Search
StarWind is a hyperconverged (HCI) vendor with focus on Enterprise ROBO, SMB & Edge

Decommission ADFS Office 365 After Migrating to Azure AD

  • October 28, 2021
  • 7 min read
Cloud and Virtualization Architect. Paolo is a System Engineer, VCP-DCV, vExpert, VMCE, Veeam Vanguard, and author of the virtualization blog nolabnoparty.com
Cloud and Virtualization Architect. Paolo is a System Engineer, VCP-DCV, vExpert, VMCE, Veeam Vanguard, and author of the virtualization blog nolabnoparty.com

ADFS

If the Azure-based AD authentication is fully working after migrating from ADFS, you need to decommission ADFS since it is no longer required in your network.

Before proceeding with the decommission procedure, you need to make sure that no services are still using ADFS.

Check the ADFS usage

Before proceeding with ADFS decommission, make sure the procedure to migrate ADFS to Azure AD has been completed and tested.

From the ADFS Server, open the ADFS Console and go to Service > Relying Party Trusts. Make sure the only Microsoft Office 365 identity Platform is listed. If other services are present, you need to dismiss them before proceeding with ADFS decommission. Microsoft Office 365 identity Platform is no longer used if you migrated to Azure AD authentication.

ADFS Console

Run the following command to check if the domain is no longer Federated but Managed instead. If you migrated to Azure AD authentication, the domain should be indicated as Managed.

Managed

Decommission ADFS

To decommission the ADFS infrastructure you need to perform two main tasks:

  • uninstall the WAP Server
  • uninstall the ADFS Server

Uninstall the WAP Server

Access the Remote Access Management Console and locate published applications. Delete any ADFS related items no longer used. Right-click the application to remove then select Remove.

Remote Access Management Console

The application has been removed.

The application has been removed

The Web Application Proxy can be now removed from the server. Open the Server Manager and select Managed > Remove Roles and Features.

Server Manager

Click Next.

Remove Roles and Features

Make sure Select a server from the server pool option is enabled then click Next.

Select a server from the server pool

Select Web Application Proxy and click Remove Features from the wizard.

Web Application Proxy

Ensure Web Application Proxy is unchecked then click Next.

Click Next

Uncheck RAS Connection Manager Administration Kit (CMAK) and click Next.

RAS Connection Manager Administration Kit (CMAK)

Click Remove.

Click Remove

The feature is being removed from the server.

Removal progress

Click Close and restart the server to complete the removal.

Restart the server

Since the WAP Server is no longer necessary it can be decommissioned.

Uninstall the ADFS Server

If you have multiple ADFS Servers, start to process the secondary nodes first. From the Server Manager, select Manage > Remove Roles and Features.

Remove Roles and Features

Click Next.

Click Next

Make sure Select a server from the server pool option is selected then click Next.

Select a server from the server pool

Uncheck Active Directory Federation Services role and click Next.

 Active Directory Federation Services

Uncheck Windows Internal Database feature and click Next.

Windows Internal Database

Enable Restart the destination server automatically if required and click Yes to confirm.

Restart the destination server automatically if required

Click Remove to uninstall selected items.

Click Remove

Features are removed from the server.

Features are removed from the server

The server reboots automatically. Login again and click Close to exit the wizard.

The server reboots automatically

To clean up the system, go to C:\Windows\WID\Data folder and delete all Adfs* files. Select the files to remove, right-click the selection then click Delete.

To clean up the system

 

Again, if the ADFS Server is no longer required you can safely decommission it.

Clean up the environment

Open Active Directory Users and Computers and expand Domain > Program Data > Microsoft item. You may need to enable Advanced from Action menu to display Program Data. Right-click ADFS and select Delete.

Active Directory Users and Computers

Click Yes to confirm.

Confirm Subtree Deletion

 

To finalize the cleanup process, make sure to remove the following:

  • Remove all the related ADFS entries from public and private DNS.
  • Remove the ADFS service account from Active Directory.
  • Remove Internet to WAP and WAP to ADFS firewall rules (TCP 443) and NAT settings.

The ADFS infrastructure has been decommissioned and all the authentication processes are managed directly in Azure AD.

Found Paolo’s article helpful? Looking for a reliable, high-performance, and cost-effective shared storage solution for your production cluster?
Dmytro Malynka
Dmytro Malynka StarWind Virtual SAN Product Manager
We’ve got you covered! StarWind Virtual SAN (VSAN) is specifically designed to provide highly-available shared storage for Hyper-V, vSphere, and KVM clusters. With StarWind VSAN, simplicity is key: utilize the local disks of your hypervisor hosts and create shared HA storage for your VMs. Interested in learning more? Book a short StarWind VSAN demo now and see it in action!