• Home
  • Migrating ADFS to Modern Authentication Model

Migrating ADFS to Modern Authentication Model

Active Directory Federation Services “ADFS” was the original and only way of providing single-sign-on for on-premises identities with Microsoft Azure/Office 365. It called for a great number of servers and components to be deployed to provide a resilient solution. 

The service has matured since its original release however the fundamentals have not changed and the infrastructure and administrative overheads remain the same even with Windows Server 2019 (Windows 2012 R2 & 2016 are still supported but Server 2019 is recommended).


ADFS (1)

Organisations whose security policies prohibited the use of Password Hash Sync (PHS) didn’t have any alternatives to ADFS until Microsoft released ‘Pass-through Authentication’ (PTA). This significantly reduced the infrastructure requirements and coupled with a growing catalogue of SaaS applications supported by Azure AD in conjunction with a new feature titled ‘seamless single-sign-on’, provided a true enterprise grade alternative to ADFS.


PTA (1)

Whilst transitioning between identity models has always been possible, making these changes required significant planning and this came with potential risks and downtime as the switchover itself required a cutover i.e. meaning there was no way to provide a seamless method of testing and gracefully moving between models.

Microsoft have now recently announced a preview feature that will change this behaviour and simplify the entire process of changing identity models. The new feature (named ‘Staged Rollout’), allows IT administrators to plan and test the switching of users between ADFS to PHS or PTA. The new feature can be found in Azure Active Directory. Enabling the service is as simple as adding users to the groups for either PHS, PTA and SSO (enabling both PHS and PTA is not supported and will error).


This feature reduces the risks associated with changing from an ADFS identity model and enables you to move to PHS/PTA by using a staged approach. Planning to switch models should take into consideration other features that may have been enabled with the ADFS solution such as:

• MFA Server
• Smart Card Authentication
• Other Federation Services
For advice and assistance, the Ultima Professional Services team can walk you through the steps, validate your plans and enable transition to your new authentication model. Get in touch today!

Contact Us

Written by Stephen Harper, Solutions Architect

0 (4)


Related Resources

The Foundations of Intelligent Infrastructure in Financial Services

An intelligent financial services firm is nimble, slick and clever. It out-performs its competitors by out-innovating them...

The Foundations of Intelligent Business

Successful execution of strategy requires alignment in every part of the business. Pockets of excellence are not enough. You need intelligence at every level – from the foundations up...

Foundations of Intelligent Infrastructure

An intelligent business is nimble, slick and clever. It out-performs its competitors by out-innovating them. And it’s built on intelligent infrastructure from the foundations up...


Related Resources