If you are using a Federated domain with your Office 365 there may be occasions when you would want to convert your domain back to a Standard or Managed domain type. The two reasons for doing this I can think of are:
1. There is a temporary problem with your ADFS infrastructure and you want to switch back to using Password Sync (using DirSync) while the problem is resolved.
2. You are moving away from using ADFS for some reason and want to go back to using Password Sync (Using DirSync) for your users logging into Office 365.
When I was looking for guidance on the second option there seemed to be a lot of confusing information, so I have summarised what I found and the steps I took.
In both cases you will first need to connect to your Office 365 tenant to make the changes. I usually do this from the ADFS computer as it will already have the tools installed I need.
- Click Windows Azure Active Directory, right-click Windows Azure Active Directory Module for Windows PowerShell, and then click Run as administrator.
- Run the following commands in the order in which they are presented. Press Enter after you type each command.
- $cred = Get-Credential
When you are prompted, enter Office 365 administrator credentials that are not SSO-enabled. (e.g. something that ends in @mydomain.onmicrosoft.com)
- Connect-MsolService -Credential $cred
- Set-MsolADFSContext -Computer <AD FS 2.0 server name>
- $cred = Get-Credential
Now that you have connected you are ready to run the Convert-MSOLDomainToStandard cmdlet with the required switches shown below.
For temporarily disabling Federation run:
Convert-MSOLDomainToStandard -DomainName <federated domain name> -SkipUserConversion $true -PasswordFile c:\userpasswords.txt
For permanently disabling Federation run:
Convert-MSOLDomainToStandard -DomainName <federated domain name> -SkipUserConversion $false -PasswordFile c:\userpasswords.txt
Note the difference between these two commands is the "SkipUserConversion $true/false" switch. When it is false this tells PowerShell to also convert your users from federated to standard while converting your domain. The password file is where the users' temporary passwords will be saved. You won't need the file since you'll be syncing AD passwords over to O365, but it's required as part of the conversion process that the users be issued these temporary passwords.
Be aware that running the cmdlet with SkipUserConversion $false can take a while to execute; it took over 1 hour for around 3000 users, so plan accordingly, as until this and the next steps are complete users will NOT be able to log into their Office 365 account.
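The connect-and-convert steps above as one script, added here as an example and not taken from the original post. It assumes the MSOnline module is installed on the machine, that you supply $DomainName and $AdfsServer yourself, and that the password file path is a placeholder; it also checks the domain's authentication type before and after the conversion.

```powershell
# Added example (not from the original post): connect, confirm the domain is
# federated, convert it, verify the result and dispose of the password file.
# $DomainName, $AdfsServer and $PasswordFile are placeholders you supply.
param(
    [Parameter(Mandatory)][string]$DomainName,   # the federated domain
    [Parameter(Mandatory)][string]$AdfsServer,   # AD FS 2.0 server name
    [switch]$Permanent,                          # also convert the users
    [string]$PasswordFile = "$env:TEMP\userpasswords.txt"
)

Import-Module MSOnline -ErrorAction Stop

# Use a cloud-only (@tenant.onmicrosoft.com) admin: a federated admin would be
# locked out as soon as the domain stops being federated.
Write-Host "Enter Office 365 admin credentials that are not SSO-enabled"
$cred = Get-Credential
Connect-MsolService -Credential $cred
Set-MsolADFSContext -Computer $AdfsServer

# Refuse to run against a domain that is not actually federated.
$before = Get-MsolDomain -DomainName $DomainName
if ($before.Authentication -ne 'Federated') {
    throw "$DomainName is '$($before.Authentication)', not Federated; nothing to convert."
}

# Temporary switch: keep the users federated (-SkipUserConversion $true).
# Permanent move: convert the users too, which is the slow part.
$skipUsers = -not $Permanent
Convert-MsolDomainToStandard -DomainName $DomainName `
    -SkipUserConversion $skipUsers -PasswordFile $PasswordFile

# Check that the tenant now reports the domain as Managed.
$after = Get-MsolDomain -DomainName $DomainName
if ($after.Authentication -ne 'Managed') {
    throw "Conversion did not complete: authentication is '$($after.Authentication)'."
}
Write-Host "$DomainName is now Managed; run a full password sync next."

# The file holds the temporary passwords in plain text. They are overwritten by
# the password sync, so there is no reason to leave the file on disk.
if (Test-Path $PasswordFile) {
    Remove-Item $PasswordFile -Force
    Write-Host "Removed temporary password file $PasswordFile."
}
```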
If you have chosen to permanently remove Federation then you should now run a full password sync, because right now all your users will have temporary passwords assigned as part of running the Convert-MSOLDomainToStandard cmdlet. Triggering a full Password Sync re-synchronizes the passwords of all DirSync'd users, so their normal Active Directory passwords will be synced back into Office 365 and they will then be able to log in normally.
Trigger a full Password Sync
- On your DirSync machine, run the following .psc1: C:\Program Files\Windows Azure Active Directory Sync\DirSyncConfigShell.psc1
- In the Powershell console that loads, run the Set-FullPasswordSync cmdlet
- Load Services.msc
- Restart the Forefront Identity Manager Synchronization Service.
- Once this is complete, you should see a series of EventId=656 (Password Sync Requests) and EventId=657 (Password Sync Results) indicating that your full password sync has kicked off.
Once all this is complete you may need to wait up to 2 hours before all the changes are fully synchronised but after that users should be able to log into their Office 365 account again.