You may need to convert an Office 365 domain from federated to managed when your federated domain or your federation provider has problems. Office 365 can authenticate users with cloud-based identities, synchronized identities or federated identities. This blog post focuses on converting a federated domain to managed in Office 365 when your ADFS deployment has issues or when you want to remove federation from Office 365 altogether. Federated identities, also known as Single Sign-On (SSO), let you set up token-based authentication for your organization. If you have set up SSO with ADFS, the ADFS infrastructure is removed for any reason before Office 365 single sign-on is turned off, and ADFS is not restored, your users will not be able to log in to Office 365 and access its services.
I have seen companies set up Azure AD Connect to sync password hashes to Office 365 as a backup for their single sign-on authentication, but it does not work until you convert the domain to managed in Office 365. The reason it does not work is that when a user enters a username in Office 365, Office 365 redirects the user to the ADFS login page because the domain name's property is set to "Federated Domain". If you do not have the time or a plan to restore the ADFS services, you must convert the Office 365 domain to a managed domain so users can log in and access the workloads.
The domain should be converted to managed if the SSO provider is not functional; otherwise users will not be able to log in to Office 365.
Convert Office 365 Domain to Managed
To convert a federated domain to a managed domain in Office 365, perform the following steps.
- Connect to Office 365 with PowerShell using Global Administrator credentials. Run the following cmdlet to connect to Office 365; when the cmdlet prompts you for credentials, enter your Office 365 Global Administrator credentials.
- Convert your domain from a federated domain to a managed domain by running the following cmdlet:
Set-MsolDomainAuthentication -Authentication Managed -DomainName "msexperttalk.com"
- To verify that you have successfully converted the domain to managed, run the following cmdlet.
This cmdlet lists all the domains in Office 365 along with the authentication method configured for each.
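The whole procedure as one script, added here as an example and not taken from the original post. It assumes the MSOnline PowerShell module is installed and uses the post's domain name "msexperttalk.com" as a placeholder; it records the authentication type before the change and fails loudly if the domain is not Managed afterwards.

```powershell
# Added example: convert a federated Office 365 domain to managed and verify it.
# Assumes the MSOnline module is installed (Install-Module MSOnline).
# "msexperttalk.com" is the domain from the post; replace it with your own.
$DomainName = "msexperttalk.com"

# Connect with Global Administrator credentials (prompts for them)
Connect-MsolService

# Record the current authentication type before changing anything
$before = Get-MsolDomain -DomainName $DomainName
Write-Host "Before: $($before.Name) is $($before.Authentication)"

if ($before.Authentication -eq "Federated") {
    # Switch the domain to managed so sign-ins stop redirecting to ADFS
    Set-MsolDomainAuthentication -Authentication Managed -DomainName $DomainName
}
else {
    Write-Host "Domain $DomainName is already $($before.Authentication); nothing to do."
}

# Verify: list every domain with its authentication method
Get-MsolDomain | Select-Object Name, Authentication, Status | Format-Table -AutoSize

# Re-read the domain and stop if the conversion did not apply
$after = Get-MsolDomain -DomainName $DomainName
if ($after.Authentication -ne "Managed") {
    throw "Domain $DomainName is still $($after.Authentication); conversion did not apply."
}
Write-Host "After: $($after.Name) is $($after.Authentication)"
```

Users can only sign in after the conversion if their password hashes have already been synchronized by Azure AD Connect, so check that before running this against a tenant whose ADFS is down.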
Once you have converted the domain to managed, the next step is to ensure that user passwords have been synchronized from on-premises Active Directory to Office 365. To synchronize the on-premises user password hashes to Office 365, enable password synchronization in Azure AD Connect and run a full sync the first time. For more information on Office 365 single sign-on or Azure AD Connect deployment, see the following articles:
- Step by Step guide to setup single Sign on with Office 365
- Azure AD Sync Installation Step by Step – Part 1
- Azure AD Sync Installation Step by Step – Part 2
- Azure AD Sync Installation Step by Step – Part 3
- Azure AD Sync Installation Step by Step – Part 4
- Azure AD Sync Installation Step by Step – Part 5