Convert Office 365 Domain to Managed

Introduction

You are required to convert an Office 365 domain to managed when you have issues with a federated domain or with the federation provider. Office 365 can authenticate cloud-based identities, synced identities or federated identities. This blog post focuses on converting a federated domain to managed in Office 365 when you have issues with your ADFS deployment or you are looking at removing your federation with Office 365. Federated identities, also known as single sign-on, allow you to set up token-based authentication for your organization. If you have set up single sign-on with ADFS and the ADFS infrastructure is removed for any reason before Office 365 single sign-on is turned off, and ADFS is not restored, then your users will not be able to log in to Office 365 to access the services.

I have seen companies set up Azure AD Connect to sync password hashes with Office 365 as a backup to their single sign-on authentication, but it doesn't work until you convert the domain to managed in Office 365. The reason it does not work is that when a user enters his username in Office 365, Office 365 redirects the user to the ADFS login page because the domain name is set up as a "Federated Domain". If you don't have the time or a plan to restore the ADFS services, you are required to convert the Office 365 domain to a managed domain so users can log in and access the workload.

The domain should be converted to Managed if the SSO provider is not functional; otherwise users will not be able to log in to Office 365.

Convert Office 365 Domain to Managed

To convert a federated domain to a managed domain in Office 365, you are required to perform the following steps.

  • Connect to Office 365 with PowerShell using global admin credentials. Run the following cmdlet to connect to Office 365. When the cmdlet prompts you for credentials, type your Office 365 global admin credentials.

Connect-MsolService


  • Convert your domain from a federated domain to a managed domain by running the following cmdlet:

Set-MsolDomainAuthentication -Authentication Managed -DomainName "msexperttalk.com"


  • To verify that you have successfully converted the domain to managed, run the following cmdlet:

Get-MsolDomain

This cmdlet lists all the domains in Office 365 along with the authentication method set up for each.
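The three steps above as one script, added here as an example and not part of the original post. It assumes the MSOnline module is installed, uses a placeholder domain name that you replace with your own verified domain, and only runs Set-MsolDomainAuthentication when the domain is actually federated, then re-reads the domain to confirm the change took effect and checks that the tenant has password synchronization enabled, because a managed domain is useless if no password hashes have been synced.

```powershell
# Added example (not from the original post): convert one federated domain to
# managed with the MSOnline module and verify the result.
$DomainName = 'contoso.example'   # placeholder, constructed for this example

# 1. Sign in with a Global Administrator account (prompts for credentials)
Connect-MsolService

# 2. Read the current authentication type before changing anything
$domain = Get-MsolDomain -DomainName $DomainName
Write-Host ("Before: {0} is {1} ({2})" -f $domain.Name, $domain.Authentication, $domain.Status)

# 3. Only act if the domain is federated; a managed domain needs no change.
#    This call updates the flag in Azure AD directly and does not contact ADFS,
#    which is why it still works when the federation provider is down.
if ($domain.Authentication -eq 'Federated') {
    Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Managed
}
else {
    Write-Host "Domain is already managed; no change made."
}

# 4. Verify: re-read the domain and fail loudly if the conversion did not stick
$after = Get-MsolDomain -DomainName $DomainName
if ($after.Authentication -ne 'Managed') {
    throw "Conversion of $DomainName did not take effect; authentication is still $($after.Authentication)"
}

# List every domain in the tenant with its authentication type, as in the post
Get-MsolDomain | Format-Table Name, Status, Authentication -AutoSize

# 5. A managed domain authenticates against the synced password hash, so confirm
#    the tenant-level password synchronization flag is on before users sign in
$company = Get-MsolCompanyInformation
Write-Host ("Password sync enabled in tenant: {0}" -f $company.PasswordSynchronizationEnabled)
```

Run it from an elevated PowerShell session on any machine with the MSOnline module; the script is safe to re-run, since it does nothing when the domain is already managed.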



Once you have converted the domain to managed, the next step is to ensure that the users' passwords have been synchronized from on-premises Active Directory to Office 365. To synchronize the on-premises user password hashes to Office 365, you need to enable password sync in Azure AD Connect and perform a full sync for the first time. For more information on Office 365 single sign-on or Azure AD Connect deployment, please go to the following articles.
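The password sync step as a script to run on the Azure AD Connect server, added here as an example and not part of the original post. It assumes the ADSync module that ships with Azure AD Connect, checks that the password hash sync feature is enabled and that no sync cycle is already running, and then starts the full (Initial) cycle the post calls for; the user principal name in the final check is a placeholder.

```powershell
# Added example (not from the original post): on the Azure AD Connect server,
# confirm password hash sync is on and run a full sync so on-premises password
# hashes reach Office 365 before users sign in to the now-managed domain.
Import-Module ADSync

# Password hash sync is a feature flag recorded by Azure AD Connect; if it is
# off, a full sync will export users but no password hashes
$features = Get-ADSyncAADCompanyFeature
if (-not $features.PasswordHashSync) {
    throw "Password hash sync is not enabled. Enable it in the Azure AD Connect wizard (Optional features) and re-run this script."
}

# Do not start a second cycle while the scheduler is mid-run
$scheduler = Get-ADSyncScheduler
if ($scheduler.SyncCycleInProgress) {
    Write-Host "A sync cycle is already running; wait for it to finish before starting a full sync."
    return
}

# The first password sync needs a full (Initial) cycle, not the routine Delta cycle
Start-ADSyncSyncCycle -PolicyType Initial
Write-Host "Full sync started; monitor progress in Synchronization Service Manager."

# Afterwards, from an MSOnline session, confirm a test user was synced recently
# (placeholder UPN constructed for this example)
# Connect-MsolService
# Get-MsolUser -UserPrincipalName 'user@contoso.example' |
#     Select-Object UserPrincipalName, LastDirSyncTime
```

The commented-out tail is the verification you would run from the MSOnline side once the cycle completes: a LastDirSyncTime after the conversion tells you the account, and with it the password hash, has been exported.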

2 comments

  • First of all, thank you for this article. I have a question though. Other articles I've read mention the below PowerShell example. Is this also part of the process?

    Convert-MsolDomainToStandard -DomainName domain -SkipUserConversion $false -PasswordFile c:\domain_userpasswords.txt

    Are Convert-MsolDomainToStandard and Set-MsolDomainAuthentication both required?

    • John,

      It depends on how you convert your domain. If your ADFS servers are up and running and can be contacted, then you can run Convert-MsolDomainToStandard, but if your ADFS servers are down and unreachable, then you'll get an error message with Convert-MsolDomainToStandard. At that time you need to run the Set-MsolDomainAuthentication cmdlet, and that cmdlet will forcefully set the domain to managed from federated.