Office 365 converting domain from Federated to standard


If you are using a Federated domain with your Office 365 there may be occasions when you would want to convert your domain back to a Standard or Managed domain type. The two reasons for doing this I can think of are:

1. There is a temporary problem with your ADFS infrastructure and you want to switch back to using Password Sync (using DirSync) while the problem is resolved.

2. You are moving away from using ADFS for some reason and want to go back to using Password Sync (Using DirSync) for your users logging into Office 365.

When I was looking for guidance on the 2nd option there seemed to be a lot of confusing information, so I have summarised what I found and the steps I took.

In both cases you will first need to connect to your Office 365 tenant to make the changes. I usually do this from the ADFS computer as it will already have the tools installed I need.

  1. Click Windows Azure Active Directory, right-click Windows Azure Active Directory Module for Windows PowerShell, and then click Run as administrator.
  2. Run the following commands in the order in which they are presented. Press Enter after you type each command.
    1. $cred = Get-Credential
      When you are prompted, enter Office 365 administrator credentials that are not SSO-enabled (e.g. an account that ends in @mydomain.onmicrosoft.com), otherwise the sign-in itself depends on the federation you are about to remove.
    2. Connect-MsolService -Credential $cred
    3. Set-MsolADFSContext -Computer <AD FS 2.0 server name>

Now that you have connected you are ready to run the Convert-MSOLDomainToStandard cmdlet with the required switches shown below.

For temporarily disabling Federation run:

Convert-MSOLDomainToStandard -DomainName <federated domain name> -SkipUserConversion $true -PasswordFile c:\userpasswords.txt

For permanently disabling Federation run:

Convert-MSOLDomainToStandard -DomainName <federated domain name> -SkipUserConversion $false -PasswordFile c:\userpasswords.txt

Note that the only difference between these two commands is the value of “-SkipUserConversion $true/$false”. When it is $false, PowerShell also converts your users from federated to standard while converting your domain. The password file is where the users’ temporary passwords will be saved. You won’t need the file since you’ll be syncing AD passwords over to O365, but it’s required as part of the conversion process that users be issued these temporary passwords. Bear in mind that the file contains those passwords in plain text, so it should be removed once the password sync described below has completed.

Be aware that running the cmdlet with -SkipUserConversion $false can take a while to execute: it took over 1 hour for around 3000 users, so plan accordingly, as until this and the next steps are complete users will NOT be able to log into their Office 365 account.
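The connection and conversion steps above, wrapped in one script as an added example (not code from the original post). It checks the domain’s authentication type with Get-MsolDomain before and after the conversion so that a partial or failed run is caught rather than discovered by locked-out users; the parameter names $DomainName, $AdfsServer, $PasswordFile and $Temporary are assumptions of this script, not part of the MSOnline module.

```powershell
# Added example: convert a federated Office 365 domain to Managed and verify the result.
# Assumes the Windows Azure AD Module (MSOnline) is installed on the machine running this.
param(
    [Parameter(Mandatory)] [string] $DomainName,      # the federated domain to convert
    [Parameter(Mandatory)] [string] $AdfsServer,      # AD FS 2.0 server name
    [string] $PasswordFile = 'C:\userpasswords.txt',  # where temporary passwords are written
    [switch] $Temporary                               # set for option 1 (keep users federated)
)

# Use a cloud-only (non-SSO) admin such as admin@<tenant>.onmicrosoft.com; a federated
# admin account would stop working part-way through the conversion.
$cred = Get-Credential -Message 'Office 365 admin (non-federated account)'
Connect-MsolService -Credential $cred
Set-MsolADFSContext -Computer $AdfsServer

# Sanity check: only act on a domain that is actually federated.
$before = Get-MsolDomain -DomainName $DomainName
if ($before.Authentication -ne 'Federated') {
    throw "$DomainName is already '$($before.Authentication)'; nothing to convert."
}

# -SkipUserConversion $true = temporary switch-off (option 1), $false = permanent (option 2).
$skipUsers = [bool]$Temporary
Convert-MsolDomainToStandard -DomainName $DomainName `
    -SkipUserConversion $skipUsers `
    -PasswordFile $PasswordFile

# Verify the tenant now reports the domain as Managed before moving on to the password sync.
$after = Get-MsolDomain -DomainName $DomainName
if ($after.Authentication -ne 'Managed') {
    throw "Conversion did not complete: $DomainName is still '$($after.Authentication)'."
}
Write-Host "$DomainName is now Managed."

if (-not $Temporary) {
    # Users currently hold the temporary passwords written to $PasswordFile (plain text).
    # Trigger the full password sync on the DirSync server next, then delete this file.
    Write-Warning "Temporary passwords saved to $PasswordFile; remove it once the full password sync has completed."
}
```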

If you have chosen to permanently remove Federation then you should now run a full password sync. This is because right now all your users have temporary passwords assigned as part of running the Convert-MSOLDomainToStandard cmdlet. Triggering a full Password Sync re-synchronises the passwords of all DirSync’d users, so their normal Active Directory passwords are synced back into Office 365 and they can log in normally again.

Trigger a full Password Sync

  1. On your DirSync machine, run the following .psc1: C:\Program Files\Windows Azure Active Directory Sync\DirSyncConfigShell.psc1
  2. In the Powershell console that loads, run the Set-FullPasswordSync cmdlet
  3. Load Services.msc
  4. Restart the Forefront Identity Manager Synchronization Service.
  5. Once this is complete, you should see a series of EventId=656 (Password Sync Requests) and EventId=657 (Password Sync Results) indicating that your full password sync has kicked off.

Once all this is complete you may need to wait up to 2 hours before all the changes are fully synchronised, but after that users should be able to log into their Office 365 account again.

2 Comments

  1. Good walkthrough.
    Have you also considered the scenario when moving to pure cloud users, that is even deleting the local AD account after migration?
    Let’s say you perform the steps above, but consider that the final dirsync is only to give the migrated users 90 days with their familiar AD credentials instead of forcing everybody to change overnight.
    How can you actually convert a Federated user to a cloud user AND remove them from the dirsync scope while retaining their cloud user and its mailbox?

    • That sounds like quite an advanced and unusual scenario and not one I have come across before, so I couldn’t really say. Perhaps Office 365 support could give you some guidance on it.
