gopan asked:

Sharepoint 2016 changing authentication from ADFS to Azure AD

We have a SharePoint 2016 environment on-premise and we are changing from ADFS to Azure AD. After creating the Enterprise application in Azure AD, we configured the parameters on SharePoint, and while trying to log in, SharePoint says "You don't have permission to access the site".
We could add the users manually and then they can access the site, but is there any method to do auto-mapping of the profiles on ADFS to Azure AD, as we have some 600 users?
Azure AD has got all the users added.
Any help appreciated.

office-sharepoint-server-administration

We followed the same procedure listed below:
https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sharepoint-on-premises-tutorial...
Our aim is to have the on-premise SharePoint accessible for internal users with their UPN. Currently they are with ADFS and we need to change the authentication to Azure AD. Do we have to use Azure Active Directory Connect to sync the users so that they will have all the same privileges as their ADFS account? Do we have to create a sync connection with Azure AD on SharePoint on-premise?
Right now users can access if we add those users to SharePoint manually, but it's like adding a new user, so they will get a new profile with the Azure AD claim.
Kindly help to identify the right procedure.

trevorseward answered:

To migrate profiles from one identity provider to another, you would use Move-SPUser.


Move-SPUser will be better, as you said. It will retain the permissions too. Hope that will solve the issue.
Hope that can be used to convert the ADFS claim to the Azure AD claim for the users.
Have you got any article for the step-by-step document? If so, kindly forward or guide me.
I have the command, like below:

# "SITELINK", "adfs" and "azuread" are placeholders for the site URL and the
# encoded claim logins of the old (ADFS) and new (Azure AD) identity
$user = Get-SPUser -Web "SITELINK" -Identity "adfs"
Move-SPUser -Identity $user -NewAlias "azuread" -IgnoreSID

So it will change the claim, and hope for workflow and all previous access will remain the same as it will not change the SharePoint ID. Hope that will work.

Hope it will affect only the web application against which we are using Move-SPUser.
We have other web applications which will still use ADFS authentication.
Thanks & Regards
Gopan

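The following is an added example, not code from this thread, from Trevor's answer, or from Microsoft, of the bulk form of what the comment above sketches: every user in one web application whose login carries the ADFS claim prefix is moved to the equivalent Azure AD claim with Move-SPUser. It assumes the ADFS trusted provider is named "adfs", the Azure AD trusted provider is named "azureadtrust", and both use the e-mail address as the identifier claim, so SharePoint encodes the logins as i:05.t|<provider>|<email>; the web application URL is a placeholder. Check the exact encoded prefix on your farm first (Get-SPUser on a site where both kinds of user exist shows it) and run the script with $DryRun left at $true, which only reports what Move-SPUser would do.

```powershell
# Added example (not from the thread): bulk-move ADFS claim identities to
# Azure AD claim identities on one web application with Move-SPUser.
# Assumptions to adjust for your farm: ADFS provider "adfs", Azure AD provider
# "azureadtrust", e-mail identifier claim on both (prefix i:05.t|<provider>|).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$WebAppUrl = "https://sharepoint.contoso.local"   # placeholder web application URL
$OldPrefix = "i:05.t|adfs|"                        # encoded ADFS identity claim prefix
$NewPrefix = "i:05.t|azureadtrust|"                # encoded Azure AD identity claim prefix
$DryRun    = $true                                 # $true = report only (-WhatIf); $false = migrate
$LogPath   = ".\move-spuser-$(Get-Date -Format yyyyMMdd-HHmm).csv"

$results = @()
$webApp  = Get-SPWebApplication -Identity $WebAppUrl
foreach ($site in $webApp.Sites) {
    try {
        # The root web's user list holds every principal that was ever granted
        # access or assigned a task in that site collection.
        $adfsUsers = Get-SPUser -Web $site.RootWeb -Limit ALL |
            Where-Object { $_.UserLogin -like "$OldPrefix*" }

        foreach ($user in $adfsUsers) {
            # Same e-mail address, different provider: only the prefix changes.
            $newLogin = $NewPrefix + $user.UserLogin.Substring($OldPrefix.Length)
            $status = "planned"
            try {
                if ($DryRun) {
                    Move-SPUser -Identity $user -NewAlias $newLogin -IgnoreSID -WhatIf
                } else {
                    # -IgnoreSID is required: trusted-provider claims carry no Windows SID.
                    Move-SPUser -Identity $user -NewAlias $newLogin -IgnoreSID -Confirm:$false
                    $status = "moved"
                }
            } catch {
                $status = "failed: $($_.Exception.Message)"
            }
            $results += [pscustomobject]@{
                SiteCollection = $site.Url
                OldLogin       = $user.UserLogin
                NewLogin       = $newLogin
                Status         = $status
            }
        }
    } finally {
        $site.Dispose()   # SPSite objects hold unmanaged resources
    }
}

$results | Export-Csv -Path $LogPath -NoTypeInformation
Write-Host ("{0} user(s) processed; log written to {1}" -f $results.Count, $LogPath)
```

Two things to verify on a single test account before the bulk pass: Move-SPUser rewrites the login in the content databases (site users, permissions, task assignments), and that migration is performed by the farm rather than by the one web application the user object was fetched from, so a login that also exists in other web applications is changed there too; and the User Profile Service profile is a separate store, so whether the old profile follows the moved account depends on how profile import maps the new claim, which is worth confirming before assuming favourites and My Site settings will carry over.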

Tried Move-SPUser without profile sync from Azure AD.
After that, the Azure AD user can log in, but again it will be a new profile, as his old favourites settings changed when he logged on with the Azure AD profile, and he also cannot see his old tasks.


Tested again with Move-SPUser, but it's creating another profile, so the workflow tasks are not appearing (the old tasks which were created with the ADFS tasks). The -IgnoreSID flag will use the same ID after moving the user to a different identity provider, right?
Any help to solve the above?
In order to minimise the issues, can we use Convert-SPWebApplication?
Thanks & Regards
Gopakumar


Hi Trevor,

I am exactly in the same situation. I used Move-SPUser already, so users can log in to SP with their Azure AD account now. However, the new issue now is that when users try to share documents and search a name in the people picker, there are 3 items for each search:
1. the old one: i:0#.w|domain\username
2. a user: c:0-.t|azureadtrust|user name
3. a role: c:0-.t|azureadtrust|thomas

Is there any way to configure the people picker?

Thanks a lot!

itchsun-msft answered:

Hi @gopan

After establishing the connection between Azure AD and SharePoint, if users in Azure AD need to access SharePoint, they still need to be added.

You don't need to manually add users one by one; you just need to put all users in a group in Azure AD, and then add this group in SharePoint.

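As an added example of the group-based grant described in the answer above (not code from this thread or from Microsoft), the script below builds the claims principal for an Azure AD group and adds it to a SharePoint group with New-SPUser, so members of the Azure AD group get access without being added individually. It assumes the Azure AD trusted identity provider is named "azureadtrust" and that its claim mappings include the role claim type, which SharePoint encodes as c:0-.t|azureadtrust|<value> (the form visible in the people-picker comment earlier in this thread); the site URL, SharePoint group name and group claim value are placeholders. The check on the provider's claim mappings is there because SharePoint will happily store an encoded role claim that the provider never emits, in which case nobody gains access.

```powershell
# Added example (not from the thread): grant an Azure AD group access to a site
# by adding its role claim, encoded as a SharePoint claims principal, to a
# SharePoint group. Assumptions: provider "azureadtrust" with a role claim mapping.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$SiteUrl         = "https://sharepoint.contoso.local/sites/team"   # placeholder
$ProviderName    = "azureadtrust"                                   # trusted identity provider name
$GroupClaimValue = "00000000-0000-0000-0000-000000000000"           # placeholder: value Azure AD emits for the group (usually its object ID)
$SPGroupName     = "Team Members"                                   # placeholder SharePoint group
$RoleClaimType   = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

$trust = Get-SPTrustedIdentityTokenIssuer -Identity $ProviderName

# Fail early if the provider does not map the role claim type: the encoded
# principal would be accepted by SharePoint but never match a real token.
$roleMapping = $trust.ClaimTypeInformation | Where-Object { $_.InputClaimType -eq $RoleClaimType }
if (-not $roleMapping) {
    throw "Provider '$ProviderName' has no claim mapping for $RoleClaimType; add one with Add-SPClaimTypeMapping first."
}

# Build the claims principal for the group and look at its encoded form,
# which is what SharePoint stores in the site's user list.
$principal = New-SPClaimsPrincipal -ClaimType $RoleClaimType `
                                   -ClaimValue $GroupClaimValue `
                                   -TrustedIdentityTokenIssuer $trust
$encoded = $principal.ToEncodedString()    # e.g. c:0-.t|azureadtrust|<value>

# Add the group claim to the SharePoint group; members inherit its permissions.
New-SPUser -Web $SiteUrl -UserAlias $encoded -Group $SPGroupName
Write-Host "Added $encoded to SharePoint group '$SPGroupName' on $SiteUrl"
```

The same approach applies to the other web applications on the farm as long as they trust the same provider; what changes per site is only the SharePoint group and the group claim value. Note that this grants access, which is the point of the answer; it does not change an existing ADFS-claim user's identity, which is what Move-SPUser does.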

Yes, thanks for the reply/guidance. We could do it group-wise also, but the problem here is that the users were authenticated with ADFS before and they have their own tasks and workflows on their ADFS account, and their user profiles too. Once they are moved to Azure AD, all of the users are added with a new profile, and their old tasks which were with ADFS are not showing up on their profile.

Is there any way to map ADFS and Azure AD so that users will feel the same once they log in with their Azure AD account?
Thanks & Regards
Gopakumar


Could we do it like the one mentioned in the article below?
https://samlman.wordpress.com/2015/03/01/mapping-user-profiles-for-saml-users-with-an-ad-import-in-sharepoint-2013/
It's basically another user profile sync: sync the AAD users and map the account to be with the UPN.
Thanks & Regards
Gopakumar


Gone through articles and got some clues on achieving the above:

1. Convert-SPWebApplication: is that only to be used from Windows claims to another trusted provider, or can we use the same for the above-mentioned case?
2. AzureCP: believe this is only for people picker rectification?
3. New-SPClaimsPrincipal command to create a new claim for the existing users, but don't know whether it will change the existing ones or create a totally new profile for the user.
Searched for documents, but it is very difficult to get the steps.

We have 4 web applications and one My Site web application for all users, and all users are with ADFS now. Can we have the same My Site link which is linked to the ADFS profiles after changing to Azure AD?
Kindly advise.
Thanks & Regards
Gopakumar
