Published Sept. 22, 2023
This article explains how to use Azure Active Directory Staged Rollout with your MTR resource account. This applies to resource accounts used for Teams Rooms on Android and Teams Rooms on Windows devices.
Scenario: Your company does not want to create ‘cloud only’ accounts, or .onmicrosoft.com accounts. They want all accounts to be created onprem in Active Directory and then synchronized to the cloud. This allows you to maintain full control of the account in onprem Active Directory.
Goal: You want to follow Microsoft’s guidance. You need the MTR account to bypass all onprem identity solutions, such as Active Directory Federation Services (ADFS) or third-party identity solutions that provide the same functionality. The MTR account should authenticate directly to Azure AD, the same way a ‘cloud only’ account does.
Solution: Configure Staged Rollout of Cloud Authentication. This configuration achieves the goal of Microsoft’s recommendation: a ‘cloud only’ account authenticates the same way as an on-premises synced account that is configured for Staged Rollout.
1. Your Azure AD Connect (now called Entra Connect) server must be configured to use Password Hash Sync.
2. Your Azure Active Directory tenant must be configured for Staged Rollout, which allows selected accounts to authenticate directly to Azure AD if they are members of the Azure AD group associated with the rollout.
For more information on the configuration steps, watch this video: How to configure staged rollout in Azure Active Directory
Unsure? If you are not sure whether you need to do this, you can check your MTR account with the PowerShell cmdlet below. Your deployment engineer or admin may have modified your synchronized MTR account and turned it into a true ‘cloud only’ account by removing the ImmutableId.
To check the status of your MTR account, run ‘Get-MsolUser -UserPrincipalName user@domain.com | fl’ and look for the ImmutableId. If the ImmutableId is present, the account is still being synchronized from onprem AD using Azure AD Connect, so it is NOT a ‘cloud only’ account. It also means that onprem AD is still in full control of the account, and any changes made to it in AD will be synced up to the cloud via Azure AD Connect.
If the ImmutableId is not present, the account has been turned into a true ‘cloud only’ account and you do not need to add it to a Staged Rollout group.
Testing and Troubleshooting:
After you have implemented Staged Rollout of Cloud Authentication, this is how you test it to make sure it is working.
- Check the federation status of the MTR resource account using this URL; the response shows that the account is bypassing ADFS and authenticating directly to Azure AD: https://login.microsoftonline.com/common/UserRealm?api-version=1.0&user=avaya1@sfbteams.com
- To be sure, test a similar URL using your own account or a fake account with the same domain suffix: https://login.microsoftonline.com/common/UserRealm?api-version=1.0&user=user@sfbteams.com. The response shows that other accounts using that domain suffix are still being routed through ADFS for authentication.
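The ImmutableId check above and the UserRealm test can be combined into one script that reports both facts for an account. This is an added example, not code from the original article; it assumes the MSOnline module is installed, Connect-MsolService has already been run, and that the UserRealm endpoint returns an account_type of ‘Managed’ for cloud authentication and ‘Federated’ when the sign-in is redirected to an on-prem IdP. The UPN is a placeholder.

```powershell
# Added example: verify whether an MTR resource account is synced from on-prem AD
# and whether Azure AD routes its sign-in to the cloud or to a federated IdP.
param(
    [Parameter(Mandatory = $true)]
    [string]$UserPrincipalName   # e.g. mtr-room1@example.com (placeholder)
)

# 1. ImmutableId check: a populated ImmutableId means Azure AD Connect still
#    owns the object, so this is NOT a 'cloud only' account.
$user = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop
$isSynced = -not [string]::IsNullOrEmpty($user.ImmutableId)

# 2. UserRealm check: the same endpoint the article tests in a browser.
#    account_type 'Managed' = direct Azure AD authentication (PHS / Staged Rollout),
#    'Federated' = redirected to ADFS or another on-prem identity provider.
$encodedUpn = [uri]::EscapeDataString($UserPrincipalName)
$realmUri = "https://login.microsoftonline.com/common/UserRealm?api-version=1.0&user=$encodedUpn"
$realm = Invoke-RestMethod -Uri $realmUri -Method Get

# 3. Combine both facts into a verdict an admin can act on.
if (-not $isSynced) {
    $verdict = "Cloud only account: no Staged Rollout group membership needed"
}
elseif ($realm.account_type -eq 'Managed') {
    $verdict = "Synced account authenticating directly to Azure AD: Staged Rollout is working"
}
else {
    $verdict = "Synced account still routed to the on-prem IdP: add it to the Staged Rollout group"
}

[pscustomobject]@{
    UserPrincipalName = $UserPrincipalName
    SyncedFromOnPrem  = $isSynced
    AccountType       = $realm.account_type
    FederationUrl     = $realm.federation_active_auth_url   # $null for Managed accounts
    Verdict           = $verdict
}
```

Run it for the MTR account and then for a regular user in the same domain; the two AccountType values should differ if only the MTR account is in the Staged Rollout group.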
Microsoft’s guidance for onprem Active Directory accounts used with MTRs does not address this directly. However, onprem AD accounts that are synchronized to the cloud are supported per this document: https://learn.microsoft.com/en-us/microsoftteams/rooms/create-resource-account?tabs=m365-admin-center%2Cactive-directory1-password
NOTE: This has not been tested in GCC, GCC-H or DOD tenants. It is unknown if it will work in those environments.