Since pass-through Authentication is GA and the major limitations are gone, I decided to change my Azure AD authentication against my local AD from ADFS to pass-through provided with Azure AD Connect.
For those who are not that familiar with the concept of pass-through authentication, on this Microsoft Article “How it works”, you will find all the information. The picture below is from this article as well.
After a long time with ADFS, because of the enhanced SSO experience for On-Premise users, I wanted to get rid of ADFS, as soon as it can be replaced. See the following steps I’ve done to get from ADFS to Pass-Through authentication.
I started on a new Server, because I wanted to install Azure AD Connect from scratch. With the Staging Mode option, you have the opportunity to install and configure your synchronization engine before it starts its engines. So I prepared the new Azure AD Connect Server with the following Options:
With this, I was ready for the cut-over, be aware the next step can bring some outage to the login experience of the users! This is due to the fact, that all users need to be converted from federated to standard.
It only requires two powershell commands, but again plan this well, and don’t use this commands within business hours.
After connecting to the Azure AD tenant, the first powershell command required is to set the ADFS context to the used ADFS Farm, since we run the command on the new Azure AD Connect Server:
Set-MsolADFSContext -Computer hosebeiewms01.deheim.hosebei.ch
The second command will convert the federated domain to a standard domain, where the password synchronization or the pass-through feature can be used. The execution time of this command really depends on the amount of users, that needs to be converted. Within a project last year, it took about 4 hours to convert 2400 users. If you plan a huge migration, I would recommend to get in contact with Microsoft to check options for reduce the amount of time.
Convert-MsolDomainToStandard -DomainName hosebei.ch -SkipUserConversion $false -PasswordFile C:\temp\passwords.txt
Afterwards, I was able to login immediately with pass-through Authentication and was not redirected to my lovely ADFS Page. But I was required to reauthenticate on services like OneDrive for Business, my Mail Client on the SmartPhone and so on.
I highly recommend to use the full advantage of pass-though authentication by easily increase the redundancy of the server and installing more connectors. You can download additional connectors by a click on “Pass-through authentication” within the Azure Portal (see screenshot above).
For more information about security, see this “Azure Active Directory Pass-through Authentication security deep dive” Article.