REMOVE ADFS FARM AFTER MOVING TO AZURE AD AS IDP

Updated 31.08.2022

Currently and in the past I have done a number of ADFS to Azure AD authentication projects, where authentication is moved to Password Hash Sync (PHS) with Seamless SSO or Pass-through Authentication (PTA) including sSSO.

First of all, you should know your environment before you start removing services. I assume that you're aware of the servers that are joined to your ADFS farm. If not, STOP here and start over :-). No, seriously: you can use PowerShell to get a list of your servers and especially the primary server of your farm. Run this on one of your ADFS hosts:

Get-ADFSSyncProperties

Make sure you have migrated all authentications to Azure and that you have had the relying party trusts disabled for a while now. This gives you the certainty that no authentication flow still passes through your ADFS environment.

You should also check the “Application” log on each of your ADFS servers. Filter it by the sources “AD FS”, “AD FS Auditing”, “AD FS Tracing” and “ADHealth-Adfs” to confirm that no auth flow runs over ADFS any more.

If you still see failing authentications going over your farm, make sure they get migrated to Azure before you remove your ADFS servers. Also have a look into Applications and Services Logs/AD FS/Admin. If all is clear, you can start decommissioning your farm.

On your primary ADFS server, check the certificate sharing container, as you will need its GUID later to remove it within ADSI. Do that before removing the ADFS farm, because the value can no longer be queried once the role is gone.

(Get-ADFSProperties).CertificateSharingContainer
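The pre-flight checks described above (farm role, recording the certificate sharing container, disabled relying party trusts, and the event logs that should be quiet) combined into one script, as an added example that is not part of the original post. It assumes it runs elevated on an ADFS host with the ADFS module available; `$LookbackDays` and the hypothetical provider filter are this example's own choices, taken from the log sources the post names.

```powershell
# Pre-decommission check for one ADFS host (added example, not from the original post).
# Assumption: run elevated on the ADFS server; $LookbackDays is a value you pick yourself.
param([int]$LookbackDays = 14)

$since = (Get-Date).AddDays(-$LookbackDays)

# 1. Farm role: know whether this host is the primary before touching anything.
$sync = Get-AdfsSyncProperties
"Role: $($sync.Role)  Primary: $($sync.PrimaryComputerName)"

# 2. Record the certificate sharing container now; it is needed for the ADSI clean-up
#    after the role has been removed and can no longer be queried on the host.
$container = (Get-AdfsProperties).CertificateSharingContainer
"CertificateSharingContainer: $container"

# 3. Every relying party trust should already be disabled; list any that is not.
$enabledTrusts = Get-AdfsRelyingPartyTrust | Where-Object { $_.Enabled }
if ($enabledTrusts) {
    "Relying party trusts that are still enabled:"
    $enabledTrusts | Select-Object Name, Identifier | Format-Table -AutoSize
}

# 4. Recent activity in the logs the post names: AD FS/Admin, Application (AD FS sources)
#    and Security (AD FS Auditing). Any event here means a client still talks to this farm.
$filters = @(
    @{ LogName = 'AD FS/Admin'; StartTime = $since },
    @{ LogName = 'Application'; ProviderName = 'AD FS', 'AD FS Tracing', 'ADHealth-Adfs'; StartTime = $since },
    @{ LogName = 'Security';    ProviderName = 'AD FS Auditing'; StartTime = $since }
)
foreach ($f in $filters) {
    # Get-WinEvent raises an error when nothing matches; treat that as zero events.
    $events = @(Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue)
    "{0,-12} events since {1:d}: {2}" -f $f.LogName, $since, $events.Count
    # Top sources/event IDs help to identify which client or trust is still active.
    $events | Group-Object ProviderName, Id | Sort-Object Count -Descending |
        Select-Object -First 5 Count, Name | Format-Table -AutoSize
}

# A clean result is: no enabled trusts and zero events in all three logs for the whole window.
```

Run it on every farm member, not only the primary, since the Admin and Security logs are local to each host.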

Remove the WAP Servers

Log in to each WAP server, open the Remote Access Management Console and look for published web applications. Remove any ADFS-related ones that are no longer used. Make a note of the URL that you are removing; it is very likely that you can remove the same name from public and private DNS as well once the service is no longer needed. Then remove the WAP role itself with PowerShell:

Remove-WindowsFeature Web-Application-Proxy,RSAT-RemoteAccess

If you need an alternative solution for Remote Access Management and WAP, have a look into Azure Application Proxy.

Remove ADFS Server

On your secondary host, start PowerShell and remove the ADFS role including the Windows Internal Database feature (if it is not needed for anything else). Run the command and reboot the server:

Remove-WindowsFeature ADFS-Federation,Windows-Internal-Database

Also remove the ADFS database on the local system by running the command below. This clears the folder with the ADFS database and its logs.

del C:\Windows\WID\data\adfs*

Clean-up some more ADFS Stuff

Do not forget to remove:
– Internal and external ADFS specific DNS records
– Load Balancer configurations for ADFS Farm
– Firewall rules between Internet, Load Balancer, DMZ and ADFS Servers
– Revoke certificates if no longer needed
– Service accounts, Group Managed Service Accounts
– IIS on the ADFS server and/or decommission the Windows Server itself

If you have removed all ADFS servers from your forest, you are now safe to remove the ADSI entries for the Certificate Sharing Container within ADSI Edit, under: Default naming context > {your domain partition} > CN=Program Data > CN=Microsoft > CN=ADFS

Select the container whose name matches the GUID you recorded from the ADFS properties and delete it.

All done. Hope this helps!
