Decommission ADFS Office 365 after migrating to Azure AD


Once Azure AD authentication is fully working after the migration from ADFS, you should decommission ADFS, since it is no longer required in your network.

Before starting the decommission procedure, make sure that no services are still relying on ADFS.


Check the ADFS usage

Before decommissioning ADFS, make sure the procedure to migrate from ADFS to Azure AD has been completed and tested.

From the ADFS server, open the ADFS console and go to Service > Relying Party Trusts. Make sure that Microsoft Office 365 Identity Platform is the only entry listed. If other relying parties are present, you need to retire them before decommissioning ADFS. The Microsoft Office 365 Identity Platform trust itself is no longer used once you have migrated to Azure AD authentication.


Run the following command to check that the domain is no longer Federated but Managed. If you migrated to Azure AD authentication, the domain should be reported as Managed.
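As an added example (not code from the original article), both checks above can be scripted in PowerShell. The first function runs on the ADFS server with the ADFS module; the second runs from any machine with the MSOnline module (the Microsoft Graph equivalent is noted in a comment). The domain name is a placeholder, and the bottom section assumes both modules are present on the host where it runs.

```powershell
# Added example, not part of the original article.
# Pre-decommission checks for ADFS. The domain name below is a placeholder.

# Runs on the ADFS server: returns relying party trusts other than the
# Office 365 one. An empty result means ADFS serves no other application.
function Get-OtherAdfsRelyingPartyTrusts {
    Import-Module ADFS -ErrorAction Stop
    Get-AdfsRelyingPartyTrust |
        Where-Object { $_.Name -notlike "Microsoft Office 365*" } |
        Select-Object Name, Identifier, Enabled
}

# Runs from any machine with the MSOnline module: returns $true when the
# domain is Managed (cloud authentication) rather than Federated (ADFS).
function Test-DomainIsManaged {
    param([Parameter(Mandatory)][string]$DomainName)
    Import-Module MSOnline -ErrorAction Stop
    Connect-MsolService            # prompts for tenant admin credentials
    $domain = Get-MsolDomain -DomainName $DomainName
    # Microsoft Graph PowerShell equivalent:
    #   Connect-MgGraph -Scopes "Domain.Read.All"
    #   (Get-MgDomain -DomainId $DomainName).AuthenticationType
    Write-Host "$DomainName authentication type: $($domain.Authentication)"
    return ($domain.Authentication -eq "Managed")
}

$DomainName = "contoso.example"   # placeholder: your federated domain

$others = Get-OtherAdfsRelyingPartyTrusts
if ($others) {
    Write-Warning "ADFS still serves relying parties other than Office 365; retire them first:"
    $others | Format-Table -AutoSize
}

if (-not (Test-DomainIsManaged -DomainName $DomainName)) {
    Write-Warning "$DomainName is still Federated; complete the migration before decommissioning ADFS."
} elseif (-not $others) {
    Write-Host "Checks passed: only Office 365 is listed and $DomainName is Managed."
}
```

Both conditions should hold before you continue: an empty list of other relying parties, and a Managed authentication type for every domain that used to be federated.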



Decommission ADFS

To decommission the ADFS infrastructure you need to perform two main tasks:

  • uninstall the WAP Server
  • uninstall the ADFS Server


Uninstall the WAP Server

Open the Remote Access Management Console and locate the published applications. Delete any ADFS-related items that are no longer used: right-click the application to remove, then select Remove.


The application has been removed.
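The same removal can be done from PowerShell on the WAP server. This is an added example, not the article's own code: it assumes the ADFS-related published applications contain "ADFS" in their name (adjust the pattern to what your console shows) and uses the WebApplicationProxy module's cmdlets.

```powershell
# Added example, not part of the original article.
# Removes ADFS-related published applications from a WAP server, then
# (optionally) uninstalls the Web Application Proxy role. Run on the WAP server.

Import-Module WebApplicationProxy -ErrorAction Stop

# Returns published applications whose name matches the pattern (assumed
# naming convention; adjust to what the console shows).
function Get-AdfsPublishedApplications {
    param([string]$NamePattern = "*ADFS*")
    Get-WebApplicationProxyApplication |
        Where-Object { $_.Name -like $NamePattern } |
        Select-Object Name, ExternalUrl, BackendServerUrl
}

# Removes each matching application; -WhatIf shows what would be removed.
function Remove-AdfsPublishedApplications {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$NamePattern = "*ADFS*")
    foreach ($app in Get-AdfsPublishedApplications -NamePattern $NamePattern) {
        if ($PSCmdlet.ShouldProcess($app.Name, "Remove published application")) {
            Remove-WebApplicationProxyApplication -Name $app.Name
        }
    }
}

# Inventory first, so nothing still in use is removed by accident.
Get-WebApplicationProxyApplication | Select-Object Name, ExternalUrl | Format-Table -AutoSize

# Preview, then run without -WhatIf once the list looks right.
Remove-AdfsPublishedApplications -WhatIf
# Remove-AdfsPublishedApplications

# Once no applications remain, the WAP role itself can be removed
# (the ADFS server's counterpart is the "ADFS-Federation" feature).
if (-not (Get-WebApplicationProxyApplication)) {
    Uninstall-WindowsFeature -Name Web-Application-Proxy -WhatIf
}
```

Keep the -WhatIf switches in place until the inventory shows only the entries you expect; the role uninstall at the end is the "uninstall the WAP Server" task from the list above.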


This article was written for the StarWind blog, where it can be found in full. It covers the complete procedure to decommission ADFS for Office 365 after migrating to Azure AD.


Clean up the environment

Open Active Directory Users and Computers and expand Domain > Program Data > Microsoft. You may need to enable Advanced from the Action menu to display Program Data. Right-click ADFS and select Delete.


Click Yes to confirm.


To finalize the cleanup, also remove the following:

  • all ADFS-related entries from public and private DNS
  • the ADFS service account from Active Directory
  • the Internet-to-WAP and WAP-to-ADFS firewall rules (TCP 443) and the related NAT settings
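As an added example (not part of the original article), the following script reports anything from the cleanup list, and the ADFS container from the previous step, that is still present. The zone, host label and service account name are placeholders; it assumes a domain-joined admin host with the ActiveDirectory and DnsServer RSAT modules. Perimeter firewall and NAT rules live on the network device and must be checked there; only the local Windows firewall is inspected here.

```powershell
# Added example, not part of the original article.
# Reports ADFS leftovers after cleanup. All three names below are placeholders.
# Run on a domain-joined admin host with the ActiveDirectory and DnsServer
# modules (RSAT). Perimeter firewall/NAT rules must be checked on the network
# device; only the Windows firewall is inspected here.

Import-Module ActiveDirectory, DnsServer -ErrorAction Stop

$DnsZone        = "contoso.example"   # placeholder: your public/private zone
$AdfsHostName   = "adfs"              # placeholder: federation service host label
$ServiceAccount = "svc-adfs"          # placeholder: ADFS service account name

# DNS records whose name or CNAME target still refers to the ADFS host.
function Find-AdfsDnsRecords {
    Get-DnsServerResourceRecord -ZoneName $DnsZone | Where-Object {
        $_.HostName -like "$AdfsHostName*" -or
        ($_.RecordType -eq "CNAME" -and $_.RecordData.HostNameAlias -like "$AdfsHostName.*")
    } | Select-Object HostName, RecordType, @{ n = "Data"; e = { $_.RecordData } }
}

# The ADFS service account (a user, or a gMSA whose sAMAccountName ends in '$').
function Find-AdfsServiceAccount {
    Get-ADObject -Filter "sAMAccountName -like '$ServiceAccount*'" -Properties sAMAccountName |
        Select-Object Name, ObjectClass, DistinguishedName
}

# The CN=ADFS container under Program Data that the console step deletes.
function Test-AdfsContainerExists {
    $dn = "CN=ADFS,CN=Microsoft,CN=Program Data," + (Get-ADDomain).DistinguishedName
    try { [bool](Get-ADObject -Identity $dn -ErrorAction Stop) } catch { $false }
}

# Local Windows firewall rules on TCP 443 whose name refers to ADFS or WAP.
function Find-AdfsFirewallRules {
    Get-NetFirewallRule | Where-Object { $_.DisplayName -match "ADFS|WAP|Federation" } |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains "443" } |
        Select-Object DisplayName, Direction, Enabled
}

$dns  = Find-AdfsDnsRecords
$acct = Find-AdfsServiceAccount
$cont = Test-AdfsContainerExists
$fw   = Find-AdfsFirewallRules

if ($dns)  { Write-Warning "DNS records still reference ADFS:";          $dns  | Format-Table -AutoSize }
if ($acct) { Write-Warning "ADFS service account still exists:";         $acct | Format-Table -AutoSize }
if ($cont) { Write-Warning "CN=ADFS container still present under Program Data." }
if ($fw)   { Write-Warning "Firewall rules for ADFS/WAP still present:"; $fw   | Format-Table -AutoSize }
if (-not ($dns -or $acct -or $cont -or $fw)) { Write-Host "No ADFS leftovers found." }
```

The script only reads; it is meant as a final check that every item on the list above was actually removed, and its output for the public DNS zone will differ if that zone is hosted outside your internal DNS servers.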

The ADFS infrastructure has now been decommissioned, and all authentication is handled directly by Azure AD.

Read the full article on the StarWind blog.