Hi @user20201 • Thank you for reaching out.
You need to take care of below considerations:
- You must have abc.xyz.com added as a verified domain in your Azure AD tenant.
- Users must be synced from on-premises AD to Azure AD with a UPN like username@jaswant.xyz.com.
- You must have Password Hash Sync enabled in AD Connect (as highlighted below) and make sure the passwords are syncing successfully by checking Application event logs on AD Connect server.
- Run Set-MsolDomainAuthentication -Authentication Managed -DomainName <domain name> on the ADFS server to convert authentication from Federated to Managed.
- If you are using a federation server other than ADFS, you will need to use the Set-MsolDomainAuthentication cmdlet for this purpose.
Expected behavior once the above steps are done: when users sign in using username@jaswant.xyz.com, they will no longer be redirected to the on-premises federation server based on the abc.xyz.com domain suffix in the UPN, and authentication will take place directly via the Azure AD tenant where username@jaswant.xyz.com is added as a verified domain.
Since our Azure AD Connect is enabled for syncing, do we still need to migrate the users from Active Directory to Azure AD?
If users are already synced, there is no need to perform any sort of migration from Active Directory to Azure AD.
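A pre-flight script for the checks and the cutover described above, added here as an example and not part of the original answer. It assumes the MSOnline module is installed and Connect-MsolService has already been run, that the domain name and sample UPN are placeholders to replace, and that the Password Hash Sync and event-log section is executed on the Azure AD Connect server itself (the ADSync module and the "Directory Synchronization" event source, with event 651 as the completed-batch event, are taken as given there).

```powershell
# Added example: pre-flight checks before converting a federated domain to managed.
# Assumptions: MSOnline module loaded and connected; step 3 runs on the AD Connect server.
$DomainName = 'abc.xyz.com'               # placeholder: the verified domain to convert
$SampleUpn  = 'username@jaswant.xyz.com'  # placeholder: a directory-synced user to spot-check

# 1. The domain must be verified in the tenant; record its current authentication type.
$domain = Get-MsolDomain -DomainName $DomainName
if ($domain.Status -ne 'Verified') {
    throw "Domain $DomainName is not verified in this tenant (status: $($domain.Status))."
}
Write-Host "Domain $DomainName is currently $($domain.Authentication)."

# 2. Users must already be synced from on-premises AD. A synced object carries an
#    ImmutableId and a LastDirSyncTime; a cloud-only object would have neither.
$user = Get-MsolUser -UserPrincipalName $SampleUpn
if (-not $user.ImmutableId -or -not $user.LastDirSyncTime) {
    throw "$SampleUpn is not a directory-synced user; it would have no usable password after cutover."
}

# 3. On the AD Connect server: Password Hash Sync must be enabled and must have
#    completed recently, otherwise users lose sign-in the moment federation is dropped.
$features = Get-ADSyncAADCompanyFeature          # ADSync module, installed with AD Connect
if (-not $features.PasswordHashSync) {
    throw 'Password Hash Sync is disabled in AD Connect; enable it and confirm a successful cycle first.'
}
# Password sync logs to the Application log under the "Directory Synchronization" source;
# event 651 (assumed here to be the "sync batch finished" event) shows a completed batch.
$recent = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Directory Synchronization'
    Id           = 651
    StartTime    = (Get-Date).AddHours(-1)
} -MaxEvents 1 -ErrorAction SilentlyContinue
if (-not $recent) {
    throw 'No completed password sync batch in the last hour; investigate before cutover.'
}

# 4. All checks passed: convert the domain. Users with this UPN suffix are no longer
#    redirected to the federation server and authenticate directly against Azure AD.
Set-MsolDomainAuthentication -Authentication Managed -DomainName $DomainName
Write-Host "Domain $DomainName is now $((Get-MsolDomain -DomainName $DomainName).Authentication)."
```

Run steps 1, 2 and 4 from any machine with MSOnline connected and step 3 on the AD Connect server; if any throw fires, leave the domain federated until the cause is fixed.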