Migration from 1 IdP to another

Khezar Butt 5 Reputation points
2025-02-24T16:34:23.5666667+00:00

Hi All,

We recently migrated from one IdP to another and are having some trouble with seamless SSO. We have a hybrid environment with Entra Connect sync.

Issues we are noticing:

  • We seem to notice that users are not receiving the AzurePRT token from Entra ID and are unable to verify their credentials
  • This is also causing issues with device registration in Entra as it seems that although the device is being registered, because of the user not receiving the PRT token it is not completing correctly and enrolling into Intune.

What we did when we federated to new IdP:

  • Federated to the new IdP on a domain controller via PowerShell
  • Updated the Intranet zone via GPO
  • Reconfigured Entra Connect with new IdP

Do we need to do anything with the AzureADSSO account?

Do we need to include OIDC or SAML in the app registration in Microsoft Entra ID?

Do we need to update the decryption key for AzureADSSO account?

Any help on this will be greatly appreciated.


1 answer

  1. Goutam Pratti 1,830 Reputation points Microsoft Vendor
    2025-02-27T10:36:25.5033333+00:00

    Hello @Khezar Butt ,

    Thank you for reaching out to Microsoft Q&A.

    I understand that you recently migrated from one IdP to another and you are having some trouble with seamless SSO. You have a hybrid environment with Entra Connect sync.

    You noticed that users are not receiving the AzurePRT token from Entra ID and are unable to verify their credentials. If you suspect that a PRT problem exists, I recommend that you first collect Microsoft Entra logs, and follow the steps that are outlined in the troubleshooting checklist. For troubleshooting steps, please check the document: https://learn.microsoft.com/en-us/entra/identity/devices/troubleshoot-primary-refresh-token#troubleshooting-checklist

    As you mentioned that you migrated to another IdP: if it is a third-party identity provider, it needs to support the WS-Trust protocol to enable PRT issuance on Windows 10 or newer devices.


    Hope this helps. If you have any further questions or need additional assistance, please don’t hesitate to reach out.
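The troubleshooting checklist linked in the answer starts from the device-side state that `dsregcmd /status` reports. The following script is an added example, not code from the question, the answer or Microsoft: it parses that output (a constructed sample is embedded, with a placeholder tenant id) and flags the checklist items that fail, including the hybrid-joined-plus-federated case where the WS-Trust requirement from the answer applies. Field names are the ones `dsregcmd /status` prints; the wording of the findings is my own.

```python
import re
import sys

# Constructed sample of `dsregcmd /status` output (not a real capture) showing
# the state described in the question: hybrid-joined device, no Entra PRT.
SAMPLE_STATUS = """\
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : NO
       AzureAdPrtAuthority : https://login.microsoftonline.com/<tenant-id-placeholder>
             EnterprisePrt : NO
             WamDefaultSet : NO
"""


def parse_dsregcmd(text: str) -> dict:
    """Turn the 'Key : Value' lines of dsregcmd /status into a dict (section
    banners and separator lines are skipped)."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def prt_findings(fields: dict) -> list:
    """Return the PRT checklist items that fail for this device/user session."""
    findings = []
    if fields.get("AzureAdJoined") != "YES":
        findings.append("AzureAdJoined is not YES: device is not joined, so no PRT can be issued")
    if fields.get("AzureAdPrt") != "YES":
        findings.append("AzureAdPrt is NO: no Entra PRT for this user session")
        if fields.get("DomainJoined") == "YES":
            findings.append("hybrid join with federated sign-in: confirm the IdP supports WS-Trust")
    if fields.get("WamDefaultSet") != "YES":
        findings.append("WamDefaultSet is NO: signed-in user is not the WAM default account")
    return findings


if __name__ == "__main__":
    # Pipe real output in (`dsregcmd /status | python prt_check.py`) or run with no input
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATUS
    for finding in prt_findings(parse_dsregcmd(text)) or ["no PRT findings"]:
        print(finding)
```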
