Migrate to cloud authentication in batches

I am excited about this feature released by Microsoft, as it will assist many organizations that want to switch over from their federation provider, such as SecureAuth, Ping, ADFS and others, to cloud authentication using either:

  • password hash synchronization (sync) + seamless single sign-on (SSO)
  • pass-through authentication + seamless SSO

Previously, organizations had to do a hard cut-over, which for most of us managing Office 365 is a big NO, as there can be issues we are not aware of and a possibility of repercussions.

With the staged roll-out we can avoid this as it can work in parallel with your current federation provider.

Note: Only modern authentication is supported with cloud authentication staged roll-out; classic authentication will fall back to your federation provider.

Below are the steps you need to follow in order to enable staged roll-out:

First, choose one of the methods: either password hash sync or pass-through authentication.

We have enabled the password hash sync for our customer.

The next step is to enable Seamless SSO for your domain (this needs to be done from your Azure AD Connect server).

Import the module AzureADSSO.psd1, located under the C:\Program Files\Microsoft Azure Active Directory Connect folder.

Import-Module .\AzureADSSO.psd1 (run this in PowerShell as administrator after switching to the above location)

The next command is New-AzureADSSOAuthenticationContext, which will launch a browser window where you need to enter Global Admin credentials.

Run Get-AzureADSSOStatus | ConvertFrom-Json to check the status of the domains on which this feature is enabled.

Now type $creds = Get-Credential and provide domain administrator credentials.

The next action is to enable SSO in your forest/domain: Enable-AzureADSSOForest -OnPremCredentials $creds

This will create the AZUREADSSOACC computer account in on-premises AD for SSO.
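The steps above collected into one script, as an added example (not from the original post or from Microsoft). It skips the enable step when the forest is already listed, verifies the result, and goes one step further by checking the age of the AZUREADSSOACC secret, since Microsoft recommends rolling over that Kerberos decryption key at least every 30 days. The forest name corp.example.com is a placeholder, and the last check assumes the ActiveDirectory (RSAT) module is installed on the server.

```powershell
# Added example: enable Seamless SSO for one forest and verify the result.
# Run in an elevated PowerShell session on the Azure AD Connect server.
$ErrorActionPreference = 'Stop'

$modulePath = 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'
$forestDns  = 'corp.example.com'   # placeholder: your on-premises forest name

if (-not (Test-Path -LiteralPath $modulePath)) {
    throw "AzureADSSO module not found at $modulePath; run this on the Azure AD Connect server."
}
Import-Module $modulePath

# Opens the sign-in window; use a Global Admin account.
New-AzureADSSOAuthenticationContext

# Current state: the Domains list names the forests where Seamless SSO is already on.
$status = Get-AzureADSSOStatus | ConvertFrom-Json
if ($status.Domains -contains $forestDns) {
    Write-Host "Seamless SSO is already enabled for $forestDns; nothing to do."
} else {
    # Domain administrator credentials for the forest being enabled.
    $creds = Get-Credential -Message "Domain admin for $forestDns"
    Enable-AzureADSSOForest -OnPremCredentials $creds

    $status = Get-AzureADSSOStatus | ConvertFrom-Json
    if ($status.Domains -notcontains $forestDns) {
        throw "Enable-AzureADSSOForest returned, but $forestDns is not in Get-AzureADSSOStatus."
    }
    Write-Host "Seamless SSO enabled for $forestDns."
}

# Confirm the computer account exists and report how old its secret is.
# Assumption: the ActiveDirectory (RSAT) module is available on this server.
Import-Module ActiveDirectory
$acct = Get-ADComputer -Identity 'AZUREADSSOACC' -Server $forestDns -Properties PasswordLastSet
$ageDays = [int]((Get-Date) - $acct.PasswordLastSet).TotalDays
"{0}: secret last set {1} ({2} days ago)" -f $acct.DistinguishedName, $acct.PasswordLastSet, $ageDays
if ($ageDays -gt 30) {
    Write-Warning "Key is older than 30 days; roll it over with Update-AzureADSSOForest -OnPremCredentials <domain admin credential>."
}
```

The account holds the key used to decrypt Kerberos tickets for Azure AD, so it is worth keeping in a protected OU and including in routine monitoring.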

Now you have to work on the GPO:

Add autologon.microsoftazuread-sso.com to the intranet zone settings of the selected users or all users.

Also, enable the policy setting Allow updates to status bar via script.

We pushed it to all users, as we will control it later via an AD group.

For complete GPO instructions, follow the link


Once both of the above steps are completed, log on to https://portal.azure.com/

Azure Active Directory -> Azure AD Connect

Click Enable staged roll-out for managed users sign-in

Turn on Seamless SSO and Password hash sync

Add the security group for which you want to enable this.

Recommendations from Microsoft:

  • No more than 200 user members in the group the first time.
  • Try to use a cloud-only group so that replication wait time does not occur (not mandatory).

Please also enable conditional access for this group; for our customer we blocked basic authentication and allowed MFA for trusted devices.

Require MFA for All users conditional access settings:



Similarly, you need to block classic authentication for this group, so create one more conditional access policy.

Under conditions, select the other clients, and under grants, select block access.

Now when you log in as a member of that group, your login will not go to your federation provider but will use password hash sync and SSO (in the case of trusted clients).

Non Trusted device screenshot:


Thanks for reading …

Tech Wizard




