Forum Discussion
Convert a SINGLE user from Federated to Managed Authentication and then BACK to Federated... HOW?
Do your users authenticate with Domain\Username? If so this change will not affect how the user is logging on to their local machine. I usually just let Outlook prompt stating that it is no longer connected to Microsoft Exchange and prompts for the username and password. Hope this helps! ch0wd0wn
Hi Bryan
Yeah you're right, I believe the convert-msolfederateuser command is used to migrate 1 off users that didn't get successfully converted when you convert the entire domain from federation to standard.
That being said, I'm just trying to remove federation authentication services for a single user, don't want to switch an entire domain. I know I can change their logon to onmicrosoft.com and then that will be local authentication … however that means I'd have to make the user's UPN to onmicrosoft.com as well right?
I assume the users are coming from your local AD through AD connect correct? If that is the case you can just change the UPN suffix for that particular user on the domain controller to .onmicroosft.com or another domain that is not federated and force a sync. What is important to note about this is don't change the proxy addresses in the attributes as that will change their actual email address and could make mail for that user bounce. Once that is completed you should see that the users sign in address switch to .onmicrosoft.com and you can then test authentication with the domain password. There is one more method you could try if this does not work for you. Let me know and I can explain the second method if needed.
Yes you are correct, on prem AD with AAD Connect with password sync turned on (eventhough we are using federated authentication through PingFederate)
Ok the only change I'll make is to the UPN for the user. I just want to make sure this doesn't impact his day to day activities like logging into windows...etc which it shouldn't. Do I need to recreate Outlook profile or should I just let it prompt for updated credentials?
Let me try this method first, its easy enough.
Bryan HaslipDo your users authenticate with Domain\Username? If so this change will not affect how the user is logging on to their local machine. I usually just let Outlook prompt stating that it is no longer connected to Microsoft Exchange and prompts for the username and password. Hope this helps! ch0wd0wn
Hey Bryan
Changing the UPN worked, however the user now can't get into Outlook and authenticate or his mobile device... he basically has to use OWA. The authentication keeps prompting over and over even if we created a new Outlook profile. I thought that this should authenticate the user regardless of the application he was using... any thoughts?