Azure AD Connect / ADFS – You can now stage your migration from AD FS (preview)

When you are moving to cloud services (in this case Office 365 and/or Azure Active Directory/Azure) and away from federated authentication services (AD FS, Okta…) to cloud authentication, it is important that the authentication process keeps working seamlessly for your users during the transition.

This means you need to be able to test and validate the process.

Until now, this was quite a sensitive and delicate process, but now you can stage your migration away from the federated authentication services.

To start, you of course need to use Azure AD Connect to sync your directory (it should hopefully already be in place) and to enable either Password Hash Sync (PHS) with Seamless SSO or Pass-through Authentication (PTA) with Seamless SSO (additionally, you may also have set up your company branding, Self-Service Password Reset (SSPR) and MFA registration).

You also need at least one group of users which will be used to target the rollout.

You will then need to use the Azure AD 2.0 Preview PowerShell module (available and, for the PTA option only, the Azure AD Connect Authentication Agent ( deployed on at least one Windows Server 2012 R2 or later.

Then you need to log on to your Azure portal ( or Azure Active Directory portal ( to reach the Azure Active Directory\Azure AD Connect blade.


There you will see a new option called STAGED ROLLOUT OF CLOUD AUTHENTICATION, which you will need to enable.

You will have to turn on either the PTA or the PHS option – do not enable both – then select the group(s) (up to 10 groups) of users you want to include in the staged rollout, and enable the Seamless SSO option.

The selection of the group(s) only becomes available after you have successfully enabled one of the options.


When you turn on either of the options, you will be asked to confirm the operation.


For the PTA option, the system will validate that at least one Authentication Agent has been successfully registered; otherwise enabling it will fail.


At this stage you are ready to stage your rollout: only users who are members of the selected group(s) will now use cloud authentication, while all other users will continue to authenticate through the federation services.
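The same staged rollout can be scripted with the AzureADPreview module mentioned above instead of the portal. This is an added example, not code from the original post; the pilot group name and policy display names are assumed, and the script enforces the two constraints the post calls out (never PTA and PHS at the same time, at most 10 target groups).

```powershell
# Added example (not from the original post): stage cloud authentication for a pilot group.
# Assumptions: the pilot group name below exists; cmdlets are from the AzureADPreview module.
Import-Module AzureADPreview
Connect-AzureAD | Out-Null

$PilotGroupName = 'Cloud-Auth-Pilot'   # assumed pilot group name
$Feature        = 'passwordHashSync'   # or 'passthroughAuthentication' - never both at once

# Guard 1: the post says PTA and PHS must not both be staged; refuse if the other one is enabled.
$existing = Get-AzureADMSFeatureRolloutPolicy
$other = if ($Feature -eq 'passwordHashSync') { 'passthroughAuthentication' } else { 'passwordHashSync' }
if ($existing | Where-Object { $_.Feature -eq $other -and $_.IsEnabled }) {
    throw "A staged rollout for $other is already enabled; disable it before staging $Feature."
}

# Reuse an existing rollout policy for this feature, or create one (display name is assumed).
$policy = $existing | Where-Object { $_.Feature -eq $Feature } | Select-Object -First 1
if (-not $policy) {
    $policy = New-AzureADMSFeatureRolloutPolicy -Feature $Feature `
        -DisplayName "Staged rollout - $Feature" -IsEnabled $true
}

# Resolve the pilot group; fail closed rather than targeting nothing.
$group = Get-AzureADGroup -SearchString $PilotGroupName | Select-Object -First 1
if (-not $group) { throw "Pilot group '$PilotGroupName' not found." }

# Guard 2: at most 10 groups per rollout (AppliesTo is assumed to hold the current targets).
$targets = @((Get-AzureADMSFeatureRolloutPolicy -Id $policy.Id).AppliesTo)
if ($targets.Count -ge 10) { throw "Policy already targets 10 groups, which is the limit." }
if ($targets.Id -notcontains $group.ObjectId) {
    Add-AzureADMSFeatureRolloutPolicyDirectoryObject -Id $policy.Id -RefObjectId $group.ObjectId
}

# Seamless SSO is a separate rollout feature; target the same pilot group with it.
$sso = $existing | Where-Object { $_.Feature -eq 'seamlessSso' } | Select-Object -First 1
if (-not $sso) {
    $sso = New-AzureADMSFeatureRolloutPolicy -Feature seamlessSso `
        -DisplayName 'Staged rollout - seamlessSso' -IsEnabled $true
}
Add-AzureADMSFeatureRolloutPolicyDirectoryObject -Id $sso.Id -RefObjectId $group.ObjectId

# Review what is now staged before telling the pilot users.
Get-AzureADMSFeatureRolloutPolicy | Select-Object Feature, IsEnabled, DisplayName
```

Run it under an account with the rights to manage rollout policies, and for PTA only after at least one Authentication Agent is registered, as the post notes.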

Benoit Hamet

Benoit is working on Microsoft collaborative technologies. He has been awarded MVP for more than 12 years: currently MVP on Office 365, after being awarded on SharePoint (2011-2012) and Windows client & server (2002-2007). He is a speaker at various Microsoft events (TechDays, TechNet seminars) and Quest Software events. He works on on-premises (Active Directory, RADIUS/NPS, Exchange, Skype for Business, SharePoint, SQL, Terminal Server, Windows client and Windows Server) and online (Azure, Intune, Office 365, Exchange Online, SharePoint Online, Skype for Business Online, Teams) technologies.