Earlier this year, Microsoft released a preview feature in Azure AD called “staged rollout”. What is this feature, how does it work and when should you use it? Those are the questions we discuss in this blog.
Many organizations use Active Directory Federation Services (ADFS) to authenticate their users to external applications such as Microsoft 365 or third-party services. ADFS sits between the local AD and the target application: it validates the user’s credentials against the on-premises AD and issues a token that the application trusts, so the local AD stays the single source of authority. Compared with authenticating directly against Azure AD, this setup has some limitations, because Azure AD never sees the credential itself. For example, federated sign-in limits or rules out the use of Azure AD features such as:
- Conditional Access;
- Azure AD password protection;
- Identity Protection for Leaked Credentials;
- Identity Governance.
Switching to cloud authentication enables these features in your environment. However, changing the authentication flow affects every user at once, and an unforeseen problem can turn into a business-wide outage. Ideally, you want to migrate from local to cloud authentication in stages, one subset of users at a time, and that is exactly what Azure AD staged rollout provides.
Azure AD staged rollout works for:
- Users who are provisioned in Azure AD by using Azure AD Connect;
- User sign-in traffic on browsers and modern authentication clients. Applications or cloud services that use legacy authentication will fall back to federated authentication flows;
- Groups with fewer than 50,000 members. If the group you want to use to scope the staged rollout is larger than that, you will have to split it into multiple groups.
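Before you put a pilot group into a staged rollout, it is worth checking the three conditions above in one go. The script below is an added example for this post, not Microsoft’s tooling: it uses the Microsoft Graph PowerShell SDK (Connect-MgGraph, Get-MgGroup, Get-MgGroupMember, Get-MgUser, Get-MgAuditLogSignIn) to verify that the group stays under the 50,000-member limit, that every member is synced from on-premises AD (cloud-only accounts are simply not in scope), and which members still sign in with legacy authentication clients, since those sign-ins will keep going to ADFS. The group name, the 14-day look-back window and the scopes requested are assumptions you can adjust.

```powershell
# Added example (not from the original post): pre-flight check for a staged rollout pilot group.
# Assumes the Microsoft Graph PowerShell SDK and an account that can consent to
# Directory.Read.All and AuditLog.Read.All. Group name, look-back window and the
# list of "modern" client types are assumptions for this example.
param(
    [Parameter(Mandatory)] [string] $GroupName,   # e.g. "SR-Pilot-Wave1" (hypothetical)
    [int] $MaxMembers   = 50000,                  # limit stated in the text
    [int] $LookbackDays = 14                      # assumed window for the sign-in check
)

Connect-MgGraph -Scopes 'Directory.Read.All','AuditLog.Read.All' | Out-Null

$group = @(Get-MgGroup -Filter "displayName eq '$GroupName'")
if ($group.Count -eq 0) { throw "Group '$GroupName' not found" }
if ($group.Count -gt 1) { throw "More than one group is named '$GroupName'; use the object id instead" }
$group = $group[0]

# 1. Size limit: a staged rollout group must have fewer than $MaxMembers members.
$members = @(Get-MgGroupMember -GroupId $group.Id -All)
Write-Host ("Group '{0}' has {1} direct member(s)" -f $GroupName, $members.Count)
if ($members.Count -ge $MaxMembers) {
    Write-Warning "Group reaches the $MaxMembers-member limit; split it into smaller groups before using it for staged rollout."
}

# 2. Only users provisioned through Azure AD Connect are in scope. Nested groups are
#    not expanded here; they are flagged so you can check them separately.
$users = foreach ($m in $members) {
    $type = $m.AdditionalProperties['@odata.type']
    if ($type -ne '#microsoft.graph.user') {
        Write-Warning "Member $($m.Id) is a $type, not a user; nested objects are not checked by this script."
        continue
    }
    Get-MgUser -UserId $m.Id -Property Id,UserPrincipalName,OnPremisesSyncEnabled
}
$cloudOnly = @($users | Where-Object { -not $_.OnPremisesSyncEnabled })
foreach ($u in $cloudOnly) {
    Write-Warning "$($u.UserPrincipalName) is cloud-only (not synced by Azure AD Connect); staged rollout does not apply to it."
}

# 3. Legacy authentication clients keep using the federated (ADFS) flow. List synced
#    members that used such clients recently so you know who will not be migrated yet.
$since  = (Get-Date).AddDays(-$LookbackDays).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$modern = @('Browser', 'Mobile Apps and Desktop clients')   # assumed to be the modern-auth client types
$legacyReport = foreach ($u in $users | Where-Object { $_.OnPremisesSyncEnabled }) {
    $signIns = Get-MgAuditLogSignIn -Filter "userId eq '$($u.Id)' and createdDateTime ge $since" -All
    $signIns | Where-Object { $_.ClientAppUsed -notin $modern } |
        Group-Object ClientAppUsed |
        ForEach-Object {
            [pscustomobject]@{
                User      = $u.UserPrincipalName
                ClientApp = $_.Name
                SignIns   = $_.Count
            }
        }
}

if ($legacyReport) {
    Write-Warning "The following members still use legacy authentication; those sign-ins stay federated during staged rollout:"
    $legacyReport | Sort-Object User, ClientApp | Format-Table -AutoSize
} else {
    Write-Host "No legacy authentication sign-ins found for synced members in the last $LookbackDays days."
}
```

Run it against each candidate pilot group before adding the group to the staged rollout. The sign-in query is one Graph call per member, so on large groups expect it to take a while; for a group that already approaches the 50,000 limit, split it first and run the check per sub-group.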
Keep in mind that this feature is in preview now and some details are subject to change.
References:
- Migrate to cloud authentication using staged rollout: Azure AD Connect: Cloud authentication via staged rollout | Microsoft Docs
- Choose the authentication method: Authentication for Azure AD hybrid identity solutions – Active Directory | Microsoft Docs