1. Home
  2. Guidance
  3. General Guidance
  4. Active Directory Federation Services (ADFS) to Microsoft Entra ID App Migration | Admin Guide
Searching...

Active Directory Federation Services (ADFS) to Microsoft Entra ID App Migration | Admin Guide

Contents

This article provides information to Local Administrators (LAs) and/or App Owners of organisations with App registered with ADFS for authentication and authorisation.

IMPORTANT NOTE: A series of communications will be sent out to App Owners appearing in our data to guide them in smooth migration. However, it is responsibility of each organisation to review their App and migrate to Microsoft Entra ID to utilise this window for extensive support.

A dedicated service support will be available to organisations between 6 March 2025 to 2 May 2025.

Overview

NHS.net Connect (formerly NHSmail) is undergoing a major digital transformation to modernise its infrastructure and enhance service delivery. This transformation includes several key workstreams aimed at optimising its hybrid environment.

The objective of this limited service is to provide support to those organisations with Apps registered in ADFS to migrate them into Microsoft Entra ID.

To support this process, a Microsoft Teams-based Message Bot will be introduced to help App owners with the migration, as well as a dedicated support via Helpdesk.

Why a Microsoft Teams Bot?

The introduction of the Bot is a strategic choice to enhance the efficiency and clarity of the migration process:

  • Automation: The Bot automates repetitive tasks such as App ownership verification, migration decision-making, and App registrations in Entra ID
  • Consistency and Accuracy: Standardised communication through the Bot ensures all App owners receive clear and uniform instructions, minimising miscommunication
  • Proactive Follow-Ups: The Bot sends reminders and status updates to keep the migration process on track, reducing the need for manual intervention from IT support teams
  • User-Friendly Experience: Delivering instructions and collecting information directly within Microsoft Teams allows users to engage easily and efficiently without switching platforms.

Timelines

As this is a limited service, Both the Chatbot and dedicated support via helpdesk will be available from 6 March 2025 to 2 May 2025.

How does it work?

App owners will receive a Bot message via Microsoft Teams; we encourage them to answer the basic questions when prompted:

1. Confirm the App ownership:

a. Select the Ownership button only if you are the owner of the App.

b. If you are not the owner, provide the correct owner to ensure a smooth transition.

c. If you’re unsure about the App owner, please select No in the ownership confirmation option and leave the email field blank.

2. Provide the ODS code for your App

NOTE: For Organisation’s details, including ODS codes, please contact a Local Administrator in your organisation or use the ODS Data Search tool: https://www.odsdatasearchandexport.nhs.uk/

3. Migration decision:

a. App owners must confirm whether they want to migrate the App to Microsoft Entra ID

b. If selected Yes, the Bot will proceed to create a new App registration in Microsoft Entra ID

c. If selected No, the App will be set as Out of Scope for this migration

4. Cutover change planning

a. Plan for an App cutover change following your organisation’s process

b. Please take in consideration any potential disruption to users/systems

c. Take note of existing ADFS App registration details in case a rollback is required

5. New App registration details:

a. A new App registration will be created in Microsoft Entra ID without any action needed by you

b. App owner will receive its registration details when successfully created in Microsoft Entra ID by the Bot, including:

      1. App name
      2. App URI & attributes
      3. App secret (if applicable)

c. Confirms the cutover date using the BOT

IMPORTANT NOTE: Save this information securely, as it will not be accessible in the chat once the form is submitted.

6. Cutover change execution

a. Proceed with the change using the new App registration details

b. Once completed, confirm back via the BOT the cutover change was implemented

NOTE: If the cutover change is delayed, the Bot will ask to choose a further cutover date – this is for tracking purposes only.

Key Process Steps

Step 1: App owners will receive a Bot message via Microsoft Teams – please read the message and App details and proceed to fill in the form:

 

 

  • Confirm whether you are the owner (Yes/No)
  • If you are not the owner, type in an @nhs.net email address of the correct owner
  • Confirm the App needs to be migrated from ADFS to Microsoft Entra ID (Yes/No)
  • Type in the ODS of your organisation for security checks
  • Click on Submit

Step 2:  Plan for an App cutover change following your organisation’s process, taking in consideration any potential disruption to users/systems. We strongly suggest retaining existing ADFS App registration details in case a rollback is required.

Step 3: App owners will receive another message with new App registration details in Microsoft Entra ID.

 

 

  • Take note of Entra ID App Name, App URI/ID, Attributes, App Secret and save them in a secure place (ie. vault)
  • Confirms the cutover date
  • Click on Submit

Step 4: Proceed with the cutover change using the new App registration details. Once completed, confirm back via the BOT the cutover change was implemented.

 

 

  • If the cutover is now completed, click on Complete
  • If the cutover is delayed, click on Delayed and provide a new Cutover date
  • If the cutover is still in progress, click on In Progress; please note App owners will receive another notification in 24hrs

FAQs

1. What happens if an App Owner does nott respond to the Bot messages?

The Bot will send reminders through Microsoft Teams messages prompting the App owner to take action.​

Action for App Owner: When the Bot message is received, please respond as soon as possible to avoid delays in the migration process.

2. What should an App owner do if they believe they are not the correct owner?

If an App owner receives a message for an App they do not own, they should use the dedicated field in the Bot message to provide the correct App owner’s details. This information will be sent to the IT team, who will redirect the message to the correct person.​

Action for App Owner: Fill out the field in the Bot message with the correct App owner’s details to ensure the message is properly redirected.​

3.Which ODS code should the Application Owner select in the response?

The Application Owner should provide the current ODS code in the BOT message, regardless of any future plans for its relocation or changes.

4. How long is the migration window for?

The migration window is open between  6 March 2025, until 2 May 2025. During this period, App Owner will receive Bot messages to initiate and complete the migration process.​

Action for App Owner: Plan your cutover activities within this migration window to avoid any service disruptions.​

5.What happens during the migration window?

During the migration window, the Microsoft Teams Bot will contact App Owners to start the migration. Once the App Owner has confirmed they are the correct owner, the App will be automatically registered in Microsoft Entra ID. The Bot will then prompt the App Owner to suggest a suitable Cutover date that has been agreed within the organisation. After completing the migration, the App Owner must confirm the migration status via the Bot.​

6.What happens when the migration window finishes?

If the organisation’s migration is not completed by 28 April 2025, the Bot will no longer send prompts, and the dedicated support will finish. There is a risk of service disruption if your App is not migrated on time.

Action for App Owner: Complete the migration before the deadline to avoid service disruptions.

7.What happens if the App owner registered in ADFS no longer works for the NHS anymore or is an Application Account?

If the registered App owner is no longer with the NHS, the Bot will still attempt to contact them. If there is no response, our Support resource will initiate a manual process to identify the new App owner and/or contact a Primary Administrator (PLA) in their organisation.

Action for App Owner: If you are an App owner but have not received a Bot message, please contact helpdesk@nhs.net to update the App ownership records.

8. How does an App Owner provide confirmation once migration is completed?

Once an App Owner has completed their migration then they can mark the migration as ‘Complete’ in the Bot

Action for App Owner: After completing the migration, ensure you confirm the migration status in the Bot.

9. How do I raise a ticket with NHSmail helpdesk?

If you are having issues that can’t be resolved using this guidance, please send an email to the NHS.net Connect helpdesk to raise an incident, attaching the below information:

  • Name and email address of the Local Administrator (LA)
  • Organisation and/or ODS code
  • App Name
  • App URI
  • Confirm if the App requires a certificate/secret
  • Any additional notes

Last Reviewed Date 13/03/2025
Updated on 13/03/2025
Tagged:

Related Articles

Need Support?
Can’t find the answer you’re looking for? Don’t worry we’re here to help!
Contact Support
back to top