Clarification on Staged Rollout of Azure Pass-through Authentication

Andy Langton 1 Reputation point
2022-06-10T13:11:04.11+00:00

Hello, I am currently in the process of eventually migrating my organization off of ADFS onto Azure PTA and am following Microsoft's guide:

https://learn.microsoft.com/en-us/azure/active-directory/hybrid/migrate-from-federation-to-cloud-authentication

There are a couple of things that are not clear to me in the guide, if anyone has experience with them I would greatly appreciate any insight.

I currently have enabled PTA + Seamless SSO in Staged Rollout mode and have enabled it for a few of our users. I have checked the Azure sign-in logs for those users and I have verified that their sign-ins are now using PTA. I have PTA agents on two servers so far.

What is unclear to me in the document is in the section titled "using staged rollout": the next step in the guide after you have enabled Staged Rollout and tested it is to convert the domain to managed from federated using PowerShell. This means I would be skipping all of the Azure AD Connect config sections mentioned. Is this actually correct as the guide suggests? I think I would still need to perform the actions in "Option B", correct? Otherwise my Azure AD Connect server would never be configured to set the tenant to use pass-through authentication.

Ultimately I would like a PTA agent to be installed on my Azure AD Connect server. But based on that guide it looks like that is not going to happen. If I do make the changes in Azure AD Connect to enable pass-through authentication and Seamless SSO there, will that interfere with the PTA and Seamless SSO config that I have already done as part of the Staged Rollout setup?


1 answer

  1. Eric Woodruff 266 Reputation points
    2022-06-12T02:19:14.957+00:00

    The docs for staged rollout aren't entirely clear as they tend to leave that key piece of information out.

    If you re-configure within the Azure AD Connect server, that will alter the settings tenant-wide; once switched over to PTA via Azure AD Connect, you can just disable the Staged Rollout settings in your tenant.

    Usually, when you enter a UPN into the Azure AD sign-in screen, it evaluates the UPN suffix (@keyman.com) to determine how to route authentication for your password; this is also known as home-realm discovery (HRD). With Staged Rollout, instead your tenant evaluates the entire UPN, which is how it's able to send certain people to PTA and certain people still to AD FS.

    Once you re-configure your tenant in Azure AD Connect for PTA, regardless of whether users are in Staged Rollout or if it's all the rest of the users in the tenant (aside from cloud-sourced users), PTA will be the authentication mechanism regardless. After that change, you can just go disable the Staged Rollout for PTA in Azure AD; the entire tenant will be changed to just evaluate the UPN suffix (@keyman.com) for HRD and everyone will be using PTA.

    1 person found this answer helpful.
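The routing rule in the answer above (suffix-only HRD by default, whole-UPN evaluation while Staged Rollout is on, then suffix-only again once the domain is managed and rollout is switched off) is easier to reason about as a small model. The following Python is an added illustration, not Microsoft code and not taken from the thread: the `Tenant` class, `route_sign_in`, the route labels and the `contoso.com` / `contoso.onmicrosoft.com` sample accounts are all constructed for this model, and `convert_to_managed` and `disable_staged_rollout` only mimic the effect of the real PowerShell and portal steps on routing.

```python
"""Hypothetical model of home-realm discovery (HRD) during a Staged Rollout.

Added illustration, not Microsoft code. It encodes the routing rule from the
answer above: normally the tenant looks only at the UPN suffix to decide
between federation and cloud authentication; while Staged Rollout is enabled,
the whole UPN is checked first, so a user in the PTA rollout group goes to PTA
even though the domain is still federated.
"""
from dataclasses import dataclass, field

# Route labels chosen for this model; they are not Entra ID sign-in log strings.
FEDERATED = "Federation (AD FS)"
PTA = "Pass-through authentication"
CLOUD_ONLY = "Cloud-only account (cloud password)"


@dataclass
class Tenant:
    # domain suffix -> "Federated" or "Managed" (the state Get-MsolDomain reports)
    domains: dict
    # full UPNs of users placed in the PTA Staged Rollout group
    staged_rollout_pta: set = field(default_factory=set)
    # cloud-sourced users keep a cloud password and are not part of the rollout
    cloud_only_users: set = field(default_factory=set)
    # cloud sign-in method the tenant is configured for via Azure AD Connect
    managed_auth_method: str = PTA


def route_sign_in(tenant: Tenant, upn: str) -> str:
    """Return where the password for `upn` would be evaluated."""
    if "@" not in upn:
        raise ValueError("not a UPN: %r" % upn)
    upn = upn.lower()
    suffix = upn.rsplit("@", 1)[1]
    if upn in tenant.cloud_only_users:
        return CLOUD_ONLY
    if suffix not in tenant.domains:
        raise ValueError("suffix not verified in tenant: %s" % suffix)
    # Staged Rollout: the entire UPN is evaluated before the suffix.
    if upn in tenant.staged_rollout_pta:
        return PTA
    # Default HRD: only the suffix decides.
    if tenant.domains[suffix] == "Federated":
        return FEDERATED
    return tenant.managed_auth_method


def convert_to_managed(tenant: Tenant, domain: str) -> None:
    """Model of converting the domain from federated to managed (PowerShell step)."""
    tenant.domains[domain.lower()] = "Managed"


def disable_staged_rollout(tenant: Tenant) -> None:
    """Model of turning Staged Rollout off; HRD is back to suffix-only."""
    tenant.staged_rollout_pta.clear()


def build_tenant() -> Tenant:
    # Constructed sample tenant; contoso.com is a placeholder domain.
    return Tenant(
        domains={"contoso.com": "Federated", "contoso.onmicrosoft.com": "Managed"},
        staged_rollout_pta={"alice@contoso.com"},
        cloud_only_users={"carol@contoso.onmicrosoft.com"},
    )


def migration_walkthrough() -> dict:
    """Routing for three users before and after the cutover steps."""
    tenant = build_tenant()
    users = ["alice@contoso.com", "bob@contoso.com", "carol@contoso.onmicrosoft.com"]
    result = {"during_rollout": {u: route_sign_in(tenant, u) for u in users}}
    convert_to_managed(tenant, "contoso.com")  # step 1: domain to managed
    disable_staged_rollout(tenant)             # step 2: rollout no longer needed
    result["after_cutover"] = {u: route_sign_in(tenant, u) for u in users}
    return result


if __name__ == "__main__":
    for stage, routes in migration_walkthrough().items():
        print(stage)
        for upn, route in routes.items():
            print("  %-30s -> %s" % (upn, route))
```

Running it shows the point of the answer: during rollout only `alice` (in the group) is sent to PTA while `bob` still goes to AD FS, and after the domain is managed the group no longer matters, so dropping the Staged Rollout configuration changes nothing for either of them. If you want to check the real tenant rather than the model, the sign-in logs the question already mentions are the place to confirm per-user routing before and after each step.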