Forum Discussion

ch0wd0wn's avatar
ch0wd0wn
Copper Contributor
Oct 04, 2019

Convert a SINGLE user from Federated to Managed Authentication and then BACK to Federated... HOW?


Hello!
We are troubleshooting some account lockout issues.  We have O365 with our domain in Federated Authentication (PingFed).
 
We want to just change 1 user from federated to managed auth... I see the command for it Convert-MSOLFederatedUser … but I don't see any command to convert the user back to Federated??
Any suggestions??
  • Do your users authenticate with Domain\Username? If so this change will not affect how the user is logging on to their local machine. I usually just let Outlook prompt stating that it is no longer connected to Microsoft Exchange and prompts for the username and password. Hope this helps!  ch0wd0wn 

  • Bryan Haslip's avatar
    Bryan Haslip
    Iron Contributor

    From my understanding the command Convert-MsolFederatedUser is supposed to be used after the conversion of the sign in domain back to the standard authentication type. A new password has to be specified for the user as well. With federation it is all or nothing when it comes to domain. All users will use the same authentication method federated or standard. I have however successfully tested sign in issues by changing the UPN suffix in Active Directory for the user. This can be accomplished by using the .onmicrosoft.com domain or if your company owns a second domain that is verified in Office 365. Let me know if I can assist any other way!

     

    Convert-MsolFederatedUser Doc - https://docs.microsoft.com/en-us/powershell/module/msonline/convert-msolfederateduser?view=azureadps-1.0

     

     ch0wd0wn 

    • ch0wd0wn's avatar
      ch0wd0wn
      Copper Contributor

      Hi Bryan

      Yeah you're right, I believe the convert-msolfederateuser command is used to migrate 1 off users that didn't get successfully converted when you convert the entire domain from federation to standard.

       

      That being said, I'm just trying to remove federation authentication services for a single user, don't want to switch an entire domain.  I know I can change their logon to onmicrosoft.com and then that will be local authentication … however that means I'd have to make the user's UPN to onmicrosoft.com as well right?  

       

       

      Bryan Haslip 

      • Bryan Haslip's avatar
        Bryan Haslip
        Iron Contributor

        I assume the users are coming from your local AD through AD connect correct? If that is the case you can just change the UPN suffix for that particular user on the domain controller to .onmicroosft.com or another domain that is not federated and force a sync. What is important to note about this is don't change the proxy addresses in the attributes as that will change their actual email address and could make mail for that user bounce. Once that is completed you should see that the users sign in address switch to .onmicrosoft.com and you can then test authentication with the domain password. There is one more method you could try if this does not work for you. Let me know and I can explain the second method if needed. 

         

         ch0wd0wn 

Resources