Earlier this year, Microsoft released a preview feature in Azure AD called “staged rollout”. What is this feature, how does it work and when do you use this feature? These are the questions we will discuss in this blog.

Many organizations are making use of Active Directory Federation Services (ADFS) to perform authentication against external applications like Microsoft 365 services or third-party services. ADFS manages authentication through a proxy service hosted between the local AD and the target application, enabling the administrator to use the local AD as the main source of authority. This brings some limitations compared to authentication against Azure AD. For example, you don’t have the possibility to use some of the features of the Azure AD, e.g.

Switching to cloud authentication will enable you to implement these features in your environment. However, changing the flow of authentication can have a huge impact on all users within an environment, with a business outage as a worst-case scenario when an unforeseen situation arises. Ideally, you would like to have the option to perform a staged migration from local to cloud authentication. This is where Azure AD staged rollout can provide a solution.

What is Azure AD staged rollout?

With Azure AD staged rollout you can selectively exclude a specific group from federated authentication, so that its members authenticate directly against Azure AD. This lets you assign a few pilot users to cloud authentication without impacting the rest of the business, so a decent test scenario can be executed and user disruption can be minimized.

Keep in mind that the Azure AD sign-in page should be configured to match company branding.

How can I activate Azure AD staged rollout?

Open the Azure AD portal and open Azure AD Connect in the left menu. Scroll to the middle of the page and click on “Enable staged rollout for managed user sign-in (Preview)”. Enable the appropriate cloud authentication method and assign the group that you want to enable Azure AD staged rollout for.

An authentication method should be in place before you can use this feature.

Azure AD staged rollout works for:

  • Users who are provisioned in Azure AD by using Azure AD Connect;
  • User sign-in traffic on browsers and modern authentication clients. Applications or cloud services that use legacy authentication will fall back to federated authentication flows;
  • Groups with fewer than 50,000 members. If the group that you want to use to indicate the scope of staged rollout is larger than that, you will have to split it into multiple groups.
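
As an added example (not part of the original post and not Microsoft's code), the following Python checks a candidate pilot group against the three conditions listed above before it is assigned to staged rollout. It assumes member and sign-in records exported in the shape of Microsoft Graph objects (`onPremisesSyncEnabled`, `clientAppUsed`); the function names and the sample data are hypothetical and constructed for illustration.

```python
MAX_GROUP_MEMBERS = 50_000  # from the list above: fewer than 50,000 members
# Assumption: these two clientAppUsed values are the modern-auth clients;
# every other value is treated as legacy authentication.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}


def check_pilot_group(members, sign_ins, limit=MAX_GROUP_MEMBERS):
    """Check one candidate group; both inputs are lists of dicts."""
    upns = {m["userPrincipalName"].lower() for m in members}
    # Cloud-only accounts (flag is null) are not provisioned by Azure AD Connect.
    not_synced = sorted(m["userPrincipalName"] for m in members
                        if not m.get("onPremisesSyncEnabled"))
    # Legacy-auth sign-ins fall back to the federated flow, so these members
    # would still authenticate through ADFS for those clients during the pilot.
    legacy = {}
    for s in sign_ins:
        upn = s["userPrincipalName"].lower()
        if upn in upns and s["clientAppUsed"] not in MODERN_CLIENTS:
            legacy.setdefault(upn, set()).add(s["clientAppUsed"])
    return {
        "too_large": len(members) >= limit,
        "not_synced": not_synced,
        "legacy_clients": {u: sorted(c) for u, c in sorted(legacy.items())},
    }


def split_group(members, limit=MAX_GROUP_MEMBERS):
    """Split an oversized member list into chunks that stay under the limit."""
    size = limit - 1
    return [members[i:i + size] for i in range(0, len(members), size)]


# Constructed sample data, not taken from a real tenant.
MEMBERS = [
    {"userPrincipalName": "alice@contoso.example", "onPremisesSyncEnabled": True},
    {"userPrincipalName": "bob@contoso.example", "onPremisesSyncEnabled": True},
    {"userPrincipalName": "svc-cloud@contoso.example", "onPremisesSyncEnabled": None},
]
SIGN_INS = [
    {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Browser"},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "IMAP4"},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "Mobile Apps and Desktop clients"},
    {"userPrincipalName": "carol@contoso.example", "clientAppUsed": "POP3"},
]

if __name__ == "__main__":
    print(check_pilot_group(MEMBERS, SIGN_INS))
```

Members reported under `legacy_clients` will keep exercising the federated path for those clients, so their pilot results only cover browser and modern-client sign-ins.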

Keep in mind that this feature is in preview now and some things are subject to change.


Migrate to cloud authentication using staged rollout: Azure AD Connect: Cloud authentication via staged rollout | Microsoft Docs

Choose the authentication method: Authentication for Azure AD hybrid identity solutions – Active Directory | Microsoft Docs
