Hey everyone, I'm about to fully move away from our ADFS setup this week and I'm hoping to get some input on my plan to ensure I haven't overlooked anything. Here's what I've done so far:
1. Migrated all third-party services relying on ADFS for SSO to Azure Enterprise Apps/App Registrations.
2. Configured the ADConnect server to upload user account password hashes to Azure.
3. Set up a staged ADFS migration in Entra, created multiple defederation security groups in the cloud, and successfully added over 2000 users in batches of 500, linking them to the staged migration in Entra.
4. Shut down the ADFS servers more than a month ago without any issues for users logging in.
The final step is to perform the actual defederation of the tenant. From what I gather, it seems pretty straightforward using a few PowerShell commands:
```powershell
# Connect and authenticate
Install-Module -Name AzureAD
Connect-AzureAD

# Check current configuration
Get-AzureADDomain -Name yourdomain.com

# Set the new configuration
Set-AzureADDomainAuthentication -DomainName yourdomain.com -AuthenticationType Managed

# Confirm the change & check that it now shows as "Managed"
Get-AzureADDomain -Name yourdomain.com
```
Does this approach look correct for anyone who has gone through a similar process? Also, I noticed the small green pin next to users' accounts in Entra has turned grey, which has no apparent impact but I'd love to understand why this is happening. Any insights would be greatly appreciated!
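The same check / convert / confirm procedure written against the Microsoft Graph PowerShell SDK instead of the AzureAD module, as an added example that is not part of the original post. It assumes the Microsoft.Graph modules are installed, that `$DomainName` is the federated domain, and that the stale-sync guard (users in that domain whose on-prem object has not synced in 24 hours) is a sanity check on password hash sync, not an official Microsoft test.

```powershell
# Added example: move a federated Entra domain to managed authentication with the
# Microsoft Graph PowerShell SDK. $DomainName is a placeholder for the federated domain.
param(
    [Parameter(Mandatory)] [string] $DomainName,
    [switch] $WhatIf   # dry run: report state, change nothing
)

Import-Module Microsoft.Graph.Identity.DirectoryManagement -ErrorAction Stop
Import-Module Microsoft.Graph.Users -ErrorAction Stop

# Domain.ReadWrite.All is needed to change authenticationType; User.Read.All for the guard.
Connect-MgGraph -Scopes "Domain.ReadWrite.All", "User.Read.All" -NoWelcome

# 1. Check current configuration
$domain = Get-MgDomain -DomainId $DomainName -ErrorAction Stop
Write-Host "$($domain.Id): authenticationType=$($domain.AuthenticationType) verified=$($domain.IsVerified)"
if ($domain.AuthenticationType -eq 'Managed') {
    Write-Host "Domain is already Managed; nothing to do."
    return
}

# 2. Guard (assumption, not an official check): once federation is gone, cloud sign-in relies
#    on synced password hashes, so synced users in this domain that have not synced in 24h are
#    a warning sign that AD Connect is not flowing hashes for them.
$cutoff = (Get-Date).AddHours(-24)
$stale = Get-MgUser -Filter "onPremisesSyncEnabled eq true" -All `
            -Property UserPrincipalName, OnPremisesLastSyncDateTime |
         Where-Object { $_.UserPrincipalName -like "*@$DomainName" -and
                        $_.OnPremisesLastSyncDateTime -lt $cutoff }
if ($stale) {
    Write-Warning "$(@($stale).Count) synced users in $DomainName have not synced since $cutoff"
    $stale | Select-Object UserPrincipalName, OnPremisesLastSyncDateTime | Format-Table
}

if ($WhatIf) { Write-Host "WhatIf: would set $DomainName to Managed"; return }

# 3. Set the new configuration: Entra stops redirecting sign-ins to ADFS and validates
#    the synced password hashes itself.
Update-MgDomain -DomainId $DomainName -AuthenticationType 'Managed'

# 4. Confirm the change stuck
$after = Get-MgDomain -DomainId $DomainName
if ($after.AuthenticationType -ne 'Managed') {
    throw "Conversion failed: $DomainName still reports $($after.AuthenticationType)"
}
Write-Host "$DomainName is now Managed."
```

Run it with `-WhatIf` first to see the domain state and any stale-sync warnings before the actual conversion.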
6 Answers
You're definitely going to want to incorporate Graph for these tasks now that you're moving away from ADFS.
Just a heads up, I removed federation completely across my tenant once, and it caused all users to lose their sign-in methods for about 25 minutes during a full AAD sync. We didn’t use staged defederation, but it’s worth considering that possibility.
Make sure to carefully evaluate the authentication method for each app. Personally, I stick to SAML for external apps and prefer OAuth 2.0 for internal ones. It’s just easier to manage secrets securely that way. Plus, with external SaaS apps, I'm not always sure where my secrets end up.
Check out the Microsoft docs at adfshelp, but be cautious; that site has been discontinued and they’ve moved all resources to the Learn docs. Just a quick tip!
I’d watch out for using Msol commands; they’re deprecated and likely won’t work anymore. You should switch to MS Graph cmdlets instead. If you’re up for a challenge, using `Invoke-RestMethod` for direct Graph API interactions is another route, but that’s quite a leap from Msol commands. Just a heads-up on that!
Totally agree, I also saw the same thing with some outdated docs. Make sure you’re using the latest cmdlets!
Yeah, it's definitely important to keep using up-to-date documentation going forward.

Good reasoning! Leaked secrets can be a real pain; SAML typically feels a bit more secure against exploitation.