How to Use Staged Rollout to Migrate to Entra Single Sign-On

Are you ready to make the move to Entra (formerly Azure Active Directory) single sign-on (SSO)? Do you want to avoid the complications of federated authentication for Microsoft 365? Are you unsure about switching your entire organization over at once? Entra ID’s cloud authentication staged rollout might be the answer.

Background to Entra SSO

Entra ID provides a sophisticated SSO platform that can be integrated with almost all Security Assertion Markup Language (SAML) and OpenID Connect (OIDC) relying parties. Any tier (including the free tier, with some limitations) can take advantage of Entra SSO, including Azure multi-factor authentication (MFA). Additionally, anyone already using Microsoft 365 can have Entra ID act as an identity provider (IdP) for relying parties even if they are using another IdP (e.g., federated authentication) for sign-in to Microsoft 365. This makes Entra SSO an extremely competitive offering in the SSO space compared to the costs of other commercial SSO providers or the resources required to run an open-source SSO platform.

Moving to another SSO platform is not an easy undertaking. Most applications do not support multiple identity providers. In addition, there may also be a move to a new MFA provider that is supported natively by your IdP (e.g., Azure MFA with Entra SSO). Chances are, almost everyone in your organization uses an organization-wide app such as Office 365. Changing your users’ login experience all at once will have an enormous impact on them.

The huge amount of pre-work and the required lift and shift might be enough to deter you from even considering moving to another SSO provider, despite the cost and time benefits of Entra SSO in the long run. But fortunately, Entra ID has a feature to help make this move quite a bit easier: staged rollout.

Entra ID Staged Rollout

Staged rollout allows you to disable federated authentication and use either password hash sync or pass-through authentication for a subset of your Entra tenant. This lets you pilot using Entra SSO with Office 365 (and any applications you register with Entra ID) with a much smaller group. All features such as Azure MFA, Conditional Access, and Identity Governance work in staged rollout mode, allowing you to comprehensively test using Entra ID fully for SSO before switching over more users.

We can take this pilot one step further and use staged rollout to switch over select groups of individuals. Perhaps your organization has some applications that only small subsets of users use. You can register those apps in Entra ID and then add the apps’ populations to staged rollout to slowly grow the population that is exclusively using Entra SSO. Note that staged rollout is on a per-user rather than per-app basis. Enrolling a user in staged rollout will affect their login experience to all applications the user is assigned to within Entra ID.

If you are also working on having your organization enroll in Azure MFA, using staged rollout with smaller application populations allows you to target enrollment to specific users (smaller populations) at first. This approach makes the required change management a much easier effort.

Deploying Staged Rollout

The first thing you need to do is configure Entra ID Connect for password hash sync or deploy the Entra ID Connect Authentication Agent for pass-through authentication. This task is no different than if you were planning to switch your entire tenant over at once. However, do not change any of the user sign-in options in Entra ID Connect at this time.

Next, you need to determine which population(s) you want to switch to native cloud authentication first. You can configure up to 10 security groups to use staged rollout. Each group can contain up to 50,000 members, although you must add a group to staged rollout before populating it with more than 200 members. Unfortunately, nested and dynamic groups are currently unsupported (as of June 2022). However, it is easy enough to use the bulk import feature to import a list of users to a group in Entra ID.

If you have multiple Entra domains, you might want to break out the groups by domain, with each domain containing a subset of the population to test out native Entra SSO. Note that you can switch over individual domains to managed/cloud authentication while still using staged rollout for the remaining domains.

In the Entra Admin Center, click Entra ID Connect, then click the “Enable staged rollout for managed user sign-in” link. Set the toggle to “On” for either Password Hash Sync or Pass-through Authentication. Note that you can only select one or the other—you cannot pilot both modes at the same time.

Click “Manage groups” and “Add groups” to add the groups you created. You should see the groups successfully added with a notification in the top right corner. If you were planning for more than 200 members in the rollout group, go back to Entra Groups and add the remaining members.

Wait a few minutes. According to Microsoft documentation, this change can take up to 24 hours, although the change typically takes effect quickly when adding new members.

In a fresh browser session, try to log in to something such as with an account in the staged rollout group. You should see the normal Entra ID login screen instead of your previous IdP’s login screen.

The Sign-in logs section can be very helpful to understand what is happening during the login process for each user: For example, Did the authentication come from an external IdP, or was it using password hash sync or pass-through authentication? Adding the “Incoming Token Type” column will show you at a glance if a user is passing through the federated experience or native cloud authentication.

Note: You may discover that your IdP was previously enforcing things outside of Entra ID and Microsoft 365, such as its own MFA or restricting login locations. You will want to recreate any of these rules as Conditional Access policies in Entra ID.

Fully Disabling Federated Authentication

At some point you will have enough users migrated to Entra SSO and you will transition from using staged rollout and federated authentication to full password hash sync or pass-through authentication. When considering the cutover threshold, keep in mind that any remaining users may be prompted to enroll in Azure MFA (depending on your policies) and will need to re-sign in to their Office 365 apps. But at this point, staged rollout has helped get most of your users to the final state.

Fully transitioning to Entra SSO is just a matter of converting your domain(s) from federated authentication as you would in a migration without staged rollout:

Set-MsolDomainAuthentication -Authentication Managed -

Note that this change can take up to 24 hours to fully take effect (although in practice we have seen it take only a few hours). Any users already in staged rollout will already be using managed authentication at this point and will experience no user-facing changes—which is another good reason to leverage staged rollout as much as possible. You can confirm that the change was successful by selecting Entra ID Connect in the Entra ID portal or by running the following PowerShell command:

Get-MsolDomain -DomainName

Note: You do not need to migrate all your domains at once. You can continue to use staged rollout after you have migrated one or more domains to cloud authentication.

Once all domains are migrated, simply go back to Entra ID Connect in the Entra ID portal and turn off staged rollout.

Make Entra Cloud Authentication A Reality

Staged rollout can help make your transition to Entra SSO quite a bit easier. It decreases your risk by allowing a slow, testable rollout instead of one big all-or-nothing switch. When you combine using staged rollout with a repeatable process for app migrations, what seemed like an impossibly daunting task with no starting place can be fully accomplished in smaller, easier-to-migrate sets of applications and users.

If this project still seems too large to take on yourself, or if you just need a second set of eyes in the planning stage, Ravenswood Technology Group is ready to help. Whether you are looking to migrate to Entra SSO from Active Directory Federation Services (ADFS), Okta, Shibboleth, OneLogin, PingFederate, Auth0, or another platform—or if you want to start completely fresh with your login experience—Ravenswood has the business and technical expertise you need. We will walk you through all the stages of planning and execution to make Entra cloud authentication a reality in your organization.

Contact our experts today!


6 Tips to Harden Your Windows LAPS Deployment

In a previous blog post, we covered how to migrate to Windows Local Administrator Password Solution (LAPS). With Windows LAPS deployments gaining traction, it’s important

Migrating to Windows LAPS

Windows Local Administrator Password Solution (LAPS), now integrated into the OS, is the replacement for Microsoft LAPS, which was a separate installation. Windows LAPS is

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.