Transitioning from ADFS to Azure Authentication: Need a Second Opinion on My Plan

Asked By TechieTraveler42 On

Hey everyone! I'm shutting down our ADFS setup soon and wanted to run through my migration plan to see if I've missed anything important. Here's what I've done so far:

1. Migrated all third-party services that relied on ADFS for single sign-on to Azure Enterprise Applications.
2. Set up our ADConnect server to upload user password hashes to Azure.
3. Configured the staged ADFS migration in Microsoft Entra, created multiple defederation security groups in the cloud, and added everyone (over 2000 users) to those groups in batches of 500, then linked them to the Staged Migration in Entra.
4. Turned off the ADFS servers over a month ago with no issues reported from users.

The last step is to actually defederate the tenant. From what I've read, it seems like it should be straightforward using PowerShell:

# Connect and authenticate
# (the retired AzureAD module has no cmdlet for changing a domain's authentication
#  type; the Microsoft Graph PowerShell cmdlets below are the supported replacement)
Install-Module -Name Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes "Domain.ReadWrite.All", "Directory.AccessAsUser.All"

# Check current setup (expect AuthenticationType = Federated)
Get-MgDomain -DomainId yourdomain.com | Select-Object Id, AuthenticationType

# Update setup: convert the federated domain to managed (cloud) authentication
Update-MgDomain -DomainId yourdomain.com -AuthenticationType Managed

# Verify the change (expect AuthenticationType = Managed)
Get-MgDomain -DomainId yourdomain.com | Select-Object Id, AuthenticationType

Does that seem correct based on what you've experienced? Also, I noticed that for the past month, while users have been authenticating directly with Azure instead of ADFS, the green checkmark next to their accounts in Entra is now grey. I'm unsure why this happened, but it hasn't affected anyone negatively so far. Has anyone encountered something similar or know the reason behind this? Any advice would be appreciated!

5 Answers

Answered By SAMLSeeker On

Make sure to evaluate the authentication methods for each application. For external apps, I typically opt for SAML, but for internal applications, I prefer OAuth 2.0. It’s just easier for managing secrets securely, and with external apps, there’s more uncertainty about security.

Answered By LegacySystemDude On

If you’re seeking additional resources, the old adfshelp.microsoft.com is no longer up. All the troubleshooting has moved to the Learn documentation for AD FS, so that might be worth checking out!

Answered By MigrationMaster On

When I removed the federation across our tenant, it caused a temporary sign-in disruption for users—about 25 minutes with no sign-in methods available while AAD was syncing. That might be due to not using staged de-federation, but something to consider regardless!

Answered By AzureSupportGuy On

Definitely look into using the Graph API for these updates—it's more aligned with the future of Azure management.

Answered By CloudGuru89 On

Just a heads up, Msol commands are now outdated and might not work. You should switch to using MS Graph cmdlets since that's the recommended approach for tenant-level operations now. If you're feeling adventurous, you could also use `Invoke-RestMethod` to directly communicate with the Graph API, but that would be a bigger leap from the standard cmdlets.

AzureFanatic12 -

Exactly! It’s crucial to rely on the most current documentation. Outdated methods might lead you astray, so be sure to check that you're using the latest cmdlets.

CodeNinja777 -

Ha! Same here, I was stuck using old commands until I realized they were deprecated. Always good to stay updated!
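The final step from the question (converting the domain from federated to managed), done with the Microsoft Graph cmdlets that CloudGuru89 and AzureSupportGuy recommend, with the pre-flight checks MigrationMaster's outage suggests you want before pressing the button. This is an added example, not code from the original post or from Microsoft; it assumes the Microsoft.Graph.Authentication, Microsoft.Graph.Identity.DirectoryManagement and Microsoft.Graph.Identity.SignIns modules are installed, that the caller holds a role allowed to change domain settings, and that `$DomainName` and `$BackupPath` are placeholders you supply.

```powershell
# Added example: guarded federated -> managed conversion with Microsoft Graph PowerShell.
# Not from the original post. Assumes the Graph modules named below are installed and
# that $DomainName (e.g. yourdomain.com) is the federated domain being converted.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Identity.SignIns
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param(
    [Parameter(Mandatory)] [string] $DomainName,                      # placeholder
    [string] $BackupPath = ".\federation-$DomainName.json"             # placeholder
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# Domain.ReadWrite.All covers reading the domain and its federation settings.
# Directory.AccessAsUser.All is the delegated permission the Graph domain resource
# documents for changing authenticationType. Policy.Read.All reads staged-rollout policies.
Connect-MgGraph -Scopes 'Domain.ReadWrite.All', 'Directory.AccessAsUser.All', 'Policy.Read.All' -NoWelcome

$domain = Get-MgDomain -DomainId $DomainName
if (-not $domain.IsVerified) { throw "$DomainName is not a verified domain in this tenant." }
if ($domain.AuthenticationType -ne 'Federated') {
    Write-Host "$DomainName is already $($domain.AuthenticationType); nothing to do."
    return
}

# 1. Keep a copy of the federation settings so the domain can be re-federated
#    if cloud authentication turns out to be broken for some population.
$fed = Get-MgDomainFederationConfiguration -DomainId $DomainName
$fed | Select-Object Id, IssuerUri, PassiveSignInUri, ActiveSignInUri, SignOutUri, FederatedIdpMfaBehavior |
    ConvertTo-Json -Depth 5 | Set-Content -Path $BackupPath
Write-Host "Saved federation settings for $DomainName to $BackupPath"

# 2. Staged rollout (the 'staged migration' in the Entra portal) is what has been
#    signing users in with password hash sync while AD FS was off. Report it rather
#    than touch it: the migration guidance turns it off after conversion, not before.
$rollout = Get-MgPolicyFeatureRolloutPolicy | Where-Object { $_.IsEnabled }
if (-not $rollout) {
    Write-Warning "No enabled staged-rollout policy: while $DomainName stays federated, sign-in depends on AD FS until the conversion completes."
} else {
    $rollout | ForEach-Object { Write-Host ("Staged rollout enabled: {0} ({1})" -f $_.DisplayName, $_.Feature) }
}

# 3. The conversion itself. -WhatIf shows the change without sending it; otherwise
#    ConfirmImpact='High' forces a prompt unless -Confirm:$false is passed.
if ($PSCmdlet.ShouldProcess($DomainName, 'Convert authenticationType Federated -> Managed')) {
    Update-MgDomain -DomainId $DomainName -AuthenticationType 'Managed'

    # 4. Verify by reading the domain back rather than trusting the call's return.
    $after = Get-MgDomain -DomainId $DomainName
    if ($after.AuthenticationType -ne 'Managed') {
        throw "Conversion did not take effect: $DomainName is still $($after.AuthenticationType)."
    }
    Write-Host "$DomainName is now Managed; test an interactive sign-in before removing the staged-rollout groups."
}
```

Run it once with `-WhatIf` to see the checks and the intended change, then without. If you prefer CloudGuru89's `Invoke-RestMethod` route, the same two operations are a `GET` and a `PATCH` on `https://graph.microsoft.com/v1.0/domains/{domain}` with a JSON body of `{"authenticationType":"Managed"}`; the pre-flight reads and the post-change verification apply either way.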
