How to check if Azure AD has processed the hybrid authentication method change


Many organizations with an Azure AD tenant are currently transitioning from federation to Pass-through Authentication (PTA) and/or authentication based on Password Hash Synchronization (PHS). The Staged Roll-out feature is a straightforward way to perform this transition. Microsoft has described how to migrate from federation to cloud authentication in Azure Active Directory using this feature.

Note:
In the past, I commented that this documentation doesn't include how to enable Seamless Single Sign-on when AD FS is configured as the sign-in method. This is an integral step for organizations that don't have hybrid Azure AD-joined devices, but still want to keep the single sign-on functionality AD FS offered.

One of the things I noticed when transitioning organizations is that there is a delay between the moment you switch the authentication method, either with Azure AD Connect or with the Set-MsolDomainAuthentication Windows PowerShell cmdlet, and the moment every user in the Azure AD tenant actually signs in with the new authentication method.

This delay depends on the size of the organization and on the number of accounts that are in scope for the Staged Roll-out feature. Accounts in scope of Staged Roll-out already use the cloud authentication method, so a larger scope shortens the delay.

Tip!
This is one of the reasons we schedule the change of the Azure AD hybrid authentication method outside office hours.


Checking

To check whether Azure AD has processed the hybrid authentication method change for a tenant, we use the domain hint. Passing a domain hint makes Azure AD apply the sign-in method configured for that domain without a user account being specified, so the per-user Staged Roll-out feature doesn't kick in and you see what the domain itself is configured for. And because the domain hint is per domain, you can check whether Azure AD has processed the change for each DNS domain name in the tenant separately.

We use the following URL in an InPrivate Microsoft Edge window, so no existing session or cookies influence the result:

https://portal.office.com/?domain_hint=domain.tld


Replace domain.tld with the DNS domain name.

If the above URL redirects to the on-premises federation solution (for example, the AD FS sign-in page), Azure AD hasn't processed the hybrid authentication method change for that DNS domain name yet.

When you open a new InPrivate window (Ctrl+Shift+N) or a new tab (Ctrl+T), point it to the URL, and the (themed) Azure AD sign-in experience is shown, then Azure AD has processed the hybrid authentication method change for that DNS domain name.
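As an added example that is not part of the original post, the PowerShell function below performs the same domain_hint check from a script instead of an InPrivate window, so it can be repeated per domain while the change propagates. It follows the redirect chain of the URL above hop by hop, sends no cookies (the equivalent of a fresh InPrivate session) and treats a hop to any host other than Microsoft's login and portal hosts as the hand-off to the on-premises federation service. The function name, the list of Microsoft hosts and the rule that a final page served from a Microsoft login host is the cloud sign-in experience are assumptions of this example, not something the post states.

```powershell
# Added example: script the domain_hint check instead of eyeballing it in a browser.
# Assumptions (not from the original post): the redirect chain stays on the hosts in
# $cloudHosts for cloud authentication and leaves them for a federated domain.
function Test-AzureADAuthMethod {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Domain,   # DNS domain name, e.g. domain.tld
        [int] $MaxHops = 10                         # stop runaway redirect loops
    )

    # Windows PowerShell 5.1 needs the assembly loaded explicitly; PowerShell 7 has it built in.
    Add-Type -AssemblyName System.Net.Http -ErrorAction SilentlyContinue

    $handler = [System.Net.Http.HttpClientHandler]::new()
    $handler.AllowAutoRedirect = $false   # we want to inspect every hop ourselves
    $handler.UseCookies        = $false   # like InPrivate: no stored session can influence the result
    $client = [System.Net.Http.HttpClient]::new($handler)
    # A browser-like User-Agent so the login service serves its normal sign-in flow.
    $client.DefaultRequestHeaders.UserAgent.ParseAdd('Mozilla/5.0 (Windows NT 10.0; Win64; x64)')

    # Hosts that belong to Microsoft's portal/login flow (assumed list for this example).
    $cloudHosts = @('portal.office.com', 'www.office.com',
                    'login.microsoftonline.com', 'login.microsoft.com', 'login.windows.net')

    $uri    = [Uri]"https://portal.office.com/?domain_hint=$Domain"
    $hops   = New-Object System.Collections.Generic.List[string]
    $result = 'Undetermined'

    try {
        for ($i = 0; $i -lt $MaxHops; $i++) {
            $response = $client.GetAsync($uri).GetAwaiter().GetResult()
            $status   = [int]$response.StatusCode
            $hops.Add("$status $($uri.Host)$($uri.AbsolutePath)")

            $isRedirect = $status -in 301, 302, 303, 307, 308
            if (-not $isRedirect -or -not $response.Headers.Location) {
                # Chain ended without leaving Microsoft's hosts: the Azure AD sign-in page
                # is being served, i.e. the domain uses cloud authentication.
                $result = if ($uri.Host -in $cloudHosts) { 'CloudAuthentication' } else { 'Federated' }
                break
            }

            $next = $response.Headers.Location
            $uri  = if ($next.IsAbsoluteUri) { $next } else { [Uri]::new($uri, $next) }

            if ($uri.Host -notin $cloudHosts) {
                # Azure AD handed the request to a host it does not own:
                # that is the on-premises federation solution, so the change is not processed yet.
                $hops.Add("-> $($uri.Host)$($uri.AbsolutePath)")
                $result = 'Federated'
                break
            }
        }
    }
    finally {
        $client.Dispose()
    }

    [pscustomobject]@{
        Domain = $Domain
        Result = $result            # 'CloudAuthentication', 'Federated' or 'Undetermined'
        Hops   = $hops -join "`n"   # the redirect chain, for eyeballing when in doubt
    }
}

# Usage: replace domain.tld with the DNS domain name to check.
Test-AzureADAuthMethod -Domain 'domain.tld'
```

Because the check is per domain, run it once for every verified domain that is being switched, for example by piping the domain names into `ForEach-Object { Test-AzureADAuthMethod -Domain $_ }`, and repeat it until every domain reports CloudAuthentication. Treat the result as a convenience, not as proof: the Hops output shows where the chain actually went, and when the script reports Undetermined, or the chain ends in a way you did not expect, fall back to the InPrivate browser check described above.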
