Federated identity management using Active Directory Federation Services
- After converting the domain from federated to managed, Staged Rollout is no longer needed and should be removed as part of cleanup. Guidance for MFA Server migration explicitly calls out converting federated domains to managed and removing the Staged Rollout configuration so new users use cloud authentication without needing to be added to migration groups.
  “You should now convert your federated domains in Microsoft Entra ID to managed and remove the Staged Rollout configuration. This conversion ensures new users use cloud authentication without being added to the migration groups.”
- Staged Rollout is designed only as a temporary testing mechanism, not as a permanent coexistence model. Leaving users/groups in Staged Rollout after the domain is fully managed is not supported as a long‑term configuration and can lead to unexpected authentication flows or failures, especially once the federated IdP (AD FS) is decommissioned.
  “Staged rollout is not designed to be a permanent configuration… Continuing to use staged rollout after migrating to managed authentication without a federated IdP in place can lead to unexpected authentication failures and degraded user experiences.”
  “We don't recommend using a permanent mixed state, because this approach could lead to unexpected authentication flows.”
- Impact of removing users/groups from Staged Rollout on sessions and reauthentication:
  - During normal Staged Rollout operation (while the domain is still federated), when a user is removed from a Staged Rollout group, they continue to use managed authentication until they complete one more interactive sign‑in; after that, federation is re‑applied for future logins. This transition does not invalidate existing tokens immediately; it only changes which IdP is used on the next interactive sign‑in.
    “When a user is removed from the SR group… they will continue to use managed authentication until they complete one more interactive sign-in. After that, federation is re-applied and future logins will redirect to the federated identity provider.”
  - After the domain is converted to managed, there is no longer a federated path to return to. Removing users/groups from Staged Rollout at that point does not introduce a new IdP or switch authentication from managed back to federated; authentication is already fully managed. Existing sessions and tokens continue to follow their normal lifetimes and Conditional Access/session policies. The documentation does not indicate any special token invalidation or forced sign‑out behavior tied specifically to Staged Rollout group removal in a fully managed state.
- Recommended cleanup pattern:
  - Complete testing with Staged Rollout while the domain is still federated.
  - Convert the domain to managed authentication.
  - Leave Staged Rollout in place for a short period (24–48 hours) only if needed as part of rollback planning.
  - Once confident no rollback is required and AD FS is being decommissioned, remove users/groups from Staged Rollout and turn it off.
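The cleanup steps above, written as an added PowerShell example (not code from the page or from Microsoft's documentation). It uses the Microsoft Graph PowerShell SDK: `Get-MgDomain` to confirm the domain's `AuthenticationType` is already `Managed` before anything is touched, then `Get-MgPolicyFeatureRolloutPolicy`, `Get-MgPolicyFeatureRolloutPolicyApplyTo`, `Remove-MgPolicyFeatureRolloutPolicyApplyToByRef` and `Update-MgPolicyFeatureRolloutPolicy` to list, detach and disable the Staged Rollout (feature rollout) policies. The cmdlet names, parameter names and the `Domain.Read.All` / `Policy.ReadWrite.FeatureRollout` scopes are assumptions based on the current SDK; verify them against your installed module version. The domain name is a placeholder, and the script is report-only unless `-Remove` is passed.

```powershell
#Requires -Modules Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Identity.SignIns
<#
  Staged Rollout cleanup after converting a domain to managed authentication.
  Added example; assumes the Microsoft Graph PowerShell SDK cmdlets named below.
  Run without -Remove first to see what would be changed.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $DomainName,   # placeholder, e.g. 'contoso.example'
    [switch] $Remove                               # without this switch the script only reports
)

# Scopes are an assumption; adjust if your tenant uses different permission grants.
Connect-MgGraph -Scopes 'Domain.Read.All', 'Policy.ReadWrite.FeatureRollout' -NoWelcome

# Step 1: gate on the domain already being managed. Removing groups while the
# domain is still federated would send those users back to AD FS at their next
# interactive sign-in, which is the opposite of the intended cleanup.
$domain = Get-MgDomain -DomainId $DomainName
if ($domain.AuthenticationType -ne 'Managed') {
    throw "Domain '$DomainName' is '$($domain.AuthenticationType)', not 'Managed'. Convert it to managed authentication before removing Staged Rollout."
}
Write-Host "Domain '$DomainName' is managed; safe to remove Staged Rollout."

# Step 2: enumerate every feature rollout policy (PHS, PTA, seamless SSO, ...)
# together with the users/groups it still applies to.
$policies = Get-MgPolicyFeatureRolloutPolicy -All
if (-not $policies) {
    Write-Host 'No Staged Rollout policies found; nothing to clean up.'
    return
}

foreach ($policy in $policies) {
    $targets = @(Get-MgPolicyFeatureRolloutPolicyApplyTo -FeatureRolloutPolicyId $policy.Id -All)
    Write-Host ("Policy '{0}' feature={1} enabled={2} targets={3}" -f `
        $policy.DisplayName, $policy.Feature, $policy.IsEnabled, $targets.Count)
    foreach ($t in $targets) {
        Write-Host ("  applies to: {0}" -f $t.Id)
    }

    if (-not $Remove) { continue }

    # Step 3: detach each user/group, then disable the policy itself. In a fully
    # managed domain this changes no IdP; it only removes the temporary config.
    foreach ($t in $targets) {
        if ($PSCmdlet.ShouldProcess("$($policy.DisplayName) -> $($t.Id)", 'Remove Staged Rollout target')) {
            Remove-MgPolicyFeatureRolloutPolicyApplyToByRef -FeatureRolloutPolicyId $policy.Id -DirectoryObjectId $t.Id
        }
    }
    if ($PSCmdlet.ShouldProcess($policy.DisplayName, 'Disable Staged Rollout policy')) {
        Update-MgPolicyFeatureRolloutPolicy -FeatureRolloutPolicyId $policy.Id -IsEnabled:$false
    }
}
```

Run it first as `.\Cleanup-StagedRollout.ps1 -DomainName contoso.example` to get an inventory, then with `-Remove -WhatIf` to preview, and finally with `-Remove` once the rollback window has passed and AD FS decommissioning is under way. The hard stop on `AuthenticationType` is the important part: it encodes the page's caveat that group removal only behaves as a no-op for users once there is no federated path left to fall back to.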
References:
- Migrate to cloud authentication using Staged Rollout
- Migrate to Microsoft Entra multifactor authentication and Microsoft Entra user authentication
- Best practices to migrate applications and authentication to Microsoft Entra ID
- Active Directory Federation Server to Microsoft Entra FAQ
- Migrate from federation to Microsoft Entra certificate-based authentication (CBA)