Question

We want to migrate all of our users in SharePoint to ADFS. Our farm has 22 site collections. I have a script that uses Move-SPUser to migrate each user. We have over 7,000 accounts to migrate and I wanted to know exactly what this command is doing.

For instance, does it "replace" all the users in the user profile service and in all the site collection user information lists, as well as setting all the direct permissions and SP groups? Or, does it just "update" this information in the user information list (thereby maintaining the existing permissions), add the new profile to the UPS, then delete the old one?

Also, does the command hit every site collection in the web app or does something need to be done at each one?

[Edit: I verified that when you use Move-SPUser, the user account in all the user information lists (if it exists) of all site collections is updated to the new account.]

I am trying to determine our risk factor with migrating so many users at one time. If the command is executing all kinds of complicated logic all over in SharePoint, we might choose to do small blocks of users over a period of time so we can test them. We just didn't want users to have to select between NTLM and ADFS when they open SharePoint, and that would be the case temporarily until the migration is complete.

Lastly, is this command pretty reliable?

Any information is appreciated.


Solution

There are several "gotchas" with Move-SPUser, particularly when it comes to system accounts (object cache, search crawler, etc.). For user accounts, it is a fairly straightforward process. The big thing to nail down is "How is the user name changing?" in the associated claim from your STS (e.g. I was CONTOSO\Scott in the past, but now in AD FS my identifier claim is scott@contoso.com).

For several migrations in the past, I've gone with targeting the execution of Move-SPUser to subsets of users (filtering by a given OU in Active Directory or some other filter). A sample script would be:

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

$web = "https://www.contoso.com"
$windowsClaimPrefix = "i:0#.w|"
$acsClaimPrefix = "i:0e.t|acsidentifier|"
$domainPrefix = "contoso\"
$containerOU = "OU=Users,DC=contoso,DC=com"

Get-SPUser -Web $web -Limit All | 
ForEach-Object { 
    if ($_.UserLogin.ToString().Contains($windowsClaimPrefix)) { 
        $currentSPLogin = $_.UserLogin.ToString().Replace($windowsClaimPrefix,"").Replace($domainPrefix,"")
        if ($_.Email.Length -gt 0) {
            # Capture the address first: an AD -Filter script block cannot dereference $_.Email
            $mail = $_.Email
            $user = Get-ADUser -Filter { mail -eq $mail } -SearchBase $containerOU
            if ($user) {  
                $newUserAlias = $acsClaimPrefix + $user.UserPrincipalName
                Write-Output "Login: $($_.UserLogin)/UPN: $($user.UserPrincipalName)/New Alias:$($newUserAlias)"
                $_ | Move-SPUser -NewAlias $newUserAlias -IgnoreSID -Confirm:$false
            }
        }
    }
}

Don't forget you'll most likely need to migrate groups as well.
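An added dry-run variant of the approach above (example code written for this page, not the answer's own script): it builds the old-login to new-alias table for one site collection, flags every user that cannot be mapped cleanly (no e-mail, no AD match, more than one AD match), and only calls Move-SPUser for the "Ready" rows when -Commit is given, so a small batch can be reviewed before anything changes. The function name, the `adfs` provider name in the claim prefix and the OU are assumptions; use the prefix your farm's Get-SPTrustedIdentityTokenIssuer reports.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

function Get-SPUserMigrationPlan {
    # Hypothetical helper: one row per Windows-claims user, nothing is changed without -Commit.
    param(
        [Parameter(Mandatory)] [string] $SiteUrl,
        [Parameter(Mandatory)] [string] $TrustedClaimPrefix,   # e.g. "i:0e.t|adfs|" (assumed provider name)
        [string] $SearchBase = "OU=Users,DC=contoso,DC=com",    # assumed OU
        [switch] $Commit
    )
    $windowsClaimPrefix = "i:0#.w|"

    Get-SPUser -Web $SiteUrl -Limit All |
      Where-Object { $_.UserLogin.StartsWith($windowsClaimPrefix) } |
      ForEach-Object {
        $spUser = $_
        $row = [pscustomobject]@{
            OldLogin = $spUser.UserLogin; Email = $spUser.Email
            NewAlias = $null; Status = "Unknown"; Detail = ""
        }
        if ([string]::IsNullOrWhiteSpace($spUser.Email)) {
            $row.Status = "NoEmail"
        } else {
            # Expand the address into the filter string; escape single quotes for the AD filter syntax.
            $email = $spUser.Email.Replace("'", "''")
            $adUsers = @(Get-ADUser -Filter "mail -eq '$email'" -SearchBase $SearchBase)
            switch ($adUsers.Count) {
                0 { $row.Status = "NoADMatch" }
                1 { $row.NewAlias = $TrustedClaimPrefix + $adUsers[0].UserPrincipalName; $row.Status = "Ready" }
                default { $row.Status = "Ambiguous"; $row.Detail = ($adUsers.SamAccountName -join ";") }
            }
        }
        if ($Commit -and $row.Status -eq "Ready") {
            try {
                $spUser | Move-SPUser -NewAlias $row.NewAlias -IgnoreSID -Confirm:$false -ErrorAction Stop
                $row.Status = "Migrated"
            } catch { $row.Status = "Failed"; $row.Detail = $_.Exception.Message }
        }
        $row
      }
}

# Dry run: review the CSV, then re-run the same call with -Commit for a small batch.
Get-SPUserMigrationPlan -SiteUrl "https://www.contoso.com" -TrustedClaimPrefix "i:0e.t|adfs|" |
    Export-Csv -Path .\migration-plan.csv -NoTypeInformation
```

Because Move-SPUser updates the account across the web application, run the dry run on one site collection per web application rather than on all 22 to get the picture without duplicating rows.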

Licensed under: CC-BY-SA with attribution
Not affiliated with sharepoint.stackexchange