What is staged rollout in Azure Active Directory?

[MUSIC] Jithesh Raj: Hi. My name is Jithesh Raj. I’m a Program Manager with the Azure AD Identity division. We are here today to talk about a cool feature. It’s called staged rollout.

Before we go ahead, let’s look at the authentication options we have today with Azure AD. Primarily, we have the cloud-only model, where users are created in the cloud and authenticated with the Azure AD tenant. In most production environments today, we have customers using the other three options. One is the federated option, where you have a federated identity provider like AD FS or a third-party identity provider that does your authentication for you. Or you could be using the cloud authentication method. We have two options in the cloud authentication method. One is Password Hash Sync and the other is Pass-Through Authentication, which we also call PTA. You could look at a cool whitepaper, which we have published, which can get you more info on these three authentication options.

Let’s look at how a federated identity provider authentication flow works today. A user signing into one of the web applications, either in Office 365 or a SaaS application that is integrated with Azure AD, signs into the application and is redirected to Azure AD. If Azure AD sees that the user is from a federated domain, Azure AD redirects the user to the federated identity provider. And then you complete authentication with the federated identity provider, go back to Azure AD, complete your authorization, take a token, and access the application. This is a typical federated identity flow. You can see there are multiple hops before the user gets access to the application.

What if I want to migrate off of the federated identity provider and look at cloud authentication as one of our options? So, I could either go from federated identity to PTA or PHS. So, what if I’m ready to migrate? What are my options today? I could use the cutover migration. However, in a cutover migration, I need to migrate all my users off the federated identity to Azure AD, which means I have to switch over all my users from federation to either PHS or PTA.

But wait, what if I gave you a cool option to just use some of those users to try out cloud authentication without doing a cutover? So, you could remain in production with your federated identity provider, take a bunch of users, and move them to either PTA or PHS. We can do that today with staged rollout. Once you do staged rollout, the user would be sent to Azure AD and then not to the federated identity provider. He would get the access token from Azure AD and then access the application.

Next, I’m going to show you a cool demo of how to do staged rollout. Thank you for watching. [MUSIC]

Daniel Ostrander
