Convert a Federated Domain to a Standard Domain for AD FS Failover

November 18, 2020 | Azure, Best Practices, Blog, Microsoft
Azure Active Directory Fixes, Tips, and Tricks

Ever wanted an AD FS failover option without the overhead of a fully redundant AD FS setup? Azure AD Connect Pass-through Authentication or Password Sync may fit that bill. In order to deploy either of these technologies you’ll have to convert your federated domain to a standard domain.

Overview

The Convert-MsolDomainToStandard cmdlet (command-let) converts the specified domain from single sign-on (AKA identity federation) to standard authentication. This process also removes the relying party trust settings in the AD FS server and online service. After the conversion, this cmdlet will convert all existing users from single sign-on to standard authentication.

What’s Needed Before you Begin

  • Estimated time to complete commands: 10 minutes
  • Conversion of the domain and all users: it can take up to 2 hours for the domain conversion from federated to standard, plus an additional hour for every 2000 users.
  • It is recommended to use a cloud-only account for the MSOL commands.

Convert the Namespace

Run the following commands in the order in which they are presented. Press Enter after you type each command.

  1. $cred = Get-Credential
  • When you are prompted, enter Office 365 administrator credentials that are not SSO-enabled. We recommend a cloud-only admin account here.
  2. Connect-MsolService -Credential $cred
  3. Set-MsolADFSContext -Computer <AD FS server name>
  • In this command, the placeholder <AD FS server name> represents the name of the primary AD FS server.
  • If the AD FS server is a remote server you must set the AD FS server context; if you are running the commands on the AD FS server itself you can skip this step.
  4. Convert-MsolDomainToStandard -DomainName <federated domain name> -SkipUserConversion $false -PasswordFile c:\userpasswords.txt
  • The placeholder <federated domain name> represents the name of the domain you are converting.
  • This command removes the Relying Party Trust information from the Office 365 authentication system federation service and the on-premises AD FS federation service. The -PasswordFile parameter indicates the path of the text file that will contain the newly created temporary password of each formerly federated user's account; the file must not exist before calling the cmdlet.

Notes

If you are temporarily switching to use synchronized passwords while you are repairing your SSO infrastructure, set -SkipUserConversion to $true.

If you are permanently decommissioning your SSO Infrastructure, set -SkipUserConversion to $false to ensure users are converted correctly.

Additionally, if the AD FS server is not available because of a failure you can convert the domain to Standard using the Set-MsolDomainAuthentication cmdlet to set the authentication to managed.

Potential Issues

  1. If you get the following error, use a cloud-only global administrator account when connecting and running your MSOL commands.
  • Convert-MSOLDomainToStandard : When converting domains, please sign in using the initial company administrator credentials (user name and password).
  2. If after conversion users experience sign-on issues, run the following PowerShell command from your server running Azure AD Connect.
  • Start-ADSyncSyncCycle -PolicyType Initial
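Putting the steps above together, here is an added example script (not from the original post or from PEI) that runs the conversion with the checks an operator usually wants around it: it confirms the domain is actually federated before touching it, refuses to run if the password file already exists, verifies the domain reports Managed afterwards, locks down the temporary-password file, and optionally triggers the initial sync from the Potential Issues section. It also covers the failover case from the Notes, where AD FS is down and only Set-MsolDomainAuthentication can be used. The parameter names ($DomainName, $AdfsServer, $AadConnectServer and so on) are this script's own placeholders; the cmdlets are the MSOnline and ADSync cmdlets named in the post.

```powershell
<#
  Added example, not part of the original post.
  Assumes the MSOnline module is installed on the machine running this script,
  and that the ADSync module is present on the Azure AD Connect server.
#>
param(
    [Parameter(Mandatory)] [string] $DomainName,   # the federated domain to convert
    [string] $AdfsServer,                           # primary AD FS server; omit when running on it
    [bool]   $SkipUserConversion = $false,          # $true = temporary switch, $false = decommissioning
    [string] $PasswordFile = 'C:\userpasswords.txt',
    [switch] $AdfsUnavailable,                      # AD FS is down: set Managed on the cloud side only
    [string] $AadConnectServer                      # optional: run an initial sync cycle afterwards
)

$ErrorActionPreference = 'Stop'
Import-Module MSOnline

# 1. Sign in with a cloud-only global administrator, never an SSO-enabled account.
$cred = Get-Credential -Message 'Cloud-only Office 365 global administrator'
Connect-MsolService -Credential $cred

# 2. Confirm the domain really is federated before changing anything.
$domain = Get-MsolDomain -DomainName $DomainName
if ($domain.Authentication -ne 'Federated') {
    throw "$DomainName is already '$($domain.Authentication)'; nothing to convert."
}

if ($AdfsUnavailable) {
    # Failover path from the Notes: AD FS cannot be reached, so only the cloud side
    # is switched. The on-premises relying party trust is not removed and has to be
    # cleaned up once AD FS is back.
    Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Managed
}
else {
    # 3. Point the cmdlets at the primary AD FS server unless we are on it.
    if ($AdfsServer) { Set-MsolADFSContext -Computer $AdfsServer }

    # 4. The cmdlet requires that the password file does not exist; fail early with a clear message.
    if (Test-Path $PasswordFile) {
        throw "$PasswordFile already exists; move or delete it before converting (it may hold old temporary passwords)."
    }

    Convert-MsolDomainToStandard -DomainName $DomainName `
        -SkipUserConversion $SkipUserConversion `
        -PasswordFile $PasswordFile
}

# 5. Verify the result rather than assuming the cmdlet finished.
$after = Get-MsolDomain -DomainName $DomainName
if ($after.Authentication -ne 'Managed') {
    throw "Conversion did not complete: $DomainName is still '$($after.Authentication)'."
}
Write-Host "$DomainName is now Managed."

if (-not $AdfsUnavailable -and -not $SkipUserConversion -and (Test-Path $PasswordFile)) {
    # The file holds one plaintext temporary password per converted user. Restrict it to
    # the current account now and delete it once the passwords have been handed out.
    icacls $PasswordFile /inheritance:r /grant:r "$($env:USERNAME):(R)" | Out-Null
    Write-Warning "Temporary passwords written to $PasswordFile; distribute them, then delete the file."
}

# 6. Optional: the post's remedy for sign-on problems after conversion, run on the
#    Azure AD Connect server so synchronized password hashes reach the cloud.
if ($AadConnectServer) {
    Invoke-Command -ComputerName $AadConnectServer -ScriptBlock {
        Import-Module ADSync
        Start-ADSyncSyncCycle -PolicyType Initial
    }
}
```

Run it as `.\Convert-FederatedDomain.ps1 -DomainName contoso.example -AdfsServer adfs01` for a full conversion (the file name and values are placeholders), add `-SkipUserConversion $true` while AD FS is only being repaired, and use `-AdfsUnavailable` when the AD FS server cannot be reached at all. The pre- and post-checks matter because the conversion can take hours for large tenants; checking Authentication on the domain object is the reliable way to know whether the cloud side has actually flipped to Managed.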

Lucas and Brandon | PEI

One Comment

  • B F says:

    Unclear what some of the commands would do where we have an internal forest domain & a domain where we publicly log in via an external domain; I assume we use our external UPN suffix in the script which is registered on O365?
    Also I’ve seen conflicting use of the “-SkipUserConversion $true” command; other scripts suggest “false” if pwd sync is already enabled & up to date.
