In the Microsoft Entra ID (formerly Azure AD) environment, organizations have two primary identity authentication models—Federated Domains and Managed Domains. While federated domains rely on external identity providers (IdPs) like ADFS, Okta, or PingFederate, managed domains authenticate users directly in Microsoft Entra ID.
Many organizations are now shifting from federated authentication to managed authentication due to security, performance, and cost benefits. But how do you migrate? What are the prerequisites? And most importantly, is it the right move for your business?
Let’s dive into the details!
What is a Federated Domain?
A Federated Domain is an authentication model where users log in via an external identity provider (IdP), such as AD FS (Active Directory Federation Services), instead of directly through Microsoft Entra ID.
How It Works
- When a user signs into Microsoft Entra ID, they are redirected to their on-premises IdP (e.g., AD FS, Okta, or Ping).
- The IdP authenticates the user and issues a security token.
- Microsoft Entra ID then accepts the token and grants access to resources.
Example of a Federated Domain
Company ABC Corp. has an on-premises Active Directory integrated with AD FS. Employees sign in to Microsoft 365 using their corporate credentials, which are validated by AD FS.
Use Cases for Federated Domains:
- Your company already uses an external IdP (ADFS, Okta, PingFederate, etc.).
- You need custom authentication rules and advanced control over login policies.
- Compliance or business requirements mandate on-prem authentication.
- Multi-factor authentication (MFA) is on-premises based.
What is a Managed Domain?
A Managed Domain is a domain where authentication happens directly within Microsoft Entra ID without any external IdP.
How It Works
- Users sign in directly via Microsoft Entra ID.
- Passwords are stored and validated in Microsoft Entra ID.
- Organizations can use password hash sync (PHS) or Pass-through Authentication (PTA) for hybrid identity setups.
Example of a Managed Domain
Company XYZ Ltd. syncs user identities with Microsoft Entra ID using Azure AD Connect and enables password hash sync (PHS). Employees authenticate using Microsoft Entra ID without relying on an on-premises IdP.
Use Cases for Managed Domains
- Your organization is moving toward a cloud-first approach.
- You want to reduce complexity, improve security, and minimize infrastructure costs.
- You need faster authentication without external redirects to an IdP.
- You want to leverage Microsoft Entra MFA, Conditional Access, and Identity Protection.
- Organizations use Hybrid setups with password hash synchronization (PHS) or pass-through authentication (PTA).
Comparison – Federated and Managed Domains
Feature | Federated Domain | Managed Domain |
---|---|---|
Authentication Mode | Uses an external identity provider (IdP) like ADFS or Okta | Authentication is directly handled by Microsoft Entra ID |
Authentication Method | Relies on SAML or WS-Fed protocols via external IdP | Uses password hash synchronization (PHS) or pass-through authentication (PTA) |
Sign-in Experience | Redirects users to the external IdP login page | Users authenticate directly in Microsoft Entra ID |
On-Premises Dependency | Requires an on-premises IdP (ADFS, Okta, etc.) | No on-premises dependency; authentication is fully cloud-based |
Performance & Latency | Adds latency due to redirection to external IdP | Faster authentication, as it happens directly in Entra ID |
Security Features | Relies on external IdP for MFA, conditional access | Supports Microsoft Entra security features like MFA and Identity Protection |
Use Case | Organizations with existing on-prem IdP or custom authentication needs | Organizations moving to a cloud-first strategy with fewer on-prem dependencies |
Why Convert from Federated to Managed Domain?
✅ Increased Reliability & Availability
- A federated setup depends on an on-premises IdP (e.g., ADFS). If it fails, users can’t authenticate.
- A managed domain eliminates this risk by using Microsoft Entra ID directly.
✅ Better Performance
- Federated authentication redirects users to an external IdP, causing latency.
- Managed authentication is faster since it directly handles authentication in Microsoft Entra ID.
✅ Enhanced Security
- Federated authentication relies on ADFS or external IdPs for security features like MFA and conditional access.
- Managed authentication allows you to use Microsoft Entra’s built-in security controls.
✅ Lower Costs & Simpler Management
- No need to maintain ADFS servers, licenses, or external IdPs.
- Reduces administrative overhead and security risks.
Pre-Requisites for Converting Federated Domain to Managed Domain
Before converting, ensure you have:
✅ Microsoft Entra Connect Installed – This ensures synchronization between on-prem AD and Entra ID.
✅ Password Hash Synchronization (PHS) or Pass-Through Authentication (PTA) Enabled – Choose one authentication method before migration.
✅ Seamless SSO Configured (If needed) – Allows automatic sign-in to cloud apps.
✅ Backup Admin Accounts – Create break-glass accounts (cloud-only accounts with Global Admin roles) to prevent lockout.
✅ Test Users – Before full migration, run a pilot (staged rollout) with a few users.
✅ Update User Communication – Inform employees about login changes.
✅ Review Conditional Access Policies – Ensure MFA and security policies are aligned post-migration.
Migration Process Flow

Caution – Things to Consider Before Migrating
⚠️ User Experience Change – Users will no longer see their familiar ADFS login page. Communicate this to users before the migration.
⚠️ Conditional Access Policies – Ensure policies are pre-configured and correctly applied post-migration.
⚠️ Application Compatibility – Some apps may require additional configuration if they were integrated with ADFS.
⚠️ Rollback Plan – If issues arise, you may need to revert from cloud authentication to federated authentication.
⚠️ Enable the Staged Rollout Feature – It is optional, but it is the recommended way to verify cloud authentication (PHS/PTA) for a set of users or groups before you convert the federated domain to managed.
How to Convert a Federated Domain to a Managed Domain?
To convert a federated domain to a managed domain in Microsoft Entra ID, you can use either the Microsoft Graph PowerShell module or the MSOnline module. Below are the steps for both methods:
Method 1: Using Microsoft Graph PowerShell Module
✔️ Step 1: Install the Microsoft Graph PowerShell SDK
If you haven’t installed the Microsoft Graph PowerShell SDK, open PowerShell with administrative privileges and run:
Install-Module Microsoft.Graph -Scope CurrentUser
Import-Module Microsoft.Graph
✔️ Step 2: Connect to Microsoft Entra ID
Establish a connection to Microsoft Entra ID (formerly Azure Active Directory):
Connect-MgGraph -Scopes "Domain.ReadWrite.All", "Directory.AccessAsUser.All"
You’ll be prompted to authenticate. Use your Microsoft Entra ID administrator (GA) credentials.
✔️ Step 3: Check the Current Authentication Method of the Domains
To list all domains and their authentication methods:
Get-MgDomain | Select-Object Id, AuthenticationType
This command displays each domain’s ID and its authentication type (Managed or Federated).
✔️ Step 4: Convert a Federated Domain to a Managed
To convert a specific domain from federated to managed:
Update-MgDomain -DomainId "yourdomain.com" -AuthenticationType Managed
Replace "yourdomain.com" with the domain you wish to convert.
✔️ Step 5: Verify the Conversion
After conversion, verify that the domain’s authentication type is now managed:
Get-MgDomain -DomainId "yourdomain.com" | Select-Object Id, AuthenticationType
Ensure the AuthenticationType is now set to Managed.
Method 2: Using the MSOnline Module
In addition to using the Microsoft Graph PowerShell module, you can convert a federated domain to a managed domain using the MSOnline module. Here’s a step-by-step guide:
✔️ Step 1: Install the MSOnline Module
Run the following PowerShell command:
Install-Module MSOnline
✔️ Step 2: Connect to Microsoft Entra ID
Establish a connection to Microsoft Entra ID:
Import-Module MSOnline
Connect-MsolService
You’ll be prompted to enter your administrator (Global Admin) credentials.
✔️ Step 3: Check Current Authentication Method of Domains
To list all domains and their authentication methods:
Get-MsolDomain | Select-Object Name, Authentication
This command displays each domain’s name and its authentication type (Managed or Federated).
✔️ Step 4: Convert a Federated Domain to Managed
To convert a specific domain from federated to managed:
Set-MsolDomainAuthentication -DomainName "yourdomain.com" -Authentication Managed
Replace "yourdomain.com" with the domain you wish to convert.
✔️ Step 5: Verify the Conversion
After conversion, verify that the domain’s authentication type is now managed:
Get-MsolDomain -DomainName "yourdomain.com" | Select-Object Name, Authentication
It should now show that Authentication is set to Managed.
✅ Test sign-ins at https://myapps.microsoft.com or try accessing any app integrated with Entra ID.
✅ It should be authenticated through Entra ID. Check authentication logs in Microsoft Entra Sign-in Logs.
✔️ Step 6: Finally Remove ADFS Dependencies
- Disable ADFS Login for your domain.
- Decommission ADFS servers if not needed.
- Update login settings in Microsoft Entra ID.
Final Thoughts – Should You Move to a Managed Domain?
✅ Move to a Managed Domain if:
- You want faster, more secure, and cost-effective authentication.
- You aim to eliminate on-prem dependencies like ADFS.
- You want built-in security features like Microsoft Entra MFA and Conditional Access.
❌ Stay with Federated Domains if:
- You must use custom authentication rules via an external IdP.
- Compliance requires on-prem authentication policies.
Migrating from federated to managed authentication is a strategic move toward a cloud-first, secure identity solution, so it should be planned and executed carefully, as outlined in this guide.