Convert Office 365 Domain to Managed

Introduction

You need to convert an Office 365 domain to managed when you have issues with a federated domain or with the federation provider. Office 365 can authenticate cloud-based identities, synced identities or federated identities. This blog post focuses on converting a federated domain to managed in Office 365 when your ADFS deployment has problems or you are retiring your federation with Office 365. Federated identities, also known as Single Sign on, let you set up token-based authentication for your organization. If you have set up Single Sign on with ADFS and the ADFS infrastructure is removed for any reason before Single Sign on is turned off in Office 365, and ADFS is not restored, your users will not be able to log in to Office 365 and access its services.

I have seen companies set up Azure AD Connect to sync password hashes with Office 365 as a backup to their Single Sign on authentication, but it does not work until you convert the domain to managed in Office 365. The reason is that when a user enters his username, Office 365 redirects him to the ADFS login page because the authentication property of the domain name is set to "Federated". If you do not have the time or a plan to restore the ADFS services, you must convert the Office 365 domain to a managed domain so users can log in and access the workloads.

The domain should be converted to Managed if the SSO provider is not functional; otherwise users will not be able to log in to Office 365.

Convert Office 365 Domain to Managed

To convert a federated domain to a managed domain in Office 365, perform the following steps.

  • Connect to Office 365 with PowerShell using Global Admin credentials. Run the following cmdlet to connect to Office 365; when it prompts for credentials, enter your Office 365 Global Admin credentials.

Connect-MsolService


  • Convert your domain from a federated domain to a managed domain by running the following cmdlet.

Set-MsolDomainAuthentication -Authentication Managed -DomainName "msexperttalk.com"


  • To verify that you have successfully converted the domain to managed, run the following cmdlet.

Get-MsolDomain

This cmdlet lists all the domains in Office 365 along with the authentication method configured for each of them.
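The three steps above as one script, added here as an example and not part of the original post. It uses the same MSOnline cmdlets; the domain name is the post's example value and must be replaced, and the backup file path is my own choice. It refuses to touch a domain that is not currently federated, keeps a copy of the federation settings, and verifies the result afterwards.

```powershell
# Added example (not from the original post): convert one federated domain to managed,
# checking the state before and after. Replace the domain name with your own.
param(
    [string]$DomainName = "msexperttalk.com"   # value used in the post; placeholder here
)

Import-Module MSOnline
Connect-MsolService          # prompts for Office 365 Global Admin credentials

# Pre-check: the domain must exist in the tenant and currently be federated.
$domain = Get-MsolDomain -DomainName $DomainName -ErrorAction Stop
if ($domain.Authentication -ne 'Federated') {
    Write-Warning "$DomainName is '$($domain.Authentication)', not 'Federated'; nothing to convert."
    return
}

# Keep a copy of the current federation settings (issuer URI, endpoints, signing
# certificate) so the trust can be rebuilt if ADFS is restored later.
$backupPath = Join-Path $PWD "$DomainName-federation-settings.xml"   # path is my choice
Get-MsolDomainFederationSettings -DomainName $DomainName | Export-Clixml -Path $backupPath
Write-Host "Federation settings saved to $backupPath"

# The conversion itself: the cmdlet shown in the post.
Set-MsolDomainAuthentication -Authentication Managed -DomainName $DomainName

# Post-check: re-read the domain and fail loudly if it is not managed now.
$after = Get-MsolDomain -DomainName $DomainName
if ($after.Authentication -ne 'Managed') {
    throw "Conversion of $DomainName did not take effect (Authentication = $($after.Authentication))."
}
Write-Host "$DomainName is now a managed domain; users authenticate with synced password hashes."

# Tenant-wide view, equivalent to the bare Get-MsolDomain in the post.
Get-MsolDomain | Select-Object Name, Status, Authentication | Format-Table -AutoSize
```

The saved federation settings are worth keeping with your change record: once the domain is managed, nothing in the tenant remembers which ADFS instance used to issue its tokens.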



Once you have converted the domain to managed, the next step is to ensure that the users' password hashes have been synchronized from on-premises Active Directory to Office 365. To synchronize the on-premises password hashes to Office 365, enable password synchronization in Azure AD Connect and perform a full sync the first time. For more information on Office 365 Single Sign on or Azure AD Connect deployment, see the following articles.
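A readiness check for the password hash sync described above, added here as an example and not part of the original post. The initial sync cycle is the ADSync cmdlet that exists on the Azure AD Connect server; the tenant-side checks use Get-MsolCompanyInformation and Get-MsolUser. The sample UPNs and the 30-minute staleness threshold are my own choices.

```powershell
# Added example (not from the original post): confirm that password hash sync is
# actually delivering hashes to the tenant before (or right after) converting a
# domain to managed. Sample UPNs and the staleness threshold are my own choices.

# --- Part 1, on the Azure AD Connect server only: the one-time full sync the post refers to.
#     (The ADSync module ships with Azure AD Connect; uncomment there.)
# Import-Module ADSync
# Start-ADSyncSyncCycle -PolicyType Initial

# --- Part 2, from any machine with the MSOnline module: tenant-side verification.
Import-Module MSOnline
Connect-MsolService

function Test-PasswordHashSyncReadiness {
    param(
        [string[]]$SampleUpns,            # a few synced users to spot-check
        [int]$MaxAgeMinutes = 30          # assumption: a last sync older than this is suspicious
    )
    $info = Get-MsolCompanyInformation
    $ok = $true

    if (-not $info.DirectorySynchronizationEnabled) {
        Write-Warning "Directory synchronization is not enabled on the tenant."
        $ok = $false
    }
    if (-not $info.PasswordSynchronizationEnabled) {
        Write-Warning "Password hash synchronization is not enabled; managed users would have no usable password."
        $ok = $false
    }
    if ($info.LastPasswordSyncTime) {
        $age = (Get-Date).ToUniversalTime() - $info.LastPasswordSyncTime
        if ($age.TotalMinutes -gt $MaxAgeMinutes) {
            Write-Warning ("Last password sync was {0:N0} minutes ago." -f $age.TotalMinutes)
            $ok = $false
        }
    } else {
        Write-Warning "The tenant has never received a password sync."
        $ok = $false
    }

    # Per-user spot check: cloud-only accounts never get an on-premises hash.
    foreach ($upn in $SampleUpns) {
        $user = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
        if (-not $user) {
            Write-Warning "$upn was not found in the tenant."
            $ok = $false
            continue
        }
        if (-not $user.LastDirSyncTime) {
            Write-Warning "$upn is cloud-only, not synced from on-premises AD."
            $ok = $false
        }
    }
    return $ok
}

# Constructed sample UPNs; replace with real synced accounts.
$ready = Test-PasswordHashSyncReadiness -SampleUpns @("user1@msexperttalk.com", "user2@msexperttalk.com")
if ($ready) { Write-Host "Password hash sync looks healthy; safe to convert the domain to managed." }
else        { Write-Host "Resolve the warnings above first, or users will not be able to sign in after the conversion." }
```

Run the tenant-side check before you convert, not only after: a domain that is switched to managed while the tenant has never received a password hash leaves every synced user locked out until the first sync completes.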


Single Sign on with Office 365

Single Sign on with Office 365 is mostly used by organizations to provide a seamless experience to their end users. This article will help you set up Single Sign on with Office 365 using ADFS 3.0. Before we start, let's review a few important prerequisites for SSO.

You can also download the complete guide on setting up Single Sign on with Office 365 from TechNet.

  1. An internet-routable domain name to set up SSO, e.g. contoso.com, mstechtalk.com
  2. An SSL certificate from a public certificate authority such as GoDaddy
  3. Office 365 Global Admin permission
  4. A service account for ADFS 3.0
  5. Web Application Proxy
  6. The AAD Sync tool to synchronize identities with Office 365

If you have an internal domain name that is not routable to the internet, you will have to add a custom UPN suffix that matches the external namespace. You can add a UPN suffix to your forest by following the instructions in the Microsoft Knowledge Base.

Lab Details

Currently I have the following infrastructure in my lab for setting up Single Sign on with Office 365.

  • 2 x Windows Server 2012 R2 domain controllers (domain name: enpointelab.net)
  • 1 x Azure AD Sync tool
  • 1 x Windows Server 2012 R2 server for ADFS 3.0 in the production zone
  • 1 x Windows Server 2012 R2 server in the DMZ for Web Application Proxy

Let's get started with the lab and set up Single Sign on with Office 365.

Activate Single Sign on

Before we start installing ADFS 3.0, we first need to enable Single Sign on in Office 365. To activate Single Sign on in Office 365, follow the steps below.

****Before we start this step I assume you've already set up your Office 365 tenant and configured your custom domain in Office 365****

To activate Single Sign on, go to the Office 365 portal –> Active Users –> click Set Up.

Once you are done with your planning and preparation for Single Sign on, move on to the 2nd step and deploy your ADFS servers.

Create SSL Certificate Request for AD FS 3.0

Before we start installing and configuring AD FS 3.0 for Single Sign on, let's first create the SSL certificate request to procure an SSL certificate from a public authority such as GoDaddy.

****I've procured my SSL certificate from GoDaddy for this lab****

To create an SSL certificate request, open the MMC console:

  1. Click Add/Remove Snap-in, select Certificates and click the Add button.
  2. Select Computer Account and click Next.
  3. Right click Personal –> All Tasks –> Advanced Options –> Create Custom Request.
  4. The Certificate Enrollment wizard starts; click Next.
  5. Click Next on each of the following wizard pages.
  6. Click Details, then click Properties.
  7. Enter a friendly name for your certificate, then click the Subject tab.
  8. From the drop-down menu, select Common name, provide the value and click the Add button.
  9. Click the Private Key tab.
  10. Select the key size and tick the "Make private key exportable" checkbox, click Apply and hit OK.
  11. Click Next.
  12. Click Finish. Copy the request file, provide it to your SSL certificate provider and procure the certificate. Once it has been issued, complete the certificate request.

Import SSL Certificate

Once you have received the certificate from the public certificate provider, go to MMC –> Add/Remove Snap-in –> Certificates –> Computer account –> Personal –> right click –> All Tasks –> Import, and step through the Certificate Import wizard.
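The certificate request and import from the two sections above done on the command line instead of in the MMC, added here as an example and not part of the original post. It uses certreq.exe with an INF file that mirrors the wizard choices (common name, key size, exportable private key, computer store, Server Authentication usage); the hostname, file paths and key size are my own choices.

```powershell
# Added example (not from the original post): the same SSL certificate request and
# import as the MMC steps above, done with certreq.exe and PowerShell. Hostname, file
# names and key size are my choices; adjust them to your federation service name.
$FsHostname = "fs.enpointelab.net"           # lab name used in the post
$RequestInf = "$env:TEMP\adfs-ssl.inf"
$RequestCsr = "$env:TEMP\adfs-ssl.req"       # the request file you hand to the CA
$IssuedCer  = "$env:TEMP\adfs-ssl.cer"       # file the CA returns; path is a placeholder

# certreq INF equivalent of the wizard choices: subject common name, key size,
# exportable private key, machine (computer) store, Server Authentication EKU.
@"
[NewRequest]
Subject = "CN=$FsHostname"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
Exportable = TRUE
MachineKeySet = TRUE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
FriendlyName = "ADFS SSL $FsHostname"

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
"@ | Set-Content -Path $RequestInf -Encoding ASCII

# 1. Generate the key pair in the computer store and write the CSR (the request file
#    you provide to the public CA, GoDaddy in the post).
certreq.exe -new $RequestInf $RequestCsr
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }
Write-Host "Submit $RequestCsr to your certificate provider."

# 2. Once the CA returns the issued certificate, complete the pending request so the
#    certificate is paired with its private key (the 'complete the certificate request'
#    and Import steps above).
if (Test-Path $IssuedCer) {
    certreq.exe -accept $IssuedCer
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }
}

# 3. Verify: the certificate is in the computer Personal store, has its private key,
#    and the thumbprint is what the AD FS configuration will need.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$FsHostname" } |
    Select-Object Subject, NotAfter, HasPrivateKey, Thumbprint
```

The check in step 3 matters: a certificate that was imported without its private key (HasPrivateKey is False) shows up in the store but cannot be used for the AD FS SSL binding.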

Installing AD FS 3.0

To install AD FS 3.0, go to Server Manager –> Add Roles and Features and step through the wizard, selecting the Active Directory Federation Services role.

We’re done with the installation of our first ADFS 3.0 server.

Configure AD FS 3.0

As we're done with the installation of AD FS 3.0 on the first server, let's follow the steps to configure AD FS 3.0.

Go to Server Manager –> click Configure the Federation Service on this Server, and step through the configuration wizard.

We're using Windows Internal Database for the AD FS deployment. WID can support up to 5 AD FS servers in an AD FS server farm; it is based on SQL Express 2012 and has a 10 GB database size limit.

Your ADFS 3.0 server is installed and configured now. To test your ADFS deployment, go to https://fs.mydomain.com/adfs/ls/IdpInitiatedSignon.aspx. I've created an "A" record in my DNS for "FS" pointing to the ADFS server. After installing the 2nd ADFS server, I'll add that server to my load balancer as well.
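The role installation and farm configuration from the two sections above, done with the ADFS PowerShell module on Windows Server 2012 R2, added here as an example and not part of the original post. The federation service name is the lab name from the post; the display name, service account name and the way the certificate is looked up are my own assumptions.

```powershell
# Added example (not from the original post): install the AD FS role and create a
# WID-backed farm with the ADFS PowerShell module, matching the wizard steps above.
# Service name, account name and the certificate lookup are my assumptions.
$FederationServiceName = "fs.enpointelab.net"   # lab name used in the post
$DisplayName           = "Enpointe Lab"          # shown on the sign-in page; my choice

# Role installation (Server Manager -> Add Roles and Features equivalent).
Install-WindowsFeature ADFS-Federation -IncludeManagementTools

# Pick the SSL certificate issued for the federation service from the computer store;
# it must carry its private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$FederationServiceName" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for CN=$FederationServiceName in LocalMachine\My" }

# Service account (prerequisite 4 in the post); prompts for the password rather than
# embedding it in the script. Account name is a placeholder.
$svcCred = Get-Credential -UserName "ENPOINTELAB\svc_adfs" -Message "AD FS service account"

# First server in the farm: no -SQLConnectionString, so the wizard's default
# Windows Internal Database is used.
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
                 -FederationServiceName $FederationServiceName `
                 -FederationServiceDisplayName $DisplayName `
                 -ServiceAccountCredential $svcCred

# The 2nd server joins the same farm with Add-AdfsFarmNode (run on that server), e.g.:
# Add-AdfsFarmNode -PrimaryComputerName <first-server> -CertificateThumbprint $cert.Thumbprint -ServiceAccountCredential $svcCred

# Verification: the service properties, then the IdP-initiated sign-on page the post tests.
Get-AdfsProperties | Select-Object HostName, Identifier
$resp = Invoke-WebRequest -Uri "https://$FederationServiceName/adfs/ls/IdpInitiatedSignon.aspx" -UseBasicParsing
if ($resp.StatusCode -eq 200) { Write-Host "AD FS sign-on page answered over HTTPS." }
```

The Invoke-WebRequest check also exercises the DNS "A" record and the SSL certificate chain from the client's point of view, which is what end users will hit once the domain is federated.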
