Confidently modernize to cloud authentication with Azure AD staged rollout, now generally available

Published Apr 05 2021 01:00 PM 16.5K Views

Howdy folks,


I’m excited to announce that staged rollout to cloud authentication is now generally available! This feature allows you to selectively test groups of users with cloud authentication methods, such as pass-through authentication (PTA) or password hash sync (PHS), while all other users in the federated domains continue to use federation services, such as AD FS, Ping Federate, Okta, or any other federation services to authenticate users.


Moving your Azure AD authentication from federation services to the cloud allows you to manage user and device sign-in from a single control plane in Azure AD. Some of the benefits using cloud authentication include reducing the dependency on on-premises infrastructure, which typically includes a farm of servers and proxies that need to be accessible from the internet. In addition, you can take advantage of security capabilities like: Azure AD multifactor authentication (MFA), Conditional Access, Identity Protection for leaked credentials, Identity Governance, and more.


New with the general availability, we’ve added the ability to monitor the users and groups added or removed from staged rollout and users sign-ins while in staged rollout, using the new Hybrid Auth workbooks in the Azure portal.  In addition, we’ve built a staged rollout interactive guide to help you learn more and deploy this feature.



 Hybrid Auth workbook.png

Hybrid Auth workbook


As always, we’d love to hear your feedback or suggestions in the comments or on Twitter (@AzureAD).

Alex Simons (@Alex_A_Simons)

Corporate VP of Program Management

Microsoft Identity Division



Learn more about Microsoft identity:

Senior Member

Maybe its only me, but our Log Analytics for Signin does not store the Authenticationdetail of "StagedMigration". I have old KQL queries where I do ask for the same, but I do not have that anymore (rendering my old KQLs useless as well).
Not sure if this has changed on the backside, or if its just something on my side?
The only thing we do not send to Log Analytics is the NonInteractive signons.

So, workbook, in this state, is to me useless

@Daniel_Fors  - If you are seeing the authentication detail in your sign-in logs and not in log analytics, please send a request to our support to investigate the data flow into Log Analytics. 

Senior Member

I am seeing all the details in Log Analytics, but the query in the workbook is looking for "(AuthMethod has "StagedRollout")" and I have all my users in Staged Migration, and I used to see this AuthMethod, but now I do not. 

I do see "Text Message" or "Password" as AuthMethod (with the Auth Detail = "Password Hash Sync" for Password), see below picture


Would Password Hash Sync logon be considered "Staged Migration" authentication, since my old query asked for  AuthMethod "PHS, StagedRollout"??




Occasional Visitor

We have set this up, it works and almost all users are in the 'staged group'.

We want to make the "final switch" but....

- Documentation on how to do this and how to have a 'fallback plan' is almost non-existent.

- We still see numerous, daily, successfull ADFS sign ins from almost ALL users in the Azure AD sign in logs (Filter: token issuer ADFS)


The last issue causes us to believe some major disruption will occur when switching over. We have no idea what causes the ADFS sign ins. There are no non-microsoft apps using ADFS. They are not legacy authentication mobile apps. They are all forms authentication. I am clueless as how to retrace which app of website causes these logins or if it is normal because ADFS is still in place.

Senior Member

Can we get some guidance around when to disable staged rollouts .

1-Enable PHS , Seamless Sign-on 

2-Migrate Apps to use Azure as IDP 

3-Migrate Users to use Azure MFA 

4-Enable Staged Rollout , add users in batches 

5- Remove federation from all domains 

6-Disable Staged rollout 

Does this sound like a right approach ? or do i need to disable staged rollout before i remove federation ?

@sarthak - Those steps are perfect. You can remove Staged Rollout after cutover and there is no need to do so before removing federation. We are working on a revised deployment plan for migration from Federation to Cloud Authentication which will be published soon.



I have also the topic that the workbook "Groups, Users and Sign-ins in Staged Rollout" doesn't work. Only the chart for "Users added to Staged Rollout" and "List of users added/removed from Staged rollout results" bring results but no information for successful or failed sign-ins are available. Users are already added since weeks to the staged rollout feature.


How and when could this be fixed?

Senior Member

@JR I have few more questions .


1- If i use Sign-in Frequency should KMSI be turned off and would that cause issues with Sharepoint ?

2- PowerApps & Flow have known issues with conditional Access policy , other than adding it to exclude list what can we do ? 

Occasional Visitor

Any update on the revised documentation? We still need to make the final cutover.

We are still seeing numeous ADFS authentications despite of all users being in the staged migration. We cannot explain this and we are unable to figure this out ourselves. 

They are from unknown client apps and when an user agent is shown it is always an adroid or apple mobile device. When we filter legacy authentication clients they are not authenticated by ADFS.

Puzzling and keeping us from doing the final cutover.

Occasional Visitor

I think the documentation about this subject should include this:


And more specific the step I highlighted here, as it is totally absent at he moment and IMHO causes MFA to be handled by ADFS even if the staged rollout is done for all users.



If I am interpreting all this correctly it means that when ou have MFA in place and do ADFS keeps doing your MFA and MFA breaks when you switch over?!


Version history
Last update:
‎Apr 05 2021 09:06 AM
Updated by: