Merge pull request #834 from vimrang/vimrang-stagedrollout
Update concept-certificate-based-authentication-migration.md
prmerger-automator[bot] authored Dec 13, 2023
2 parents cbfb115 + 4be7b5a commit 16da852
Showing 1 changed file with 9 additions and 4 deletions.
Expand Up @@ -24,7 +24,15 @@ This article explains how to migrate from running federated servers such as Acti

## Staged Rollout

[Staged Rollout](~/identity/hybrid/connect/how-to-connect-staged-rollout.md) helps customers transition from AD FS to Microsoft Entra ID by testing cloud authentication with selected groups of users before switching the entire tenant.
A tenant admin could cut the federated domain fully over to Entra ID CBA without pilot testing by enabling the CBA auth method in Entra ID and converting the entire domain to managed authentication. However if customer wants to test a small batch of users authenticate against Entra ID CBA before the full domain cutover to managed, they can make use of staged rollout feature.

[Staged Rollout](~/identity/hybrid/connect/how-to-connect-staged-rollout.md) for Certificate-based Authentication (CBA) helps customers transition from performing CBA at a federated IdP to Microsoft Entra ID by selectively moving small set of users to use CBA at Entra ID (no longer being redirected to the federated IdP) with selected groups of users before then converting the domain configuration in Entra ID from federated to managed. Staged rollout is not designed for the domain to remain federated for long periods of time or for large amounts of users.

Watch this quick video demonstrating the migration from ADFS certificate-based authentication to Microsoft Entra CBA
> [!VIDEO https://www.youtube.com/embed/jsKQxo-xGgA]
>[!NOTE]
> When Staged rollout is enabled for a user, the user is considered a managed user and all authentication will happen at Microsoft Entra ID. For a federated Tenant, if CBA is enabled on Staged Rollout, password authentication only works if PHS is enabled too otherwise password authentication will fail.
## Enable Staged Rollout for certificate-based authentication on your tenant

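Review bot: the `>[!NOTE]` callout that follows `> [!VIDEO https://www.youtube.com/embed/jsKQxo-xGgA]` has no blank line between the two blockquotes, so Markdown will fold the note into the video blockquote and the NOTE alert may not render; add a blank line before `>[!NOTE]` and another after the note text before the `## Enable Staged Rollout for certificate-based authentication on your tenant` heading. The same section now carries two near-identical definitions of Staged Rollout (the existing "[Staged Rollout] helps customers transition from AD FS..." paragraph and the new "[Staged Rollout] for Certificate-based Authentication (CBA) helps customers transition..." paragraph); if the second is meant to replace the first, the first should be deleted rather than left in place. The new sentence "However if customer wants to test a small batch of users authenticate against Entra ID CBA before the full domain cutover to managed, they can make use of staged rollout feature." needs articles and a gerund, for example "However, if a customer wants to test a small batch of users authenticating against Entra ID CBA before the full domain cutover to managed, they can use the Staged Rollout feature." Also "selectively moving small set of users" should read "a small set of users", the trailing "with selected groups of users" duplicates that phrase, and "ADFS" in the video lead-in should be "AD FS" to match the rest of the article.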
Expand All @@ -40,9 +48,6 @@ To configure Staged Rollout, follow these steps:

For more information, see [Staged Rollout](~/identity/hybrid/connect/how-to-connect-staged-rollout.md).

>[!NOTE]
> When Staged rollout is enabled for a user, the user is considered a managed user and all authentication will happen at Microsoft Entra ID. For a federated Tenant, if CBA is enabled on Staged Rollout, password authentication only works if PHS is enabled too otherwise password authentication will fail.
<a name='use-azure-ad-connect-to-update-certificateuserids-attribute'></a>

## Use Microsoft Entra Connect to update certificateUserIds attribute
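Review bot: this hunk removes the NOTE stating that for a federated tenant with CBA enabled in Staged Rollout, password authentication only works if PHS is also enabled; the same text was added to the conceptual "Staged Rollout" section in the first hunk, so it is a move rather than a loss, but the procedural "Enable Staged Rollout for certificate-based authentication on your tenant" steps that end with "For more information, see [Staged Rollout]..." no longer carry that caveat at the point where an admin actually configures the rollout. Consider keeping a one-line pointer here (for example, "See the note in the Staged Rollout section above about PHS and password authentication") so the dependency on PHS is not missed by readers who jump straight to the steps.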
