Forum Discussion

amanpreet singh
Copper Contributor
Jul 15, 2018

Unfederating Domains

Hi Friends, I need to unfederate 2 domains. I have around 60 users in on-premises and Azure. I DO NOT want to change the passwords of current users. I know there is the command Convert-MSOLDomainTo...
  • Nestori Syynimaa
    Jul 16, 2018

    Before converting the domain to standard, you should decide how the users will be authenticated. If you run the command in that way, as Vasil mentioned, it will create a new password for each user.

    I would personally use password hash sync, so users would be able to use their current on-prem AD credentials. So I would first configure password hash sync (you might even have that already configured).

    To check what your password sync status is, run the following command. If PasswordSynchronizationEnabled is set to true, you're good to go.

    Get-MsolCompanyInformation | fl *synch*

    When password sync is configured, use the following command to convert the domain to standard (managed). It won't convert users (=doesn't create new passwords), but the password file is still a required parameter even though it's not used. Note that SkipUserConversion is set to $true.

    Convert-MSOLDomainToStandard -DomainName <domain> -SkipUserConversion $true -PasswordFile pwd.txt

    If you are not able to access your AD FS server, or you are using some other identity provider than AD FS, use the following command. It does the same as the previous one: it simply changes the domain to managed without doing any user conversions.

    Set-MsolDomainAuthentication -DomainName <domain> -Authentication Managed
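
The procedure above (check password hash sync, convert each domain with SkipUserConversion, fall back to Set-MsolDomainAuthentication if AD FS is unreachable, then verify) as one added PowerShell script; this is example code, not from the thread's participants. It assumes the MSOnline module is loaded and Connect-MsolService has already been run; the domain names and the temp file path are placeholders.

```powershell
# Added example (not from the original thread): unfederate domains without
# resetting user passwords. Assumes MSOnline is installed and Connect-MsolService
# has already been run. Domain names below are placeholders.
$ErrorActionPreference = 'Stop'
$domains = @('contoso.example', 'fabrikam.example')

# 1. Precondition: password hash sync must be on, otherwise users would be left
#    with no usable cloud password once federation is removed.
$company = Get-MsolCompanyInformation
if (-not $company.PasswordSynchronizationEnabled) {
    throw 'PasswordSynchronizationEnabled is false; enable password hash sync in Azure AD Connect first.'
}

foreach ($name in $domains) {
    $domain = Get-MsolDomain -DomainName $name
    if ($domain.Authentication -ne 'Federated') {
        Write-Host "$name is already $($domain.Authentication); skipping."
        continue
    }

    # 2. Convert without touching users. -PasswordFile is mandatory for the cmdlet
    #    even though -SkipUserConversion $true means no passwords are generated.
    $pwdFile = Join-Path $env:TEMP "$name-unused-passwords.txt"   # placeholder path
    try {
        Convert-MsolDomainToStandard -DomainName $name -SkipUserConversion $true -PasswordFile $pwdFile
    }
    catch {
        # AD FS not reachable (or a non-AD FS IdP): flip the authentication type directly.
        Write-Warning "Convert-MsolDomainToStandard failed for ${name}: $($_.Exception.Message)"
        Set-MsolDomainAuthentication -DomainName $name -Authentication Managed
    }

    # 3. Verify the change took effect before moving on to the next domain.
    $after = Get-MsolDomain -DomainName $name
    if ($after.Authentication -ne 'Managed') {
        throw "$name still reports $($after.Authentication) after conversion."
    }
    Write-Host "$name is now Managed; users keep their synced on-prem passwords."
}
```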

     
