This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(102.4, 70%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELC%3C/text%3E%3C/svg%3E)
In office365 environment, we are going to migrate "federation with password hash sync" to "Cloud Authentication". After migrate to "Cloud Authentication", on premise AD will be removed, so we will perform Decommission of federation & password hash sync after confirming "cloud authentication" have no problem.
My question is, Since on premise AD will be remove, both Federation and active sync password hash will not be use anymore, is there any sequence on decommision of ADFS / active sync password hash? Or we simply perform decommision of ADFS, active sync password hash will be remove accordingly? (Since from my understanding, both ADFS & Active sync password hash is somehow impacting each other. Please correct me if my understanding is wrong.)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 43%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hi, louis cheung
This is Chaboon.
From my understanding, getting rid of on-premises AD means you can only sign in with Entra ID (Azure AD).
And AD FS federation always fails because it requires on-premises AD.
Therefore, you should migrate your AD FS applications to Entra ID before getting rid of on-premises AD.
Below article may be helpful.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 78%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESG%3C/text%3E%3C/svg%3E)
Thank you for posting this in Microsoft Q&A.
As I understand you want the steps to move from ADFS to Cloud Authentication. Also, you have password hash sync configured in your environment.
With PHS configured in your environment, user's password gets synced to Azure AD. Currently when you have ADFS configured in your environment, user Authentication is handled by on-premises ADFS servers.
For testing before moving to cloud authentication, you can make use of "Staged rollout" feature in Azure AD to confirm if cloud authentication is working as expected.
This method is used to have Zero impact in your environment while migration.
Staged Rollout allows you to selectively test groups of users with cloud authentication capabilities like Microsoft Entra multifactor authentication, Conditional Access, Identity Protection for leaked credentials, Identity Governance, and others, before cutting over your domains.
You can refer to below article to configure staged rollout in your environment,
https://video2.skills-academy.com/en-us/entra/identity/hybrid/connect/how-to-connect-staged-rollout
Once you make sure that cloud authentication is working fine using staged rollout, you can un-federate the domain in ADFS environment. Once you un-federate the domain, Azure AD will stop redirecting the authentication requests to ADFS.
Sync user passwords are already synced to Azure AD, Azure will handle the authentication and give access to requested resources.
Now, post all testing and un-federating the domain, you can decommission ADFS servers.
Let me know if you have any further questions.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
"Once you make sure that cloud authentication is working fine using staged rollout, you can un-federate the domain in ADFS environment. Once you un-federate the domain, Azure AD will stop redirecting the authentication requests to ADFS."
Do this means during un-federate stage, All I need to do is to un-federate ADFS, dirsync and password hash will stop correspondingly?
Un-federating domain from ADFS will only stop Azure AD to redirect authentication requests to ADFS.
Password hash sync configured in Dirsync (AD connect). Once you decommission AD connect, Password hash sync will also stop correspondingly.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
is there any sequence on Un-federating domain and decommission AD connect? Or can I assume no impact on another action if I stopping any one of these first?
You can un-federate the domain first and then you can decommission ADFS. Post this you can decommission AD connect.
Note: If you are still syncing users from on-premises to Azure AD, then do not remove AD connect.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Just checking in to see if the above answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread
Just one more question. As you said, password hash sync will stop correspondingly when I decommission AD connect, which option should I choose during decommission? "Password hash sync" / "Do not configure" ??
You don't have to go to the wizard while decommissioning AD connect. You can just uninstall AD connect from server and all features tied through AD connect will get disabled automatically.