This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 69%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER7%3C/text%3E%3C/svg%3E)
We have federated Azure AD and are using PHS. I added cloudflare enterprise application, but when we login to that app user is getting redirected to on-prem ADFS. Should a user not get authenticated directly in Azure without being redirected to ADFS for an application registered in Azure. I can see the sign-in attempts under the enterprise application though.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 45%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJV%3C/text%3E%3C/svg%3E)
What is the username a user type? Is that domain still federated? For example, if user name is jai@Company portal .com and contoso.com is still federated, this could be one reason, user gets redirected to ADFS.
Run command - Get-MSOLFederationProperty and see if the domain still shows as federated.
@Jai Verma User type is member, and Domain is federated. If authentication request still has to reach on-prem adfs server after registering the application in Azure, how are we supposed to migrate applications 1 by 1 and use Azure AD as IDP.
The only option I can think of is adding users to the group under this option
Name Status Authentication
---- ------ --------------
contoso1.mail.onmicrosoft.com Verified Managed
contoso1.onmicrosoft.com Verified Managed
aab.contoso.com Verified Federated
abc.contoso.com Verified Federated
contoso.com Verified Federated
sdf.contoso.com Verified Federated
edc.contoso.com Verified Federated
qwe.contoso.com Verified Federated
qsc.contoso.com Verified Federated
qs.contoso.com Verified Federated
It is possible for an application de force a fresh authentication. In that case, that auth flow would go back all the way to ADFS.
Could you capture a Fiddler trace during one of these redirections?
@Pierre Audonnet - MSFT here is the fiddler trace. I am not sure what i need to specifically check. This test account is part of the SSPR enabled group but has not registered authentication methods which is why you will see mysign urls, as after authentication AzureAD asks for more information.
Need the query strings (URL parameters).
It depends ofcourse who your identity provider is with this new enterprise application. Contact the owner of the application and verify the SAML settings. It might be pointing to ADFS instead of Azure AD. And also, if your domain is federated and you have enabled password hash sync, the password hash sync will not be used until you convert the domain to a standard domain or use Azure AD staged roll-out.
@Mr Sbaa So salesforce is configured to uses single sign-on and the login is happening after we click the Azure tab at the login screen which redirects it to Microsoft login page customized with our logo and after entering the upn/email there it redirects to on-prem adfs.
Below is how single sign-on is configured on salesforce end.
So if understand you correctly I have 3 options
I can confirm last option works as my own account is part of staged roll-out but the test account is not. And I was expecting with enterprise app we would not need staged roll-out.
I don't know if federation/adfs has its uses after migration as that is not my area of expertise, but still it be good to know.
You understand it correctly now.
Microsoft recommends to move away from ADFS and use PHS or PTA. I would say stick to staged rollout + migrate your apps one-by-one for a smooth transition. Once you have no apps anymore linked to ADFS, you can convert your domain from federated to standard and decomission ADFS. Keep in mind that if you are not using AAD staged roll-out, password hash sync will only be used as fallback and that any user authenticating will always go to ADFS first because your domain is federated.
@Pierre Audonnet - MSFT thanks for editing the screenshot. Here is the screenshot from claims x ray. But I made a change before I tested this even for salesforce. I removed the test account from the group included under password reset. And I don't see redirection happening to on-prem adfs any more. So does that mean because the test account is part of this group it is being forced to reauthenticate.
Also i see we have a group with few users under password hash sync for staged roll out but there is none under single sign-on
