Are you ready to switch to single sign-on (SSO) for Azure Active Directory (AD)? Do you want to avoid the hassles of federated authentication for Microsoft 365? Not sure whether you should switch over your whole business at once? The Azure AD staged rollout for cloud authentication could be the answer.

Moving Your Environment to Azure Active Directory (AD) SSO

Azure Active Directory Single Sign-On (SSO) and Azure multi-factor authentication (MFA) are available at all tiers, including the free tier (with some restrictions). Microsoft Azure Active Directory is a mature SSO platform that can be integrated with almost any SAML or OIDC relying party. Even if you use another IdP (through federated authentication, for example) to log in to Microsoft 365, Azure AD can still be the IdP for your other relying parties. Compared with the prices of other commercial SSO providers, or the resources needed to run an open-source SSO platform, Azure AD SSO is very competitively priced.

It’s not easy to switch to a different SSO platform. Most applications do not support using multiple identity providers at the same time. The move may also involve switching to a new MFA provider that the new IdP already supports (e.g., Azure MFA with Azure AD SSO). Most people in your organisation probably use an organisation-wide app like Office 365, so changing everything about how your users log in at once will significantly affect them.

Even though Azure AD SSO will save you money and time in the long run, the enormous amount of preparation work and the need for a lift-and-shift cutover might put you off switching SSO providers. Luckily, Azure Active Directory has a feature called “staged rollout” that makes this move much easier.

Azure Active Directory Staged Rollout

With a staged rollout, you can turn off federated authentication for part of your Azure AD tenant and use either password hash sync or pass-through authentication for those users. This lets you test Azure AD SSO with Office 365 (and any other apps you register with Azure AD) on a smaller group of your organisation’s users. Before switching over more users, try Azure AD SSO with all its features, such as Azure MFA, Conditional Access, and Identity Governance.

To take this pilot programme to the next level, you can use a staged rollout in which users are moved in waves. There may be applications at your company that only a few employees use. To gradually increase the number of users who rely solely on Azure AD SSO, register such applications in Azure AD and then add those applications’ user populations to the staged rollout. It’s important to remember that staged rollout works on a per-user basis, not a per-app basis: once a user is in a staged rollout group, every Azure AD-integrated app that user signs in to will authenticate through Azure AD rather than the old IdP.

Using a staged rollout with smaller application populations, you can also enrol those smaller groups of users in Azure MFA straight away. With this method, the changes that need to be made are easy to manage.

Deploying Staged Rollout

First, you must set up Azure AD Connect for password hash sync, or deploy the Azure AD Connect Authentication Agent for pass-through authentication. This task is the same as if you wanted to switch your whole tenant at once. But leave the user sign-in method configured in Azure AD Connect unchanged (federated) for now.

Next, you need to decide which population(s) you want to switch to native cloud authentication first. A staged rollout can work with up to 10 security groups. Each group can have up to 50,000 members, but a group must contain no more than 200 members when you first add it to the staged rollout; you can add more members afterwards. Nested and dynamic groups are not supported. The bulk import feature in Azure Active Directory makes it easy to add a list of users to a group.

If you have many Azure AD domains, you may want to divide the groups by domain, with each domain forming one population for testing native Azure AD SSO. It’s important to remember that you can switch some domains to managed/cloud authentication entirely while keeping the other domains on a staged rollout.

Enable staged rollout

  • In the Azure AD Admin Center, click Azure AD Connect, then choose “Enable staged rollout for managed user sign-in.”
  • Click the switch to turn on Password Hash Sync or Pass-through Authentication.
  • You can only choose one or the other; you can’t run both modes at the same time.

Add the groups

  • To add the groups you made, click “Manage groups” and then “Add groups.”
  • You should see a message in the upper right corner that the groups were successfully added.
  • If more than 200 people need to be in the rollout group, return to Azure Active Directory Groups and add the others after the group has been added to the rollout.

Wait a few moments. According to Microsoft’s documentation, this change could take up to 24 hours to take effect. However, once the group is in the rollout, newly added members take effect immediately.

Try using an account from the staged rollout group to log in to a site like myapps.microsoft.com in a new browser session. You should see the standard Azure AD login page instead of the screen for your old IdP.

The Sign-in logs section is useful if you want to know what happened when each user logged in: for instance, was the authentication done through an external IdP, password hash sync, or pass-through authentication? Adding the “Incoming Token Type” column lets you see whether a user got the federated experience or native cloud authentication.

Note: Your old IdP may have enforced controls outside of Azure AD and Microsoft 365, such as its own MFA or restrictions on login locations. Any of these rules will need to be recreated as Conditional Access policies in Azure Active Directory before the affected users are moved.

Entirely Disabling Federated Authentication

When you have migrated enough users to Azure AD SSO, you will switch the domain from staged rollout plus federated authentication to full password hash sync or pass-through authentication. When choosing the cutover threshold, remember that any remaining users may be asked to register for Azure MFA (depending on your policies) and will need to sign in again to their Office 365 apps. But at this point, the staged rollout has already brought most of your users to the final state.
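Before running the cutover command, it helps to know how many users in the domain are still outside the staged rollout groups, since they are the ones who will be signed out and possibly prompted for MFA registration. The following MSOnline script is an added example, not part of the original article; it assumes the MSOnline module is installed, Connect-MsolService has already been run, and the group names are placeholders for your own rollout groups.

```powershell
# Added example: estimate the impact of converting a domain to Managed authentication.
# Assumes: MSOnline module loaded and Connect-MsolService already run (not shown).
$Domain        = 'techomsystems.com.au'                       # domain being cut over
$RolloutGroups = @('SSO-Pilot-Wave1', 'SSO-Pilot-Wave2')      # placeholder group names

# 1. Current authentication type of every verified domain in the tenant
Get-MsolDomain | Select-Object Name, Authentication, Status | Format-Table -AutoSize

# 2. Collect the ObjectIds of everyone already in a staged rollout group
$inRollout = @{}
foreach ($name in $RolloutGroups) {
    $grp = Get-MsolGroup -SearchString $name | Select-Object -First 1
    if (-not $grp) { Write-Warning "Group '$name' not found"; continue }
    Get-MsolGroupMember -GroupObjectId $grp.ObjectId -All |
        ForEach-Object { $inRollout[$_.ObjectId.ToString()] = $true }
}

# 3. Enabled users in the domain who are NOT yet on cloud authentication:
#    these accounts will be re-prompted to sign in when the domain is converted
$domainUsers = @(Get-MsolUser -All |
    Where-Object { $_.UserPrincipalName -like "*@$Domain" -and -not $_.BlockCredential })
$remaining = @($domainUsers | Where-Object { -not $inRollout.ContainsKey($_.ObjectId.ToString()) })

'{0} enabled users in {1}: {2} already in staged rollout, {3} will be affected by cutover' -f `
    $domainUsers.Count, $Domain, ($domainUsers.Count - $remaining.Count), $remaining.Count
$remaining | Select-Object UserPrincipalName, DisplayName | Sort-Object UserPrincipalName

# 4. Only after reviewing the list above, convert the domain (the article's cutover step):
# Set-MsolDomainAuthentication -DomainName $Domain -Authentication Managed
```

Run it with the conversion line still commented out; if the “will be affected” count is higher than you expected, add those users to a rollout group first and re-run.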

Set-MsolDomainAuthentication -DomainName techomsystems.com.au -Authentication Managed

Note: This change may take up to 24 hours to be fully in place (although, in practice, we have seen it take only a few hours). Any users already in the staged rollout are already using managed authentication and won’t notice any change, which is another good reason to use staged rollout as widely as possible. You can confirm the change worked by selecting Azure Active Directory Connect in the Azure AD portal or by running the following PowerShell command and checking that the Authentication property reads Managed:

Get-MsolDomain -DomainName techomsystems.com.au

Note: You don’t have to move all your domains at the same time. After moving one or more domains to cloud authentication, you can still use staged rollout.

Once all domains have been moved, just go back to the Azure AD portal and turn off staged rollout in Azure AD Connect.

Make Azure Active Directory Cloud Authentication a Reality

Staged rollout makes the change to Azure AD SSO a lot easier. It lowers your risk by giving you a gradual rollout you can test, instead of a big-bang switch that either works or doesn’t. With staged rollout, you have a repeatable process for moving apps and users in smaller groups that are easier to handle, so app migrations no longer seem like an impossible task with no place to start.

Our solutions experts at TOS are ready to help if this project still seems too big to handle on your own, or if you just need a second pair of eyes during the planning stage. TECHOM Systems has the business and technical knowledge you need to migrate from Active Directory Federation Services to Azure AD SSO, or to rebuild your login experience from scratch.

We’ll show you how to plan and do everything you need to make Azure AD cloud authentication work for your organisation.

Call us at +61 3 9005 6868 and email our experts at hello@techomsystems.com.au today!