Staged ADFS Migration to Cloud Authentication (Azure AD)

This feature allows you to test cloud authentication and migrate gradually from federated authentication.

When using high available cloud services you don’t want to rely on your on premises ADFS environment for authentication.

The authentication process needs to work seamlessly when you are moving away from federated authentication to cloud authentication.

To test and validate the “staged move from ADFS to cloud authentication” scenario was an almost impossible process.

Nowadays Azure helps you with a recently introduced option named : Staged Rollout of Cloud Authentication.

This allows you to do a staged rollout of Cloud authentication.

What you need :

  • Azure AD Connect and choose between :
    • Password Hash Sync (PHS) with Seamless SSO or
    • Pass-through-Authentication (PTA) with Seamless SSO
  • Azure AD User group with the members you want to test the rollout

To check you current config of AAD connect just start AADConnect and check your current config :

In the screenshot PHS is enabled.

To Setup this new feature,

Start your webbrowser and logon to your Azure Active Directory portal (

choose Groups and Create a New AzureAD Group (for example AzureAD-StageRollout-CloudAuth.).

Add your test users to this group. 

Choose Azure Active Directory and then the Azure AD Connect blade


Click on the link Enable staged rollout for managed user sign-in (Preview) which will bring you to the page where you can enable the feature.

In my case I’m enabling the Password Hash Sync option.

Then select the previously created test group you want to enable the staged rollout. Max of 10 groups is allowed.

  • You will have to choose between either the PTA or the PHS option. You must not enable both options.
  • The maximum number of users in the initial configuration is 200 users. You can add additional users afterwards. For best results, validate in batches of 1,000 users.
  • Dynamic and nested groups are not supported for staged rollout.

Select the group :

Apply and Save and you’re done and ready to test.

This feature is intended to help you transition from federation to cloud authentication. When your transition is complete, please change the tenant wide authentication method to cloud authentication. Learn more :

Microsoft documentation can be found here :

See the source image

Leave a Reply

Your email address will not be published. Required fields are marked *