Since pass-through authentication (PTA) is generally available and its major limitations are gone, I decided to change the Azure AD authentication against my local AD from ADFS to pass-through authentication, as provided with Azure AD Connect.
For those who are not that familiar with the concept of pass-through authentication, the Microsoft article "How it works" contains all the information. The picture below is taken from this article as well.
After a long time with ADFS, which I kept because of the enhanced SSO experience for on-premises users, I wanted to get rid of ADFS as soon as it could be replaced. Below are the steps I took to get from ADFS to pass-through authentication.
I started on a new server, because I wanted to install Azure AD Connect from scratch. With the staging mode option you can install and configure the synchronization engine before it starts exporting any changes. So I prepared the new Azure AD Connect server with the following options:
With this I was ready for the cut-over. Be aware that the next step can cause an outage in the login experience of the users, because all users need to be converted from federated to standard (managed) authentication.
It only requires two PowerShell commands, but again: plan this well, and do not run these commands within business hours.
After connecting to the Azure AD tenant (Connect-MsolService), the first PowerShell command sets the ADFS context to the ADFS farm in use, since we run the commands on the new Azure AD Connect server and not on the ADFS server itself. The conversion in the next step also removes the relying party trust from that farm, which is why the cmdlets need to reach it:
Set-MsolADFSContext -Computer hosebeiewms01.deheim.hosebei.ch
The second command converts the federated domain to a standard (managed) domain, on which password hash synchronization or pass-through authentication can be used. The execution time of this command depends on the number of users that need to be converted. In a project last year, it took about 4 hours to convert 2400 users. If you plan a large migration, I recommend contacting Microsoft to check options for reducing this time.
Convert-MsolDomainToStandard -DomainName hosebei.ch -SkipUserConversion $false -PasswordFile C:\temp\passwords.txt
The generated password file is valid in the sense that the passwords it contains are set in Azure AD, but they are not used as long as pass-through authentication is configured. Note that the file holds temporary passwords in cleartext, so protect and remove it accordingly:
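The complete cut-over as one script, added here as an example and not the author's original commands: it wraps the two cmdlets above with the tenant connection, a pre-check that the domain is actually federated, a count of the users that will be affected, a post-check that the domain is now managed, and an optional cleanup of the password file. The domain, ADFS host and file path are the author's values from above; the MSOnline module, execution on the Azure AD Connect server and the -DeletePasswordFile switch are assumptions of this example.

```powershell
#Requires -Modules MSOnline
# Added example (not the blog author's script). Assumes the MSOnline module is installed and that
# the script runs on the Azure AD Connect server, as in the post. Values are the post's examples.
param(
    [string]$Domain       = 'hosebei.ch',
    [string]$AdfsServer   = 'hosebeiewms01.deheim.hosebei.ch',
    [string]$PasswordFile = 'C:\temp\passwords.txt',
    [switch]$DeletePasswordFile   # hypothetical switch: remove the cleartext file after conversion
)

# Connect to the tenant (prompts for a Global Administrator credential).
Connect-MsolService

# Pre-check: Convert-MsolDomainToStandard only makes sense for a federated domain,
# and every user with this UPN suffix is affected by the cut-over.
$before = Get-MsolDomain -DomainName $Domain
if ($before.Authentication -ne 'Federated') {
    throw "Domain $Domain is '$($before.Authentication)', not Federated; nothing to convert."
}
$affected = Get-MsolUser -All | Where-Object { $_.UserPrincipalName -like "*@$Domain" }
Write-Host ("Converting {0} users with UPN suffix {1}; plan for hours, not minutes." -f $affected.Count, $Domain)

# Step 1: point the MSOnline module at the ADFS farm. Needed because the cmdlets run here,
# not on the ADFS server, and the conversion also removes the relying party trust there.
Set-MsolADFSContext -Computer $AdfsServer

# Step 2: federated -> managed. Each converted user gets a temporary password written to $PasswordFile.
Convert-MsolDomainToStandard -DomainName $Domain -SkipUserConversion $false -PasswordFile $PasswordFile

# Post-check: the domain must now be Managed, otherwise PTA/PHS sign-in will not work.
$after = Get-MsolDomain -DomainName $Domain
if ($after.Authentication -ne 'Managed') {
    throw "Domain $Domain is still '$($after.Authentication)'; conversion did not complete."
}
Write-Host "Domain $Domain is now Managed; pass-through authentication handles sign-in."

# The password file holds cleartext temporary passwords that PTA never uses. Restrict access to it
# and delete it once sign-in is verified, or delete it right away with -DeletePasswordFile.
if ($DeletePasswordFile -and (Test-Path -Path $PasswordFile)) {
    Remove-Item -Path $PasswordFile -Force
    Write-Host "Removed $PasswordFile"
}
```

Run it once, outside business hours, after the staging-mode server has been configured for pass-through authentication; the pre-check stops it harmlessly if the domain was already converted, and the post-check turns a silently incomplete conversion into a visible error before users start calling.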
Afterwards I was able to log in immediately with pass-through authentication and was no longer redirected to my lovely ADFS page. However, I had to re-authenticate in services like OneDrive for Business, the mail client on my smartphone, and so on.
I highly recommend taking full advantage of pass-through authentication by increasing the redundancy of the setup and installing additional connectors. You can download additional connectors with a click on "Pass-through authentication" in the Azure portal (see screenshot above).
For more information about security, see the "Azure Active Directory Pass-through Authentication security deep dive" article.
4 thoughts on “Azure AD – Change from ADFS to pass-through Authentication”
Is there a way to do this one user at a time, as we want to test it before going live?
No, as far as I know, because you need to end the federation for a whole UPN suffix in order to change.
But you can test it with another UPN than your productive one; that might help?
You could have configured the new Azure AD Connect server to use ADFS again, and then changed the user sign-in to Pass-through Authentication. It would have removed the need to convert the domain to Standard manually or to set the ADFS context, no?
If using Passthrough Authentication, can’t you skip the password part?
Yes, if you do the change with Azure AD Connect, the password part is obsolete.