Convert Office 365 Domain to Managed

Introduction

You are required to convert an Office 365 domain to managed when you have issues with a federated domain or your federation provider. Office 365 can authenticate users with cloud-based identities, synced identities or federated identities. This blog post is focused on converting a federated domain to managed in Office 365 when you have issues with your AD FS deployment or you are looking at taking off your federation with Office 365. Federated identities, also known as Single Sign-On, let you set up token-based authentication for your organization. If you have set up Single Sign-On with AD FS, and the AD FS infrastructure is removed for any reason before Office 365 Single Sign-On is turned off, and AD FS is not restored, then your users will not be able to log in to Office 365 to access the services.

I have seen companies set up Azure AD Connect to sync password hashes with Office 365 as a backup to their Single Sign-On authentication, but it doesn't work until you convert the domain to managed in Office 365. The reason it does not work is that when a user enters a username in Office 365, Office 365 redirects the user to the AD FS login page because the domain name is set up as a "Federated Domain". If you don't have time or a plan to restore the AD FS services, you are required to convert the Office 365 domain to a managed domain so users can log in and access the workloads.

The domain should be converted to Managed if the SSO provider is not functional; otherwise users will not be able to log in to Office 365.

Convert Office 365 Domain to Managed

To convert a federated domain to a managed domain in Office 365, perform the following steps.

  • Connect to Office 365 with PowerShell using Global Admin credentials. Run the following cmdlet to connect to Office 365. When the cmdlet prompts you for credentials, type your Office 365 Global Admin credentials.

Connect-MsolService


  • Convert your domain from a federated domain to a managed domain by running the following cmdlet:

Set-MsolDomainAuthentication -Authentication Managed -DomainName "msexperttalk.com"


  • To verify that you have successfully converted the domain to managed, run the following cmdlet:

Get-MsolDomain

This cmdlet lists all the domains in Office 365 along with the authentication method configured for each.
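The three steps above, as an added example script that is not part of the original post: it checks the domain's current authentication type before touching it, keeps a copy of the federation settings for review, runs the same Set-MsolDomainAuthentication cmdlet the post uses, and then confirms the domain reports Managed. It assumes the MSOnline module is installed and that you sign in as a Global Admin; the domain name is passed as a parameter (the post's example is msexperttalk.com).

```powershell
# Added example (not the blog's own code): convert a federated domain to managed
# with a pre-check and a post-check around the cmdlet the post uses.
# Assumes the MSOnline module is installed and you sign in as a Global Admin.
param(
    [Parameter(Mandatory = $true)]
    [string]$DomainName   # e.g. "msexperttalk.com" from the post
)

Import-Module MSOnline
Connect-MsolService   # prompts for Global Admin credentials

# Pre-check: only a Federated domain needs converting.
$domain = Get-MsolDomain -DomainName $DomainName -ErrorAction Stop
if ($domain.Authentication -ne 'Federated') {
    Write-Host "Domain '$DomainName' is already $($domain.Authentication); nothing to do."
    return
}

# Keep a record of the current federation settings so the change can be reviewed later.
$backupPath = Join-Path $PWD "$DomainName-federation-settings.xml"
Get-MsolDomainFederationSettings -DomainName $DomainName | Export-Clixml -Path $backupPath
Write-Host "Federation settings saved to $backupPath"

# The conversion itself (the same cmdlet as in the post).
Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Managed

# Post-check: until the domain reports Managed, users are still redirected to AD FS.
$after = Get-MsolDomain -DomainName $DomainName -ErrorAction Stop
if ($after.Authentication -eq 'Managed') {
    Write-Host "Domain '$DomainName' is now Managed. Confirm password hash sync has completed in Azure AD Connect."
} else {
    Write-Warning "Domain '$DomainName' still reports $($after.Authentication); re-check before users try to sign in."
}
```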


Once you have converted the domain to managed, the next step is to ensure that the users' passwords have been synchronized from on-premises Active Directory to Office 365. To synchronize the on-premises user password hashes to Office 365, you need to enable password sync in Azure AD Connect and perform a full sync the first time. For more information on Office 365 Single Sign-On or Azure AD Connect deployment, please go to the following articles.

Security Vulnerability in AD FS 3.0


In April 2015, Microsoft released an important security update for AD FS 3.0 in a Security Bulletin that protects you from a security breach reported in AD FS 3.0. A security vulnerability was found in AD FS 3.0 that let hackers / intruders gain access to your application using an existing token.

According to Microsoft Security Bulletin MS15-040, the vulnerability allows an attacker to gain access to an application that uses AD FS 3.0 SSO, such as Office 365. The flaw is in the logoff process of AD FS 3.0: the log off failed, allowing an intruder to reuse the existing token to access the application as the user.

This security update resolves a vulnerability in Active Directory Federation Services (AD FS). The vulnerability could allow information disclosure if a user leaves their browser open after logging off from an application and an attacker reopens the application in the browser immediately after the user has logged off.

The Security Bulletin claims that Microsoft has no knowledge of any cases where this vulnerability was exploited, and I hope no one is impacted or could be impacted and that everyone can patch their AD FS servers, as I did my servers before writing up this article 🙂

Detailed information on the security bulletin can be found on TechNet. Be safe 🙂