
Cloud user authentication in Entra ID

My previous employer used PingID, and it was also the federated identity provider for its Microsoft 365 services. Aside from the support and licensing costs (it required a team of specialists to manage) and the arrival of newer and better features in Entra ID, this would be a great opportunity, if I had the chance, to migrate away from PingID (and from other federated IdPs for that matter).

Just a series of thoughts (notes to myself) I would go through in such a hypothetical migration:

  • Enable PHS (password hash sync); don't use PTA (pass-through authentication). With an Entra ID P2 license, PHS is what makes the Entra ID Protection leaked-credentials detection work (it does not fire with PTA alone), and the resulting user risk can be used as a signal in a CAP (conditional access policy) to enforce a password change. PHS could also allow SSPR (self-service password reset) with password writeback, although I am on the fence on this one and would rather spend the effort on deploying passwordless SSO (like WHfB and Platform SSO for Macs).
  • In conjunction with PHS, roll out Seamless SSO.
  • Migrate from Entra Connect Sync to Entra Cloud Sync. The former is a single point of failure (one active server, at best a staging-mode standby); Cloud Sync stores its configuration in the cloud, and multiple lightweight agents can be installed on on-premises servers. Note to self: check whether this is compatible with staged rollout.
  • Deploy cloud Kerberos trust. There are two other WHfB trust models, key trust and certificate trust, but this one is simpler and easier (no PKI for the domain controllers, no user-key writeback to AD DS).
    1. Device registration (hybrid join), for an existing device or at OOBE. The user first signs in with username/password. The device finds the tenant via the SCP in AD DS and creates a self-signed certificate for AAD registration; the certificate is written to the device's userCertificate attribute in AD DS. Wait for AADC (Entra Connect) to sync userCertificate to AAD/DRS; the device polls AAD to check that it has arrived. The device then authenticates to AAD with the private key of that self-signed certificate and gets an ID token. It creates two key pairs in the TPM, the device key (dk) and the transport key (tk), and sends them to AAD in a CSR together with the ID token. AAD issues the device certificate, which the device stores in its certificate store, and after AADC's next sync AAD marks the device as hybrid-joined.
    2. Provisioning (WHfB / Platform SSO enrollment). The user sends credentials to AAD DRS and performs MFA; a DRS access token is returned. The user enrolls biometrics or a PIN plus gesture; the TPM/Secure Enclave creates the user key pair (uk) and sends uk-pub + access token + device info to AAD. AAD stores uk-pub + device info on the user object (its msDS-KeyCredentialLink entry) and returns a KeyID on success. Unlike key trust, cloud Kerberos trust does not need this key written back to AD DS.
    3. Authentication. PIN or gesture unlocks the TPM/Secure Enclave, and the client sends its WHfB / Platform SSO credential to AAD. AAD sends a nonce; the client signs it with uk-priv and returns it. AAD replies with a PRT, an encrypted session key and a partial TGT (issued by the Entra Kerberos server object for the user's on-premises domain). The client decrypts the session key and stores it in the TPM/Secure Enclave. When it has line of sight to a DC, the client uses DC locator to find one and exchanges the partial TGT for a full TGT.
  • Use a staged rollout with PHS + Seamless SSO. Hybrid-joined devices get a PRT and can authenticate to both cloud and on-premises resources; Entra-joined devices get a PRT and, with cloud Kerberos trust, a TGT for on-premises. Use klist and dsregcmd /status to verify. Use GPO (Site to Zone Assignment List) to put https://autologon.microsoftazuread-sso.com in the intranet zone. Set a monthly schedule to roll over the Kerberos decryption key of the AZUREADSSO computer account (Microsoft recommends at least every 30 days).
  • If possible, make UPN and email the same.
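The PHS / leaked-credentials point above, as an added example that is not part of the original post: a check on the Entra Connect server that PHS is actually on for the connector, followed by a report-only Conditional Access policy that requires MFA and a password change when Entra ID Protection raises high user risk. The connector name, the break-glass group id and the policy name are assumptions.

```powershell
# Added example, not from the original post. Assumed values: connector name,
# break-glass group id, policy display name.

# --- Entra Connect server: the leaked-credentials detection depends on PHS ---
Import-Module ADSync
$phs = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector "corp.example.com"   # assumed connector name
if (-not $phs.Enabled) {
    throw "PHS is off for this connector; enable it before building policy on user risk"
}

# --- Graph PowerShell: CA policy keyed on user risk ---
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$breakGlassGroupId = "<object-id-of-break-glass-group>"   # assumed; always exclude emergency accounts

$policy = @{
    displayName = "Risk-based: high user risk requires MFA and password change"
    state       = "enabledForReportingButNotEnforced"   # report-only first, flip to 'enabled' after review
    conditions  = @{
        userRiskLevels = @("high")                     # leaked credentials surface as high user risk
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
    }
    grantControls = @{
        operator        = "AND"                        # a password-change grant must be combined with MFA
        builtInControls = @("mfa", "passwordChange")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Leave the policy in report-only mode until the sign-in logs show it would only have hit the users you expect; the break-glass exclusion is what keeps a bad risk signal from locking out the tenant admins.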
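The server side of the cloud Kerberos trust flow above, as an added example (not the original post's content, and not Microsoft's own sample verbatim): create the Entra Kerberos server object in the AD DS domain so Entra ID can issue the partial TGT, verify that the on-premises and cloud key versions agree, switch clients to cloud trust, and rotate the server key on the same monthly cadence the post uses for AZUREADSSO. The domain name and admin UPN are assumptions; the policy registry value is the one the WHfB "Use cloud trust for on-premises authentication" GPO setting writes.

```powershell
# Added example, not from the original post. Assumed values: domain, admin UPN.
# Needs the AzureADHybridAuthenticationManagement module plus a Domain Admin credential.
Install-Module -Name AzureADHybridAuthenticationManagement -AllowClobber

$domain     = "corp.example.com"             # assumed on-premises AD DS domain
$cloudAdmin = "hybrid.admin@example.com"     # assumed Hybrid Identity Administrator UPN
$domainCred = Get-Credential -Message "Domain Admin for $domain"

# 1. Create the AzureADKerberos computer object (an RODC-style account) and the
#    krbtgt_AzureAD key in AD DS, and publish that key to Entra ID. This is what
#    lets Entra ID mint the partial TGT in step 3 of the authentication flow.
Set-AzureADKerberosServer -Domain $domain -UserPrincipalName $cloudAdmin -DomainCredential $domainCred

# 2. Both halves must agree, otherwise DCs reject the partial TGT.
$ks = Get-AzureADKerberosServer -Domain $domain -UserPrincipalName $cloudAdmin -DomainCredential $domainCred
if ($ks.KeyVersion -ne $ks.CloudKeyVersion) {
    Write-Warning "Key version mismatch: AD=$($ks.KeyVersion) Entra=$($ks.CloudKeyVersion); rerun Set-AzureADKerberosServer"
} else {
    Write-Host "Entra Kerberos server OK: $($ks.CloudDisplayName) key version $($ks.KeyVersion)"
}

# 3. Tell clients to use cloud trust. The GPO 'Use cloud trust for on-premises
#    authentication' writes this value; set it directly only on a lab machine,
#    use GPO or Intune in production.
$policyKey = "HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork"
New-Item -Path $policyKey -Force | Out-Null
Set-ItemProperty -Path $policyKey -Name "UseCloudTrustForOnPremAuth" -Value 1 -Type DWord

# 4. Scheduled rotation of the server key (monthly, like the AZUREADSSO key).
#    Only the krbtgt_AzureAD key changes; users' WHfB keys are untouched.
Set-AzureADKerberosServer -Domain $domain -UserPrincipalName $cloudAdmin -DomainCredential $domainCred -RotateServerKey
```

Run step 1 once per AD DS domain that has WHfB users; step 2 is worth keeping as a monitoring check, since a stale cloud key version is the usual reason a client gets a PRT but no usable TGT.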
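The staged-rollout bullet above, as an added example that is not part of the original post: the Seamless SSO key rollover on the Entra Connect server, and a client-side function that checks the things the post says to look at with dsregcmd and klist (PRT, intranet-zone entry for the autologon URL, the Seamless SSO service ticket, and the partial and full TGTs from cloud Kerberos trust). The domain name and the GPO zone-map registry path are assumptions.

```powershell
# Added example, not from the original post. Assumed values: domain name
# (corp.example.com) and the zone-map path written by the
# 'Site to Zone Assignment List' GPO.

# --- Entra Connect server: roll the AZUREADSSO Kerberos decryption key ---
Import-Module "$env:ProgramFiles\Microsoft Azure Active Directory Connect\AzureADSSO.psd1"
New-AzureADSSOAuthenticationContext             # prompts for a Hybrid Identity Administrator
Get-AzureADSSOStatus | ConvertFrom-Json         # forests/domains where Seamless SSO is enabled
$onPremCred = Get-Credential -Message "Domain Admin for corp.example.com (DOMAIN\user form)"
Update-AzureADSSOForest -OnPremCredentials $onPremCred -PreserveCustomPermissionsOnDesktopSsoAccount

# --- Client: did this user end up where the staged rollout should put them? ---
function Test-HybridSignInState {
    $status = dsregcmd /status
    $tix    = klist
    $zone   = "HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoftazuread-sso.com\autologon"

    [pscustomobject]@{
        AzureAdJoined     = ($status -match 'AzureAdJoined\s*:\s*YES').Count -gt 0
        DomainJoined      = ($status -match 'DomainJoined\s*:\s*YES').Count -gt 0
        HasPrt            = ($status -match 'AzureAdPrt\s*:\s*YES').Count -gt 0
        # Site-to-zone GPO writes https=1 under the autologon host; 1 = intranet zone
        AutologonInZone   = (Get-ItemProperty -Path $zone -Name https -ErrorAction SilentlyContinue).https -eq 1
        # Seamless SSO leaves a service ticket for the autologon endpoint after a cloud sign-in
        SeamlessSsoTicket = ($tix -match 'HTTP/autologon\.microsoftazuread-sso\.com').Count -gt 0
        # Cloud Kerberos trust: partial TGT from Entra ID, then a full TGT once a DC was reachable
        CloudPartialTgt   = ($tix -match 'krbtgt/KERBEROS\.MICROSOFTONLINE\.COM').Count -gt 0
        OnPremFullTgt     = ($tix -match 'krbtgt/CORP\.EXAMPLE\.COM').Count -gt 0
    }
}

Test-HybridSignInState | Format-List
```

A hybrid-joined device on the corporate network should report DomainJoined, HasPrt, AutologonInZone and, after opening a Microsoft 365 app, SeamlessSsoTicket; a cloud-Kerberos-trust user should additionally show CloudPartialTgt and, with line of sight to a DC, OnPremFullTgt. HasPrt false with everything else true usually means the device registration in step 1 of the cloud trust flow has not completed yet.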
