Migrate from ADFS to Password Hash Sync with Azure AD Connect

  • Published 6 Jul 2021
  • Migrate from ADFS to Password Hash Sync with Azure AD Connect.
    In this video, we are going to migrate from ADFS to Password Hash Synchronization for single sign-on. Our users will then log in directly to Office 365 and Azure AD, and we won't have to maintain the ADFS servers and Web Application Proxy servers.
    This is the high-level view of the objectives that are in scope for this project.
    1) Evaluate the environment.
    2) Set permissions on the service account to perform password hash sync.
    3) Enable Password Hash Synchronization.
    4) Prepare for Seamless SSO.
    5) Change sign-in method from ADFS to Password Hash Synchronization.
    6) Test Single Sign-on with Password Hash Sync.
    Migrate from federation to password hash synchronization for Azure Active Directory
    docs.microsoft.com/en-us/azur...
    Azure Active Directory Seamless Single Sign-On: Quickstart
    docs.microsoft.com/en-us/azur...
    From ADFS to Password Hash Sync and Seamless SSO
    samilamppu.com/2019/01/04/fro...
    Azure AD Connect - Change ADDS Connector Account
    samilamppu.com/2018/11/15/azu...
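    The following PowerShell is an added example for this page, not code from the video or its author. It covers step 1 (evaluate the environment) and the "record the original state" advice the author gives in the comments: it captures which verified domains are still Federated, whether password hash sync is on at both the tenant and the Azure AD Connect server, and writes that to a JSON snapshot, then lists anything that should block step 5. Assumptions not stated on the page: the MSOnline module is installed, the ADSync module is the one shipped with Azure AD Connect, the property names read from Get-MsolCompanyInformation and Get-ADSyncAADCompanyFeature are as shown, and the snapshot path and JSON layout are this example's own choice.

```powershell
# Added example (not from the video or its author): capture the sign-in state before and
# after an ADFS -> Password Hash Sync cutover and check for blockers. Run on the Azure AD
# Connect server with an account that can read tenant domain settings.
#
# Assumptions (not on the page): MSOnline module installed; ADSync module present (it ships
# with Azure AD Connect); the property names below exist on the returned objects; the
# snapshot path and JSON layout are this example's own choice.

Import-Module MSOnline -ErrorAction Stop
Import-Module ADSync   -ErrorAction Stop

function Get-SignInMigrationState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SnapshotPath   # e.g. C:\Temp\signin-before.json
    )

    Connect-MsolService   # interactive sign-in; prompts for credentials

    # Step 1: which verified domains still authenticate through ADFS (Federated)
    # and which are already Managed (PHS or PTA)?
    $domains = Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' }

    # Tenant view: is directory sync on, is password hash sync on, when did a hash last arrive?
    $company = Get-MsolCompanyInformation

    # Connect-server view: the PHS feature flag and whether the sync scheduler is running.
    $feature   = Get-ADSyncAADCompanyFeature
    $scheduler = Get-ADSyncScheduler

    $state = [pscustomobject]@{
        CapturedAtUtc        = (Get-Date).ToUniversalTime().ToString('o')
        FederatedDomains     = @($domains | Where-Object { $_.Authentication -eq 'Federated' } | ForEach-Object { $_.Name })
        ManagedDomains       = @($domains | Where-Object { $_.Authentication -eq 'Managed' }   | ForEach-Object { $_.Name })
        DirSyncEnabled       = [bool]$company.DirectorySynchronizationEnabled
        TenantPhsEnabled     = [bool]$company.PasswordSynchronizationEnabled
        LastPasswordSyncTime = $company.LastPasswordSyncTime
        ConnectPhsFeature    = [bool]$feature.PasswordHashSync
        SyncCycleEnabled     = [bool]$scheduler.SyncCycleEnabled
    }

    # Persist the snapshot. Running the same function after the cutover gives the "after"
    # record; the two files document exactly what changed for the change ticket.
    $state | ConvertTo-Json -Depth 4 | Set-Content -Path $SnapshotPath -Encoding UTF8
    return $state
}

function Test-PasswordHashSyncReadiness {
    # Returns the blockers found in a captured state; an empty list means the
    # sign-in method switch (step 5) can proceed.
    param([Parameter(Mandatory)] $State)

    $problems = @()
    if (-not $State.DirSyncEnabled)    { $problems += 'Directory synchronization is not enabled for the tenant' }
    if (-not $State.TenantPhsEnabled)  { $problems += 'Tenant reports PasswordSynchronizationEnabled = False' }
    if (-not $State.ConnectPhsFeature) { $problems += 'Azure AD Connect has the PasswordHashSync feature turned off' }
    if (-not $State.SyncCycleEnabled)  { $problems += 'The sync scheduler is disabled; hashes will not flow' }
    if (-not $State.LastPasswordSyncTime) {
        $problems += 'No password hash has ever synced; enable PHS (step 3) and let a sync cycle complete first'
    } elseif ($State.LastPasswordSyncTime -lt (Get-Date).AddHours(-3)) {
        $problems += "Last password hash sync was $($State.LastPasswordSyncTime); hashes may be stale"
    }
    if ($State.FederatedDomains.Count -gt 1) {
        # The warning the author describes in the comments: the wizard converts every
        # federated domain to Managed at once, so a mixed estate needs a decision first.
        $problems += "More than one federated domain ($($State.FederatedDomains -join ', ')); all will become Managed"
    }
    return ,$problems
}

# Usage: capture the "before" state, then warn loudly if the cutover should not proceed.
$before   = Get-SignInMigrationState -SnapshotPath 'C:\Temp\signin-before.json'
$blockers = Test-PasswordHashSyncReadiness -State $before
if ($blockers.Count) {
    $blockers | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host 'Ready for step 5: switch the sign-in method to Password Hash Synchronization.'
}
```

    Run the capture a second time after step 6 (testing sign-on) with a different snapshot path and compare the two files: the only expected movement is domain names from FederatedDomains to ManagedDomains. The readiness check is deliberately conservative, since a stale or absent hash sync at the moment of the switch means users cannot authenticate against Azure AD once ADFS is out of the path.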
  • Science & Technology

COMMENTS • 42

  • @aanyah
    @aanyah 3 years ago +1

    Thanks for this guide! 😎

    • @ShotokuTech
      @ShotokuTech 3 years ago

      Thanks! Hard work pays off. I need to do this twice in real life soon.

  • @sexymeh99
    @sexymeh99 3 years ago +3

    Amazing, this is a well explained and easy to follow guide. I'm pretty sure this will help a lot of admins switch to modern authentication. ADFS is a pain to maintain.

    • @ShotokuTech
      @ShotokuTech 3 years ago

      I actually need to do this twice in real life, soon! So it was good to get to run through it. Thanks!

    • @sexymeh99
      @sexymeh99 3 years ago +2

      Sir, hope you have a video on how to do DR if the AAD server breaks. Cheers

    • @ShotokuTech
      @ShotokuTech 3 years ago

      @@sexymeh99 Good idea. Thanks

    • @sexymeh99
      @sexymeh99 3 years ago +1

      @@ShotokuTech yes good continuation of the series 🤣

  • @marcuslee2337
    @marcuslee2337 3 years ago +2

    Hi, thanks for this amazing video.
    It seems that the WARNING option of the PHS Sign-in option in AADC must be selected.
    With that, is it a risk to have that account AZUREADSSOACC generated in on-premises AD?

    • @ShotokuTech
      @ShotokuTech 3 years ago +1

      The warning is to inform that all federated domains will be converted to managed. If you have multiple federated domains and wish to have some continue to use ADFS you would have to take additional action. The AZUREADSSOACC account is created by virtue of ticking Enable Seamless SSO at the bottom. This is selected by default when you select PHS. Thanks!

  • @JudyFayLondon
    @JudyFayLondon 1 year ago +1

    You know how to write and change codes, genius.

    • @ShotokuTech
      @ShotokuTech 1 year ago +1

      This is one of my responsibilities at work. It can be challenging.

    • @JudyFayLondon
      @JudyFayLondon 1 year ago +1

      @@ShotokuTech 👍

  • @zack.123.
    @zack.123. 1 year ago +1

    Thanks for the video. Does seamless SSO work the same way with Chrome, or do you need an agent?

    • @ShotokuTech
      @ShotokuTech 1 year ago

      I actually did not implement seamless SSO. So I don't have that answer. I would expect Chrome and Edge to work similarly.

  • @rajivkalra9230
    @rajivkalra9230 2 years ago +1

    Good learning video

  • @samdelacruz6230
    @samdelacruz6230 1 year ago +1

    Amazing video. I was just quoted 25K by my MS rep consultant to migrate from ADFS to Azure AD authentication. I cannot wait to migrate this, as ADFS is a pain to maintain.

    • @ShotokuTech
      @ShotokuTech 1 year ago

      Oh yeah! Run away from ADFS. Run away. Thanks.

    • @samdelacruz6230
      @samdelacruz6230 1 year ago +1

      One question. If we run our ADFS servers as VMs and create snapshots before migrating, can we revert to the snapshots in case we have any issues?

    • @ShotokuTech
      @ShotokuTech 1 year ago +1

      @@samdelacruz6230 interesting question. If you are migrating O365 sign-on from ADFS to Password Hash Sync, you really aren't making changes to ADFS. You are changing O365 to use password hashes that are synced from AD to O365. So a snapshot of the ADFS servers won't give you any roll-back. It would be more of a matter of running AAD Connect setup and switching back from PHS to ADFS. The change you are making is the O365 authentication method. AAD Connect setup is the tool to make this change. Thanks.

    • @samdelacruz6230
      @samdelacruz6230 1 year ago +1

      @@ShotokuTech Oh OK, so the changes are really being made on AD Connect.
      So far I have been able to create a rollout group as a test and everything is working great for 20 users. I am just concerned that if something happened and I needed to roll back, what would be my best option to go back to the original config? We have about 450 network users and 100 remote users.

    • @ShotokuTech
      @ShotokuTech 1 year ago

      @@samdelacruz6230 Hello! That is a great question. I'd have to try that out in my lab. What would you do to roll back? I like to record the original state and document the changes that are made. What are your thoughts?

  • @DMCnME
    @DMCnME 1 year ago +1

    Why seamless SSO though? If you're using PHS and your clients are W10 or above, you should be able to take advantage of the Primary Refresh Token for SSO... right?

    • @ShotokuTech
      @ShotokuTech 1 year ago +2

      Exactly. I find the experience without seamless is just fine. Why add another wrinkle with potential vulnerability? We are getting in without any login prompt to almost all our apps using PHS alone. Of course I get prompted because I have multiple sign-ons: administrative access to different tenants, etc. Thanks.

    • @DMCnME
      @DMCnME 1 year ago +1

      @@ShotokuTech Thanks for the response. We’re about to make the switch from federated to managed for about 20k users. We used staged rollout (which is a great feature) and my results mirror what you said… PHS alone is fine. That said, HAADJ status is crucial. If a device isn’t trusted, there will be prompts. Great content!

    • @ShotokuTech
      @ShotokuTech 1 year ago +1

      Great. It sounds like you have this in capable hands. I try to make videos about my day job from time to time. Mostly I am practicing for the real world in these videos. So it is good to know it helps. Thanks.

  • @LV13619
    @LV13619 9 months ago +1

    The AZUREADSSOACC computer object which gets created when SSO is enabled: does this need to be in an OU which has sync enabled to MS Entra? Or can it be in a non-synced OU?
    Looking forward to some great insight & learning here :)

    • @ShotokuTech
      @ShotokuTech 9 months ago

      AZUREADSSOACC is created automatically as part of running seamless SSO. You don't really want to be changing the parameters around this account without clear guidance from Microsoft. I will be upgrading my lab to Server 2022 in this upgrade cycle so stay tuned for more! Thanks.

    • @LV13619
      @LV13619 9 months ago +1

      @@ShotokuTech Totally agree. In an effort to keep the OUs in a clean state and meet organizational requirements, what are the right parameters to move it from the default OU to a desired OU?

    • @ShotokuTech
      @ShotokuTech 9 months ago

      To be honest, when I saw what the outcome of enabling Seamless SSO was and weighed the benefit, I decided against doing it. So I have no experience with managing this account. In general, if Entra ID Connect creates an object in the directory, I would leave it alone. That is unless you have clear guidance from Microsoft to do otherwise.

    • @fellow5114
      @fellow5114 8 months ago

      This is a very relevant question.
      @@ShotokuTech
      Sorry to say this, but your responses aren't helpful at all. It's pretty clear you have no idea and it would be good if you are honest about it and say so. There is no shame in admitting it.
      @vitusq6518
      To answer your question: after reading your query, I tested it and can confirm it works as you asked.

  • @sexymeh99
    @sexymeh99 3 years ago +1

    Can we still use our current license when we migrate to PTA or PHS?

    • @ShotokuTech
      @ShotokuTech 3 years ago +1

      These are all good from an Azure AD license perspective. PTA is a non-starter for me from what I read about it.

  • @lidiaoleska9591
    @lidiaoleska9591 1 year ago +1

    Thanks for this video, it was very helpful!

    • @ShotokuTech
      @ShotokuTech 1 year ago +1

      Now that you mention it, I did not. Once you see how easy it is, you won't want to go back. But then in a change management scenario, they will at least want to see on paper what the rollback is. I would say run AAD Connect Setup, Change User Sign-in, check ADFS, uncheck PHS, provide the ADFS instance name and service account creds and go. I did make that video: "Complete installation of ADFS Using AAD Connect Setup"
      ua-cam.com/video/zdBfh9sgrqA/v-deo.html
      Thanks!

    • @LV13619
      @LV13619 9 months ago

      @@ShotokuTech
      Thank you for this great video.
      Though well said, environments of others may not be as smooth as yours. Hence, a rollback video would be highly appreciated & helpful.

  • @KoolMada
    @KoolMada 2 years ago +1

    What about enabling the Pass-through authentication?

    • @ShotokuTech
      @ShotokuTech 2 years ago

      I'm not a big fan of PTA. Thanks.

    • @KoolMada
      @KoolMada 2 years ago +1

      @@ShotokuTech What is your reason for that? Just curious.

    • @ShotokuTech
      @ShotokuTech 2 years ago

      @@KoolMada Biggest reason is PTA's dependency on on-premises AD. Think encryption attack. Password Hash Sync would allow your users to continue logging into O365 and Azure. social.technet.microsoft.com/Forums/en-US/aeb17b9d-a80c-4a3a-afd9-dc28cdb5d90f/difference-between-passthrough-and-password-hash-sync

  • @sconnell194
    @sconnell194 3 years ago +1

    👍