learn more about the MFA Server Migration Utility on this support page.
Step forward, staged rollout. A feature designed to "test" cloud authentication without fully decoupling your federated domains. Less risk to the business and assurance that cutting ties with federation will go smoothly when done post-staged rollout. Ideal!
The point of staged rollout is to define a small pilot group and be able to test cloud authentication for O365 services whilst production users can happily work away in the background with their federated identity unaffected.
Upon completing the pre-requisites and enabling staged rollout, our "pilot users" were unable to authenticate. The authentication experience was changing to cloud authentication but the passwords were failing. Password Hash Sync was enabled in Azure AD Connect but the cloud platform didn't appear to "know" the passwords.
Starting today, January 15, Microsoft is starting its planned rollout of its Chromium-based Edge browser. As officials previously indicated, the rollout of the new Edge (or "Chredge," as some of us have nicknamed it) will happen in a staged way starting today and continuing over the next few months. Today, Microsoft is making the first release of the Stable channel (Edge 79) of the new Edge available to consumer, education and business-user "seekers" only. Windows 7, Windows 8.X, Windows 10 and macOS users can download it manually from starting today. Chredge is available immediately in 90 languages. (Microsoft also has rebranded its Edge browsers on iOS and Android to match the logo/branding of the new Edge, but these mobile Edge variants are already available in final form and independent of the new desktop Edge browser which is being released today.)
This particular AD FS configuration (FBL 4) change allows you to select an authentication provider based on group membership. You can use AD FS for Windows Server 2016 which is FBL 3, but it will not be seamless and users will be prompted to manually select their authentication provider under the FBL 3 setting. This is important to move to FBL 4 so that we can use groups to handle staged-rollouts (POC) for testing purposes. Check out the links at the end of this article to get the full Prerequisistes breakdown on the migration path.
It is our recommendation to try and move away from using federated authentication for M365. This may seem like a difficult task however Microsoft have made it much less painful with the ADFS migration toolkit and the new ability to stage Cloud-Managed Authentication to specific groups of users. See: -us/azure/active-directory/hybrid/how-to-connect-staged-rollout 2ff7e9595c
Comments