AD FS to Microsoft Entra | How to migrate your cloud apps

  • Published 22 Oct 2024

COMMENTS • 11

  • @cdanvergara (1 year ago)

    This is great, there are customers still running ADFS farms on WS2012, that's a compelling reason to move to Entra as well!

  • @julianwaite9709 (5 months ago)

    This is great, definitely the way to go with the right planning. Thanks for the clear explanation as always!

  • @DaveCober (1 year ago) +3

    I know it sounds like a small thing, but requiring users to enter UPN/Email instead of SamAccountName has tripped up a ton of our workforce.

    • @caseyg1495 (1 year ago)

      We had that complaint as well. We are in the process of this migration right now. We changed ADFS to support both username and email last year and then put in the comment for the username field to enter their email address to help transition people. When we make the final cut over, it will be difficult I think for some users. I really wish that it would prompt users to say are you sure you want to sign into a Microsoft Live account before jumping over to the live portal. Ultimately, it is training users to not enter a password in on a page that doesn't look like your SSO page.

  • @NamNguyen-ck7yb (1 year ago)

    Can we do the first login with a hybrid joined device that already has MS Entra sync? We are still stuck on the first login on hybrid join devices. It can only be set up with a line of sight to on-premises AD.

    • @igormatic7896 (1 year ago)

      We are using Always-ON VPN Device tunnel to make the first login possible outside of the company network. The Always-On Tunnel is deployed during Autopilot installation.

    • @NamNguyen-ck7yb (1 year ago)

      @igormatic7896 We heard about that with Cisco fast connect, but we are currently using Ivanti VPN, which is very limited. We have been trying with Azure VPN and device-trusted SCEP certificates, but it is still really complicated. Hopefully with Entra, with users' on-premises identity already in the cloud, it could be easier. Because migrating all GPOs to Intune and doing cloud join is a nightmare.

  • @jonkilner8816 (1 year ago)

    Still no cloud alternative to user logon expiry dates.
    Seems to me a security risk that you can have on-premises user accounts that have expired, but which are still active/enabled in Azure.

    • @jackneely9404 (1 year ago)

      What do you mean? Can you provide an example?

    • @jonkilner8816 (1 year ago)

      @jackneely9404 A user's on-premises account is configured in AD to expire on the 31 July 2023. This account is sync'd to AzureAD. On the 1st August, when the user tries to sign in to their on-prem AD joined device they can't, as their account has expired (the account is expired, not disabled). However, that same user can still use their Azure AD account to sign in to M365, as the account is still active (AAD Connect doesn't sync the onprem account.expiry date).
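
An audit for the gap described in this thread, added here as an example and not part of the video or of any commenter's post: it decodes the raw on-premises `accountExpires` attribute and reports accounts that have expired in AD while the matching cloud account is still enabled. The two input lists are assumed to be exports you have already produced (on-prem users with `userPrincipalName` and `accountExpires`, cloud users with `userPrincipalName` and `accountEnabled`); all sample rows and the `contoso.example` names are constructed.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = {0, 0x7FFFFFFFFFFFFFFF}  # both raw values mean "never expires"

def to_filetime(dt):
    """Encode a UTC datetime as 100-ns ticks since 1601 (used to build samples)."""
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def expiry_of(raw):
    """Decode a raw accountExpires value; None means no expiry is set."""
    raw = int(raw)
    if raw in NEVER:
        return None
    try:
        return EPOCH_1601 + timedelta(microseconds=raw // 10)
    except OverflowError:  # out-of-range garbage: treat as "no expiry"
        return None

def expired_but_enabled(ad_users, cloud_users, now):
    """Return (upn, expiry date) for accounts expired on-prem but enabled in the cloud."""
    enabled = {u["userPrincipalName"].lower()
               for u in cloud_users if u["accountEnabled"]}
    hits = []
    for u in ad_users:
        upn = u["userPrincipalName"].lower()
        exp = expiry_of(u["accountExpires"])
        if exp is not None and exp <= now and upn in enabled:
            hits.append((upn, exp.date().isoformat()))
    return sorted(hits)

def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample exports (assumed shapes, not real tenant data).
AD_USERS = [
    {"userPrincipalName": "alice@contoso.example", "accountExpires": to_filetime(_utc(2023, 7, 31))},
    {"userPrincipalName": "bob@contoso.example", "accountExpires": 0x7FFFFFFFFFFFFFFF},
    {"userPrincipalName": "carol@contoso.example", "accountExpires": to_filetime(_utc(2023, 12, 31))},
    {"userPrincipalName": "dave@contoso.example", "accountExpires": to_filetime(_utc(2023, 6, 30))},
]
CLOUD_USERS = [
    {"userPrincipalName": "Alice@contoso.example", "accountEnabled": True},
    {"userPrincipalName": "bob@contoso.example", "accountEnabled": True},
    {"userPrincipalName": "carol@contoso.example", "accountEnabled": True},
    {"userPrincipalName": "dave@contoso.example", "accountEnabled": False},
]
NOW = _utc(2023, 8, 1)  # the "1st August" from the scenario above

if __name__ == "__main__":
    for upn, day in expired_but_enabled(AD_USERS, CLOUD_USERS, NOW):
        print(f"{upn}: expired on-prem {day}, cloud account still enabled")
```

Accounts it reports are the ones to disable on-premises (a disabled state, unlike an expiry date, is what the commenter distinguishes above) or to block in the cloud directly.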

  • @Timmy-Hi5 (1 year ago) +3

    7 min migration 😁😂 only if AI is doing it for you 🤣🤣