### Create Custom Migration Ready Applications Function Source: https://github.com/azuread/deployment-plans/blob/master/_autodocs/module-overview.md An example of extending the module by creating a custom function. This function filters the test results to only include applications that are ready for migration (ResultType::Pass). ```powershell function Get-MigrationReadyApplications { param([string]$RPXMLDirectory) $results = Test-ADFS2AADOnPremRPTrustSet -RPXMLFileDirectory $RPXMLDirectory $results | Where-Object { $_.Result -eq [ResultType]::Pass } } ``` -------------------------------- ### Define Test Functions for Migration Source: https://github.com/azuread/deployment-plans/blob/master/_autodocs/helper-functions.md Defines an array of test function names to be executed. This example shows a partial list, with a note indicating that 14 more functions are included in the full set. Ensure all function names are valid and exported, and that each function accepts a single -ADFSRelyingPartyTrust parameter and returns a MigrationTestResult object. ```powershell $functionsToRun = @( "Test-ADFSRPAdditionalAuthenticationRules", "Test-ADFSRPAdditionalWSFedEndpoint", "Test-ADFSRPAllowedAuthenticationClassReferences", # ... 14 more test functions ... "Test-ADFSRPEncryptedNameIdRequired" ) ``` -------------------------------- ### Send ADFS Analysis Results to Monitoring System with PowerShell Source: https://github.com/azuread/deployment-plans/blob/master/_autodocs/usage-examples.md Analyze all RP trusts and format the results into JSON for sending to a monitoring system API. This example demonstrates data formatting for systems like Datadog or New Relic. ```powershell # Analyze all trusts $results = Test-ADFS2AADOnPremRPTrustSet -RPXMLFileDirectory "C:\ADFS\apps" # Format for your monitoring system (example: Datadog, New Relic, etc.) foreach($result in $results) { $data = @{ application = $result.'RP Name' migration_status = $result.Result signed_saml = $result.'Test-ADFSRPSignedSamlRequestsRequired' custom_lifetime = $result.'Test-ADFSRPTokenLifetime' timestamp = Get-Date -Format 'o' } | ConvertTo-Json # Send to API endpoint # Invoke-RestMethod -Uri "https://monitoring/api/adfs" -Body $data -Method Post } ``` -------------------------------- ### Performance Monitoring with PowerShell Source: https://github.com/azuread/deployment-plans/blob/master/_autodocs/usage-examples.md Measure the performance of ADFS to AAD on-premises RP trust analysis by recording start and end times and calculating the rate of analysis. ```powershell $startTime = Get-Date $results = Test-ADFS2AADOnPremRPTrustSet -RPXMLFileDirectory "C:\ADFS\apps" -Verbose $duration = (Get-Date) - $startTime $appsPerSecond = $results.Count / $duration.TotalSeconds Write-Host "Analysis completed in $($duration.TotalMinutes) minutes" Write-Host "Rate: $([math]::Round($appsPerSecond, 2)) apps/second" ``` -------------------------------- ### Test Single Relying Party Trust Source: https://github.com/azuread/deployment-plans/blob/master/_autodocs/api-reference-test-single-rp.md This snippet shows how to import the necessary module, retrieve a specific relying party trust by name, test it using `Test-ADFS2AADOnPremRPTrust`, and view the overall and specific test results. It also includes an example of exporting the results to a CSV file and testing from a previously exported XML file. ```powershell # Import the module Import-Module .\ADFSAADMigrationUtils.psm1 # Test a single relying party trust from the live ADFS server $trust = Get-AdfsRelyingPartyTrust -Name "MyApplication" $result = Test-ADFS2AADOnPremRPTrust -ADFSRPTrust $trust # View the overall result $result.Result # Returns: Pass, Warning, or Fail # View specific test results $result.'Test-ADFSRPSignedSamlRequestsRequired' # Fails if app requires signed SAML requests $result.'Test-ADFSRPEncryptClaims' # Fails if claims encryption is enabled # Export results to CSV for analysis $result | Export-Csv -Path "migration_analysis.csv" # Or test from previously exported XML file $trust = Import-Clixml -Path "C:\ADFS\apps\RPT - MyApplication.xml" $result = Test-ADFS2AADOnPremRPTrust -ADFSRPTrust $trust ``` -------------------------------- ### Setting Migration Test Result in PowerShell Source: https://github.com/azuread/deployment-plans/blob/master/_autodocs/types.md Example of how to instantiate a MigrationTestResult object and set its Result property to Fail in PowerShell. This is used within test functions to indicate migration compatibility issues. ```powershell $testResult = New-Object MigrationTestResult $testResult.Result = [ResultType]::Fail $testResult.Message = "SAML request signing is required, which is not supported by Azure AD" ``` -------------------------------- ### Generate Summary Statistics for Migration Readiness Source: https://github.com/azuread/deployment-plans/blob/master/_autodocs/usage-examples.md This script provides a summary of migration readiness by counting applications in 'Pass', 'Warning', and 'Fail' states, along with their percentages. It also lists the counts of applications failing specific blocking issues. ```powershell $results = Test-ADFS2AADOnPremRPTrustSet -RPXMLFileDirectory "C:\ADFS\apps" # Count by status $pass = ($results | Where-Object { $_.Result -eq [ResultType]::Pass }).Count $warning = ($results | Where-Object { $_.Result -eq [ResultType]::Warning }).Count $fail = ($results | Where-Object { $_.Result -eq [ResultType]::Fail }).Count $total = $results.Count Write-Host "Migration Readiness Summary:" Write-Host " Pass: $pass ($([math]::Round($pass/$total*100, 1))%)" Write-Host " Warning: $warning ($([math]::Round($warning/$total*100, 1))%)" Write-Host " Fail: $fail ($([math]::Round($fail/$total*100, 1))%)" Write-Host " Total: $total" # Show top blocking issues $blockingIssues = @( 'Test-ADFSRPSignedSamlRequestsRequired', 'Test-ADFSRPTokenLifetime', 'Test-ADFSRPAlwaysRequireAuthentication', 'Test-ADFSRPAdditionalWSFedEndpoint' ) foreach($issue in $blockingIssues) { $count = ($results | Where-Object { $_.$issue -eq [ResultType]::Fail }).Count if($count -gt 0) { Write-Host "$issue: $count apps" } } ``` -------------------------------- ### Generate Custom Result Summary Report Source: https://github.com/azuread/deployment-plans/blob/master/_autodocs/usage-examples.md Create a detailed JSON summary report of application migration readiness by analyzing test results. This script categorizes applications and identifies top blocking issues. ```powershell $results = Test-ADFS2AADOnPremRPTrustSet -RPXMLFileDirectory "C:\ADFS\apps" # Create a custom summary object $summary = [PSCustomObject]@{ TotalApplications = $results.Count ReadyNow = ($results | Where-Object { $_.Result -eq [ResultType]::Pass }).Count RequiresChanges = ($results | Where-Object { $_.Result -eq [ResultType]::Warning }).Count CannotMigrate = ($results | Where-Object { $_.Result -eq [ResultType]::Fail }).Count TopBlockingIssues = @() } # Find top blocking issues $issueTests = @( 'Test-ADFSRPSignedSamlRequestsRequired', 'Test-ADFSRPTokenLifetime', 'Test-ADFSRPEncryptClaims', 'Test-ADFSRPAlwaysRequireAuthentication' ) foreach($test in $issueTests) { $failCount = ($results | Where-Object { $_.$test -eq [ResultType]::Fail }).Count if($failCount -gt 0) { $summary.TopBlockingIssues += [PSCustomObject]@{ Test = $test AffectedApps = $failCount } } } $summary | ConvertTo-Json | Out-File "migration_summary.json" ``` -------------------------------- ### Project File Structure Source: https://github.com/azuread/deployment-plans/blob/master/_autodocs/MANIFEST.md This is a representation of the project's directory and file structure, indicating the purpose and size of each file. ```text output/ ├── 00-START-HERE.txt ..................... Quick orientation (203 lines) ├── MANIFEST.md ........................... This file ├── README.md ............................. Overview (311 lines) ├── INDEX.md .............................. Master index (344 lines) ├── api-reference-export.md ............... Export function (64 lines) ├── api-reference-test-single-rp.md ...... Single trust test (128 lines) ├── api-reference-test-rp-set.md ......... Batch test (162 lines) ├── module-overview.md ................... Architecture (229 lines) ├── test-functions.md .................... All 17 tests (418 lines) ├── api-reference-claim-rules.md ......... Claim analysis (240 lines) ├── types.md ............................. Data types (146 lines) ├── errors.md ............................ Errors & troubleshooting (176 lines) ├── helper-functions.md .................. Helpers (278 lines) └── usage-examples.md .................... Examples (360 lines) Total: 13 files, 3,060 lines ``` -------------------------------- ### Find Applications Ready for Migration Source: https://github.com/azuread/deployment-plans/blob/master/_autodocs/usage-examples.md This script analyzes ADFS configurations and filters the results to identify applications that can migrate without any changes. It displays the count of such applications and shows their names in a grid view. ```powershell $results = Test-ADFS2AADOnPremRPTrustSet -RPXMLFileDirectory "C:\ADFS\apps" # Filter to Pass results only $readyToMigrate = $results | Where-Object { $_.Result -eq [ResultType]::Pass } Write-Host "Applications ready to migrate: $($readyToMigrate.Count)" $readyToMigrate | Select-Object 'RP Name' | Out-GridView ``` -------------------------------- ### Test RP Trusts from JSON File Source: https://github.com/azuread/deployment-plans/blob/master/_autodocs/api-reference-test-rp-set.md Tests RP trusts using an alternative source, a JSON file. It demonstrates how to view detailed results for only the failed applications and how to count applications with specific blocking issues, such as requiring SAML request signing. ```powershell # Or test from JSON file (alternative source) $results = Test-ADFS2AADOnPremRPTrustSet -RPJSONFilePath "C:\ADFS\rps.json" # View detailed results for failed applications $results | Where-Object { $_.Result -eq 'Fail' } | Select-Object 'RP Name', 'Result' # Get count of applications with specific blocking issue $signedSamlFails = $results | Where-Object { $_.'Test-ADFSRPSignedSamlRequestsRequired' -eq 'Fail' } Write-Host "Applications requiring SAML request signing: $($signedSamlFails.Count)" ``` -------------------------------- ### Adding Custom Rule Patterns Source: https://github.com/azuread/deployment-plans/blob/master/_autodocs/helper-functions.md Demonstrates how to add support for new ADFS claim rule patterns by defining them in a collection and then using them in a test function. This allows for custom rule analysis beyond predefined patterns. ```powershell $IssuanceTransformMigratableRules["My Pattern"] = @" my pattern text with __ANYVALUE__ placeholders "@ ``` ```powershell Test-ADFSRPRuleset ` -RulesetName "IssuanceTransform" ` -ADFSRuleSet $ADFSRelyingPartyTrust.IssuanceTransformRules ` -KnownRules $IssuanceTransformMigratableRules ` -ResultTypeIfUnknownPattern Warning ``` -------------------------------- ### Export ADFS Configuration to Zip Source: https://github.com/azuread/deployment-plans/blob/master/_autodocs/module-overview.md Exports the ADFS configuration to a zip file on the ADFS server. This is the first step in the migration process. ```powershell Import-Module .\ADFSAADMigrationUtils.psm1 Export-ADFS2AADOnPremConfiguration ``` -------------------------------- ### Helper Functions Source: https://github.com/azuread/deployment-plans/blob/master/_autodocs/MANIFEST.md Utility functions for common tasks within the deployment plans. ```APIDOC ## Remove-InvalidFileNameChars ### Description Removes invalid characters from file names. ### Purpose This helper function sanitizes strings to be used as valid file names. ### Parameters (No specific parameters documented in the source) ### Returns (No specific return type documented in the source) ### Example ```powershell Remove-InvalidFileNameChars -FileName "My:File?Name.txt" ``` ``` ```APIDOC ## Invoke-TestFunctions ### Description Invokes test functions. ### Purpose This function is a general utility to trigger various test functions. ### Parameters (No specific parameters documented in the source) ### Returns (No specific return type documented in the source) ### Example ```powershell Invoke-TestFunctions ``` ``` -------------------------------- ### Test RP Trusts from XML Directory Source: https://github.com/azuread/deployment-plans/blob/master/_autodocs/api-reference-test-rp-set.md Imports the module and tests all RP trusts from an exported XML directory. Results are then exported to a CSV file for analysis in Excel. This snippet also shows how to calculate and display summary statistics (Pass, Warning, Fail counts). ```powershell # Import the module Import-Module .\ADFSAADMigrationUtils.psm1 # Test all trusts from exported XML directory $results = Test-ADFS2AADOnPremRPTrustSet -RPXMLFileDirectory "C:\ADFS\apps" # Export all results to CSV for use in Excel workbook $results | Export-Csv -Path "C:\ADFS\ADFSRPConfiguration.csv" -NoTypeInformation # View summary statistics $passCount = ($results | Where-Object { $_.Result -eq 'Pass' }).Count $warningCount = ($results | Where-Object { $_.Result -eq 'Warning' }).Count $failCount = ($results | Where-Object { $_.Result -eq 'Fail' }).Count Write-Host "Pass: $passCount, Warning: $warningCount, Fail: $failCount" ``` -------------------------------- ### Regex Escape and Placeholder Replacement Source: https://github.com/azuread/deployment-plans/blob/master/_autodocs/api-reference-claim-rules.md Demonstrates how regex special characters in a pattern are escaped and the `__ANYVALUE__` placeholder is replaced with `.*` for accurate regex matching. ```powershell # Original pattern $pattern = 'c:[Type == "__ANYVALUE__"]' # After escape and replacement $regex = 'c: \[Type == .* \]' ``` -------------------------------- ### Explore ADFS Migration Results Interactively with Out-GridView Source: https://github.com/azuread/deployment-plans/blob/master/_autodocs/usage-examples.md Loads ADFS migration results and displays them in an interactive grid view for filtering and sorting. Allows selection of a single row for detailed list-based output. Requires the 'Microsoft.PowerShell.Utility' module. ```powershell # Load results $results = Test-ADFS2AADOnPremRPTrustSet -RPXMLFileDirectory "C:\ADFS\apps" # Show in Out-GridView for interactive filtering and sorting $results | Select-Object 'RP Name', 'Result', 'Test-ADFSRPSignedSamlRequestsRequired', 'Test-ADFSRPTokenLifetime', 'Test-ADFSRPEncryptClaims' | Out-GridView -Title "ADFS to Azure AD Migration Analysis" # Double-click a row to select it $selected = $results | Out-GridView -Title "Select application for detailed analysis" -OutputMode Single # Show detailed results for selected app $selected | Format-List ``` -------------------------------- ### Export ADFS Configuration to ZIP Source: https://github.com/azuread/deployment-plans/blob/master/_autodocs/api-reference-export.md Imports the necessary module and then exports all ADFS Relying Party Trusts and Claims Provider Trusts to XML files, which are then packaged into a ZIP archive. The resulting files are located in `C:\ADFS\apps\` and the ZIP archive is at `C:\ADFS\zip\ADFSApps.zip`. Requires administrator privileges and must be run on an ADFS server. ```powershell # Import the module Import-Module .\ADFSAADMigrationUtils.psm1 # Export all ADFS configuration Export-ADFS2AADOnPremConfiguration # The resulting files will be in C:\ADFS\apps\ # The ZIP archive will be at C:\ADFS\zip\ADFSApps.zip ``` -------------------------------- ### Debug Empty Results with PowerShell Source: https://github.com/azuread/deployment-plans/blob/master/_autodocs/usage-examples.md Use these PowerShell commands to verify files, load them manually, and test ADFS to AAD on-premises RP trust configurations when results are empty. ```powershell # Verify files exist Get-ChildItem "C:\ADFS\apps" -Filter "*.xml" | Measure-Object # Try loading one file manually $test = Import-Clixml "C:\ADFS\apps\RPT - TestApp.xml" $test | Get-Member # Verify structure # Test with single file $result = Test-ADFS2AADOnPremRPTrust -ADFSRPTrust $test $result.Result # Should show Pass/Warning/Fail ``` -------------------------------- ### Analyze ADFS Configuration Source: https://github.com/azuread/deployment-plans/blob/master/_autodocs/usage-examples.md Transfer the exported zip file to an analysis workstation, extract it, and then run this script to analyze all exported trusts. The results can be exported to a CSV file for further analysis in Excel. ```powershell # Transfer C:\ADFS\zip\ADFSApps.zip to analysis workstation # Extract to C:\ADFS\apps\ # On workstation with ADFS PowerShell module installed: Import-Module .\ADFSAADMigrationUtils.psm1 # Analyze all exported trusts $results = Test-ADFS2AADOnPremRPTrustSet -RPXMLFileDirectory "C:\ADFS\apps" # Export results for Excel $results | Export-Csv "C:\ADFS\ADFSRPConfiguration.csv" -NoTypeInformation ``` -------------------------------- ### Analyze ADFS Claim Rules Source: https://github.com/azuread/deployment-plans/blob/master/_autodocs/api-reference-claim-rules.md This snippet demonstrates how to define known patterns, sample claim rules, and then use Invoke-ADFSClaimRuleAnalysis to analyze them. It shows how to view the analysis results, including whether a rule matches a known pattern and any extracted AD attributes. ```powershell # Define a simple set of known patterns $knownPatterns = @{ "Extract from AD" = @" c:[Type == "__ANYVALUE__", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = (__ANYVALUE__), query = ";__ANYVALUE__;{0}", param = c.Value); "@; "Permit All" = 'issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");' } # Sample claim rules to analyze $ruleSet = @" c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"), query = ";givenName;{0}", param = c.Value); c:[Type == "http://schemas.xmlsoap.org/claims/Group"] => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim"); "@ # Analyze the rules $analysis = Invoke-ADFSClaimRuleAnalysis ` -RuleSetName "IssuanceTransform" ` -ADFSRuleSet $ruleSet ` -KnownRules $knownPatterns # View results $analysis | Select-Object Rule, IsKnownRuleMigratablePattern, KnownRulePatternName, ADAttributes ``` -------------------------------- ### Test Single Trust from Live ADFS Source: https://github.com/azuread/deployment-plans/blob/master/_autodocs/usage-examples.md Test the migration readiness of a single relying party trust directly from a live ADFS server. This allows for granular testing and viewing detailed messages. ```powershell # On ADFS server, test a single application $trust = Get-AdfsRelyingPartyTrust -Name "Salesforce" $result = Test-ADFS2AADOnPremRPTrust -ADFSRPTrust $trust # View overall status Write-Host "Salesforce Migration Status: $($result.Result)" # Check specific tests $result.'Test-ADFSRPSignedSamlRequestsRequired' # Fail? $result.'Test-ADFSRPEncryptClaims' # Pass? # View detailed messages Write-Host $result.Messages ``` -------------------------------- ### Pipeline Processing of ADFS Trusts Source: https://github.com/azuread/deployment-plans/blob/master/_autodocs/module-overview.md Demonstrates how to pipe ADFS relying party trusts through a test function and export the results to a CSV file. This showcases the module's pipeline-friendly design. ```powershell Get-AdfsRelyingPartyTrust | Test-ADFS2AADOnPremRPTrust | Export-Csv results.csv ``` -------------------------------- ### Analyze Custom Claim Rules Source: https://github.com/azuread/deployment-plans/blob/master/_autodocs/usage-examples.md This script finds applications with custom claim transformation rules that are not set to 'Pass'. It lists the applications and their custom rule status, and exports this information to a CSV file for detailed review. ```powershell $results = Test-ADFS2AADOnPremRPTrustSet -RPXMLFileDirectory "C:\ADFS\apps" # Find applications with custom claim transformation rules $customRules = $results | Where-Object { $_.'Test-ADFSRPIssuanceTransformRules' -ne [ResultType]::Pass } foreach($app in $customRules) { Write-Host "App: $($app.'RP Name')" Write-Host " Status: $($($_.'Test-ADFSRPIssuanceTransformRules'))" } # Export custom rules for detailed review $customRules | Select-Object 'RP Name', 'Test-ADFSRPIssuanceTransformRules' | Export-Csv "custom_rules.csv" ``` -------------------------------- ### Claim Rule Pattern with Wildcard Source: https://github.com/azuread/deployment-plans/blob/master/_autodocs/api-reference-claim-rules.md Defines a claim rule pattern using `__ANYVALUE__` for wildcard matching. The `__ANYVALUE__` placeholder is later converted to a `.*` regex. ```powershell $pattern = @" c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", Value == "__ANYVALUE__"] => issue(Type = "__ANYVALUE__", Value = "true"); @" ``` -------------------------------- ### Find Applications with Specific Blocking Issues Source: https://github.com/azuread/deployment-plans/blob/master/_autodocs/usage-examples.md This script identifies applications that have specific blocking issues, such as requiring signed SAML requests. It counts the number of applications affected by the specified issue and lists their names. ```powershell $results = Test-ADFS2AADOnPremRPTrustSet -RPXMLFileDirectory "C:\ADFS\apps" # Find all apps requiring signed SAML requests $signedSamlFails = $results | Where-Object { $_.'Test-ADFSRPSignedSamlRequestsRequired' -eq [ResultType]::Fail } Write-Host "Apps requiring signed SAML requests: $($signedSamlFails.Count)" foreach($app in $signedSamlFails) { Write-Host " - $($app.'RP Name')" } ``` -------------------------------- ### Remediation Tracking for Application Migration Source: https://github.com/azuread/deployment-plans/blob/master/_autodocs/usage-examples.md Track remediation efforts by comparing an initial baseline of migration issues against subsequent test runs. This helps quantify the number of issues resolved. ```powershell # Baseline analysis $results = Test-ADFS2AADOnPremRPTrustSet -RPXMLFileDirectory "C:\ADFS\apps" $baseline = $results | Where-Object { $_.Result -ne [ResultType]::Pass } # Save for comparison $baseline | Export-Csv "baseline_issues.csv" # After remediation efforts... $results2 = Test-ADFS2AADOnPremRPTrustSet -RPXMLFileDirectory "C:\ADFS\apps" $resolved = $baseline | Where-Object { ($results2 | Where-Object { $_.'RP Name' -eq $_.PSObject.Properties['RP Name'].Value }).Result -eq [ResultType]::Pass } Write-Host "Issues resolved: $($resolved.Count) out of $($baseline.Count)" ``` -------------------------------- ### Find Blocking Issues in ADFS Apps Source: https://github.com/azuread/deployment-plans/blob/master/_autodocs/README.md Loads ADFS application configurations and filters for those with signed SAML requirements that are marked as a blocker. Also groups results by their test status. ```powershell # Load results $results = Test-ADFS2AADOnPremRPTrustSet -RPXMLFileDirectory "C:\ADFS\apps" # Find apps with signed SAML requirement (blocker) $results | Where-Object { $_.'Test-ADFSRPSignedSamlRequestsRequired' -eq 'Fail' } | Select-Object 'RP Name' # Count by status $results | Group-Object Result | Select-Object Name, Count ``` -------------------------------- ### Test-ADFS2AADOnPremRPTrustSet Cmdlet Source: https://github.com/azuread/deployment-plans/blob/master/_autodocs/api-reference-test-rp-set.md The Test-ADFS2AADOnPremRPTrustSet cmdlet enumerates ADFS Relying Party trusts, tests their compatibility with Azure AD, and collects the results. It can process trusts from a directory of XML files or a single JSON file. ```APIDOC ## Test-ADFS2AADOnPremRPTrustSet ### Description Tests ADFS to Azure AD on-premises RP trusts. This cmdlet can process trusts from a directory of XML files or a single JSON file. It enumerates trusts, tests each one using `Test-ADFS2AADOnPremRPTrust`, collects results, and returns them as a sorted array. ### Parameters #### Parameters - **RPXMLFileDirectory** (string) - Optional - Specifies the directory containing XML files with RP trust configurations. - **RPJSONFilePath** (string) - Optional - Specifies the path to a JSON file containing RP trust configurations. The JSON file should have a 'Rows' property containing an array of RP objects. ### Behavior 1. **XML Path Processing**: If `RPXMLFileDirectory` is used, the cmdlet enumerates all files in the specified directory, loads each file using `Import-Clixml`, displays progress, and calls `Test-ADFS2AADOnPremRPTrust` for each trust. All results are collected. 2. **JSON Path Processing**: If `RPJSONFilePath` is used, the cmdlet reads the JSON file, extracts the `Rows` property, and iterates through each RP configuration. It maps complex properties, normalizes boolean values, and calls `Test-ADFS2AADOnPremRPTrust` for each JSON RP object. All results are collected. ### Output Generation The cmdlet returns an array of result objects sorted by RP name. These results can be exported to CSV for analysis, and aggregate statistics (Pass/Warning/Fail counts) can be computed. ### Request Example ```powershell # Import the module Import-Module . # Test all trusts from exported XML directory $results = Test-ADFS2AADOnPremRPTrustSet -RPXMLFileDirectory "C:\ADFS\apps" # Export all results to CSV for use in Excel workbook $results | Export-Csv -Path "C:\ADFS\ADFSRPConfiguration.csv" -NoTypeInformation # View summary statistics $passCount = ($results | Where-Object { $_.Result -eq 'Pass' }).Count $warningCount = ($results | Where-Object { $_.Result -eq 'Warning' }).Count $failCount = ($results | Where-Object { $_.Result -eq 'Fail' }).Count Write-Host "Pass: $passCount, Warning: $warningCount, Fail: $failCount" # Or test from JSON file (alternative source) $results = Test-ADFS2AADOnPremRPTrustSet -RPJSONFilePath "C:\ADFS\rps.json" # View detailed results for failed applications $results | Where-Object { $_.Result -eq 'Fail' } | Select-Object 'RP Name', 'Result' # Get count of applications with specific blocking issue $signedSamlFails = $results | Where-Object { $_.'Test-ADFSRPSignedSamlRequestsRequired' -eq 'Fail' } Write-Host "Applications requiring SAML request signing: $($signedSamlFails.Count)" ``` ### Response #### Success Response Returns an array of result objects, each containing details about the RP trust test. The array is sorted by RP name. - **RP Name** (string) - The name of the Relying Party. - **Result** (string) - The outcome of the test (e.g., 'Pass', 'Warning', 'Fail'). - **[Other Test Specific Fields]** (string) - Fields specific to individual tests performed on the RP trust. #### Response Example ```json [ { "RP Name": "MyRP1", "Result": "Pass", "Test-ADFSRPSignedSamlRequestsRequired": "Pass", "Test-ADFS2AADOnPremRPTrust": "Pass" }, { "RP Name": "MyRP2", "Result": "Fail", "Test-ADFSRPSignedSamlRequestsRequired": "Fail", "Test-ADFS2AADOnPremRPTrust": "Pass" } ] ``` ``` -------------------------------- ### Diagnose Claim Rule Parsing Issues with PowerShell Source: https://github.com/azuread/deployment-plans/blob/master/_autodocs/usage-examples.md Import a trust with complex claim rules and analyze issuance transform rules directly using PowerShell for parsing issues. ```powershell # Import a trust with complex claim rules $trust = Import-Clixml "C:\ADFS\apps\RPT - ComplexApp.xml" # Analyze issuance transform rules directly Invoke-ADFSClaimRuleAnalysis ` -RuleSetName "IssuanceTransform" ` -ADFSRuleSet $trust.IssuanceTransformRules ` -KnownRules $IssuanceTransformMigratableRules | Select-Object Rule, IsKnownRuleMigratablePattern, ADAttributes ``` -------------------------------- ### Using ClaimRuleAnalysis in Migration Tests Source: https://github.com/azuread/deployment-plans/blob/master/_autodocs/types.md Demonstrates how to retrieve ClaimRuleAnalysis objects from a migration test result and filter them based on specific criteria, such as custom Active Directory attributes. ```powershell $testResult = Test-ADFSRPIssuanceTransformRules -ADFSRelyingPartyTrust $trust $ruleAnalyses = $testResult.Details["ClaimRuleProperties"] # Array of ClaimRuleAnalysis objects # Find all rules using custom AD attributes $customAttributes = $ruleAnalyses | Where-Object { $_.ADAttributes -contains 'customAttribute' } ``` -------------------------------- ### Migratable MFA Rules Hashtable Source: https://github.com/azuread/deployment-plans/blob/master/_autodocs/helper-functions.md Defines a hashtable containing template patterns for MFA rules that can potentially be migrated to Azure AD MFA or third-party MFA providers. Use this to identify and categorize MFA claim rules. ```powershell $MFAMigratableRules = @{ "MFA for a User" = "MFA for a Group" = "MFA for unregistered devices" = "MFA for extranet" = } ``` -------------------------------- ### Test ADFS Relying Party Trusts for Azure AD Migration Source: https://github.com/azuread/deployment-plans/blob/master/_autodocs/README.md Run this command on an analysis workstation to test multiple ADFS Relying Party Trusts. It accepts a directory containing XML files or a JSON file and returns an array of test results. ```powershell $results = Test-ADFS2AADOnPremRPTrustSet -RPXMLFileDirectory "C:\ADFS\apps" ``` -------------------------------- ### Test ADFS Not Before Skew Tolerance Source: https://github.com/azuread/deployment-plans/blob/master/_autodocs/test-functions.md Tests SAML token time skew tolerance by checking the `NotBeforeSkewDuration` property. Returns a warning if the time skew value is non-zero. Non-zero skew can cause token acceptance/rejection timing issues, while Azure AD uses fixed skew handling. ```powershell Test-ADFSRPNotBeforeSkew -ADFSRelyingPartyTrust ``` -------------------------------- ### Export ADFS Configuration Source: https://github.com/azuread/deployment-plans/blob/master/_autodocs/usage-examples.md Run this script on the primary ADFS server with administrative privileges to export all Relying Party and Claims Provider trusts. It creates XML files, a zip archive, and opens Windows Explorer to the zip directory. ```powershell # Run on the primary ADFS server with administrative privileges # Import the module Import-Module C:\path\to\ADFSAADMigrationUtils.psm1 # Export all Relying Party and Claims Provider trusts Export-ADFS2AADOnPremConfiguration # This creates: # - C:\ADFS\apps\ directory with individual .xml files # - C:\ADFS\zip\ADFSApps.zip with compressed backup # - Opens Windows Explorer to C:\ADFS\zip\ directory ``` -------------------------------- ### Import and Export ADFS Configuration Source: https://github.com/azuread/deployment-plans/blob/master/ADFS to AzureAD App Migration/Readme.md Imports the ADFS to Azure AD Migration PowerShell module and exports the on-premises ADFS configuration to XML files. Ensure the module is saved with a .psm1 extension. ```powershell ipmo .\ADFSAADMigrationUtils.psm1 Export-ADFS2AADOnPremConfiguration ``` -------------------------------- ### Empty Delegation Rules Hashtable Source: https://github.com/azuread/deployment-plans/blob/master/_autodocs/helper-functions.md An empty hashtable indicating that no delegation patterns are currently supported in Azure AD. This serves as a placeholder for future delegation rule definitions. ```powershell $DelegationMigratableRules = @{ } ``` -------------------------------- ### Migratable Impersonation Rules Hashtable Source: https://github.com/azuread/deployment-plans/blob/master/_autodocs/helper-functions.md Defines a hashtable containing template patterns for ADFS V2 proxy impersonation rules. Use this to identify and categorize impersonation claim rules for migration. ```powershell $ImpersonationMigratableRules = @{ "ADFS V2 - ProxySid by user" = "ADFS V2 - ProxySid by group" = "ADFS V2 - Proxy Trust check" = } ``` -------------------------------- ### Test ADFSRPIssuance Authorization Rules Source: https://github.com/azuread/deployment-plans/blob/master/_autodocs/test-functions.md Analyzes issuance authorization rules. These should be moved to Azure AD Conditional Access, as authorization logic must be reimplemented using Azure AD Conditional Access policies. ```powershell Test-ADFSRPIssuanceAuthorizationRules -ADFSRelyingPartyTrust ``` -------------------------------- ### Run ADFS Relying Party Trust Tests Source: https://github.com/azuread/deployment-plans/blob/master/_autodocs/helper-functions.md Execute a set of predefined test functions against an ADFS relying party trust. Ensure function names are valid and exported, and that each function accepts a single -ADFSRelyingPartyTrust parameter and returns a MigrationTestResult object. Invalid function names will cause exceptions. ```powershell $functionsToRun = @( "Test-ADFSRPAdditionalAuthenticationRules", "Test-ADFSRPEncryptClaims", "Test-ADFSRPSignedSamlRequestsRequired", "Test-ADFSRPTokenLifetime" ) $trust = Get-AdfsRelyingPartyTrust -Name "MyApp" $results = Invoke-TestFunctions -FunctionsToRun $functionsToRun -ADFSRelyingPartyTrust $trust # Results contains 4 MigrationTestResult objects foreach($result in $results) { Write-Host "$($result.TestName): $($result.Result)" } ``` -------------------------------- ### Test ADFSRP Delegation Authorization Rules Source: https://github.com/azuread/deployment-plans/blob/master/_autodocs/test-functions.md Analyzes delegation authorization rules. Azure AD does not support delegation, so these rules require alternative implementation via Azure AD Conditional Access or application-level logic. ```powershell Test-ADFSRPDelegationAuthorizationRules -ADFSRelyingPartyTrust ``` -------------------------------- ### Analyze ADFS Relying Party Trusts Source: https://github.com/azuread/deployment-plans/blob/master/ADFS to AzureAD App Migration/Readme.md Tests the configuration of ADFS relying party trusts by analyzing XML files. Specify the directory containing the exported XML configuration files. ```powershell Test-ADFS2AADOnPremRPTrustSet -RPXMLFileDirectory "C:\adfs\apps" ``` -------------------------------- ### Test ADFS Relying Party Trust Compatibility Source: https://github.com/azuread/deployment-plans/blob/master/_autodocs/api-reference-test-single-rp.md Use this cmdlet to test the compatibility of a single ADFS Relying Party Trust for migration to Azure AD. It requires an ADFS Relying Party Trust object as input. ```powershell Test-ADFS2AADOnPremRPTrust -ADFSRPTrust [-Verbose] ``` -------------------------------- ### Test ADFSRP Additional Authentication Rules Source: https://github.com/azuread/deployment-plans/blob/master/_autodocs/test-functions.md Tests for custom additional authentication (MFA) rules that may require migration. Returns a Warning if an unknown MFA pattern is detected, otherwise Pass. ```powershell Test-ADFSRPAdditionalAuthenticationRules -ADFSRelyingPartyTrust ``` -------------------------------- ### Analyze ADFS Relying Party Trusts from Separate Server Source: https://github.com/azuread/deployment-plans/blob/master/ADFS to AzureAD App Migration/Readme.md Tests the configuration of ADFS relying party trusts by analyzing XML files from a separate server. Replace "" with the actual path to the unzipped XML files. ```powershell Test-ADFS2AADOnPremRPTrustSet -RPXMLFileDirectory "" ``` -------------------------------- ### Batch Process Multiple ADFS Exports with Timestamps Source: https://github.com/azuread/deployment-plans/blob/master/_autodocs/usage-examples.md Iterates through a list of ADFS export directories, processes each one, and saves the results to timestamped CSV files. Useful for managing exports from different time periods. ```powershell $exportDirectories = @( "C:\ADFS_Export_20240101\apps", "C:\ADFS_Export_20240115\apps", "C:\ADFS_Export_20240201\apps" ) foreach($dir in $exportDirectories) { Write-Host "Processing $dir..." $timestamp = Split-Path $dir | Split-Path -Parent | Split-Path -Leaf $results = Test-ADFS2AADOnPremRPTrustSet -RPXMLFileDirectory $dir $results | Export-Csv "results_$timestamp.csv" -NoTypeInformation } ``` -------------------------------- ### MigrationTestResult C# Class Source: https://github.com/azuread/deployment-plans/blob/master/_autodocs/types.md Represents the outcome of a single migration compatibility test. Use this class to structure results from compatibility checks, including success status, object details, and any relevant messages or exceptions. ```csharp public class MigrationTestResult { public string TestName; public string ADFSObjectType; public string ADFSObjectIdentifier; public ResultType Result; public string Message; public string ExceptionMessage; public System.Collections.Hashtable Details; public MigrationTestResult() { Result = ResultType.Pass; Details = new System.Collections.Hashtable(); } } ``` -------------------------------- ### Test-ADFS2AADOnPremRPTrustSet Source: https://github.com/azuread/deployment-plans/blob/master/_autodocs/api-reference-test-rp-set.md Analyzes multiple ADFS Relying Party Trusts for migration compatibility using either a directory of XML exports or a JSON file. It provides progress tracking and detailed CSV-compatible output. ```APIDOC ## Test-ADFS2AADOnPremRPTrustSet ### Description Runs migration compatibility analysis against multiple ADFS Relying Party Trusts from either a directory of XML exports or a JSON file. Processes all trusts with progress tracking and produces detailed CSV-compatible output for Excel reporting. ### Method PowerShell Cmdlet ### Parameters #### Path Parameters - **RPXMLFileDirectory** (string) - Conditional - Full path to directory containing exported XML files. Use this parameter set when testing XML exports from `Export-ADFS2AADOnPremConfiguration`. - **RPJSONFilePath** (string) - Conditional - Full path to JSON file containing RP trust configurations. Alternative to XML directory. #### Query Parameters None #### Request Body None ### Request Example ```powershell Test-ADFS2AADOnPremRPTrustSet -RPXMLFileDirectory "C:\ADFS\apps\" Test-ADFS2AADOnPremRPTrustSet -RPJSONFilePath "C:\ADFS\RPTrusts.json" ``` ### Response #### Success Response (PSObject[]) An array of result objects, one for each Relying Party Trust tested. Each object contains properties from `Test-ADFS2AADOnPremRPTrust` plus aggregated claim rule analysis. #### Response Example ```json [ { "RPName": "ExampleRP", "MigrationStatus": "Compatible", "ClaimAnalysis": [ { "RuleName": "Rule1", "Status": "OK" } ] } ] ``` ```