Migrate from AD FS to Microsoft Azure Active Directory for identity management

The Microsoft 365 cloud environment benefits from an extensive monitoring and security infrastructure. Machine learning and human analysis applied across worldwide traffic can rapidly detect attacks and let you reconfigure almost in real time.

For all types of migrations, the following AD FS scenarios can’t be migrated to Azure AD.

  • Custom attribute store to retrieve additional claims from LDAP and SQL
  • Non-Microsoft MFA provider integrated with AD FS
  • Non-Microsoft Mobile Device Management (MDM) integrated with AD FS
  • Non-persistent virtual desktop infrastructure (VDI) with Windows 11
  • Windows Hello for Business in certificate authentication mode
  • Azure AD Cloud Sync with hybrid Azure AD join
  • Dual-federation (for example, Azure commercial and Azure China 21Vianet)
  • Sign-in with SamAccountName or EmployeeID

For staged rollouts (migrating a small group), the following configurations are unsupported.

  • Legacy authentication, such as POP3 and SMTP
  • Nested groups, dynamic groups, and groups that contain contact objects
  • Applications that include the “domain_hint” attribute
  • Windows 10 version 1903 or older, for either hybrid Azure AD join or Azure AD join, when the user has a non-routable UPN
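A pre-flight check for the staged rollout pilot group, added here as an example and not part of the original page: it flags the unsupported cases listed above (nested groups, contact objects, a dynamic cloud group, and users whose UPN suffix is not a verified, routable domain). It assumes the RSAT ActiveDirectory and Microsoft.Graph modules are installed and an existing Connect-MgGraph session; the group and domain names are placeholders.

```powershell
# Added example (not Microsoft's code): inspect a pilot group before using it
# for an Azure AD staged rollout. Requires RSAT ActiveDirectory and
# Microsoft.Graph; group and domain names below are placeholders.
Import-Module ActiveDirectory

function Test-StagedRolloutGroup {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        # Verified tenant domains (placeholder values; replace with your own)
        [string[]] $VerifiedDomains = @('contoso.com', 'contoso.onmicrosoft.com')
    )
    # Read the raw member DNs so contacts and nested groups are not filtered out
    $group    = Get-ADGroup -Identity $GroupName -Properties member
    $findings = [System.Collections.Generic.List[object]]::new()

    foreach ($dn in $group.member) {
        $obj = Get-ADObject -Identity $dn -Properties objectClass, userPrincipalName
        switch ($obj.ObjectClass) {
            'group'   { $findings.Add([pscustomobject]@{ Member = $dn; Issue = 'Nested group' }) }
            'contact' { $findings.Add([pscustomobject]@{ Member = $dn; Issue = 'Contact object' }) }
            'user'    {
                # A missing UPN or a suffix that is not a verified domain (e.g. .local)
                # cannot be matched to a cloud identity for the rollout
                $suffix = ($obj.userPrincipalName -split '@')[-1]
                if (-not $obj.userPrincipalName -or $VerifiedDomains -notcontains $suffix) {
                    $findings.Add([pscustomobject]@{ Member = $dn; Issue = "Non-routable UPN suffix '$suffix'" })
                }
            }
        }
    }
    return $findings
}

function Test-CloudGroupIsDynamic {
    # Staged rollout needs a static group; check the cloud-side group type
    param([Parameter(Mandatory)] [string] $DisplayName)
    $cloudGroup = Get-MgGroup -Filter "displayName eq '$DisplayName'" -Property GroupTypes
    return [bool]($cloudGroup.GroupTypes -contains 'DynamicMembership')
}

$pilot = 'StagedRolloutPilot'   # placeholder group name
Test-StagedRolloutGroup -GroupName $pilot | Format-Table -AutoSize
if (Test-CloudGroupIsDynamic -DisplayName $pilot) {
    Write-Warning "$pilot is a dynamic group in Azure AD; staged rollout requires a static group."
}
```

An empty result from Test-StagedRolloutGroup and a non-dynamic cloud group mean the pilot group clears the membership-related checks above; legacy authentication and domain_hint usage still need to be reviewed separately.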

What to expect

To get custom guidance for migrating to Azure AD, you’ll first answer a few questions about your Active Directory Federation Services (AD FS) infrastructure. Then you implement either pass-through authentication (PTA) or password hash sync (PHS) to give users a streamlined experience when accessing your org’s apps.
