Decommission on-prem federation servers

Implementation Effort: Medium – Federation infrastructure can be decommissioned after dependent applications and services are migrated, requiring targeted actions from infrastructure and identity teams.

User Impact: Low – Users are not directly impacted if application migration and cutover to Entra ID have already been completed.

Overview

Decommissioning on-premises federation servers, such as AD FS, after application migration is complete involves retiring infrastructure components no longer in use. This includes updating DNS records, removing federation trust configurations, and shutting down AD FS servers. With authentication duties fully transitioned to Microsoft Entra ID, this step helps eliminate legacy components that pose operational and security risks.

This activity supports the Zero Trust principle of Assume breach by reducing the attack surface—on-prem federation services are a common target for lateral movement and persistence by threat actors. It also improves security posture by ensuring authentication is centralized in Entra ID, where Conditional Access policies and monitoring can be uniformly applied, contributing to Verify explicitly.

If this step is skipped, organizations retain unnecessary legacy infrastructure, increasing their exposure to vulnerabilities and incurring ongoing maintenance costs for systems no longer serving a critical function.

Reference

• Active Directory Federation Services (AD FS) decommission guide
• AD FS Decommission Reference
• Migrate from federation to cloud authentication in Microsoft Entra ID
• AD FS to Microsoft Entra FAQ