First published on TechNet on Dec 19, 2016
Hi all! I am Bill Kral, a Microsoft Premier Field Engineer, here to give you the steps to convert your on-premises Federated domain to a Managed domain in your Azure AD tenant. In this case, we will also be using your on-premises passwords, synced to Azure AD with Azure AD Connect.

There are many ways to log on to your Azure AD account using your on-premises passwords. You can use ADFS, Azure AD Connect Password Sync from your on-premises accounts, or just assign passwords to your Azure AD account. In addition, Azure AD Connect Pass-Through Authentication is currently in preview, for yet another option for logging on and authenticating. Recently, one of my customers wanted to move from ADFS to Azure AD passwords synced from their on-premises domain to log on. So, we'll discuss that here.

Let's set the stage so you can follow along:
- The on-premises Active Directory domain in this case is US.BKRALJR.INFO
- The Azure AD tenant is BKRALJRUTC.onmicrosoft.com
- We are using Azure AD Connect for directory synchronization (Password Sync currently not enabled)
- We are using ADFS, with US.BKRALJR.INFO federated with the Azure AD tenant
- First, ensure your Azure AD Connect Sync ID has the "Replicate Directory Changes" and "Replicate Directory Changes All" permissions in AD (for Password Sync to function properly). If you did not set this up initially, you will have to do this prior to configuring Password Sync in your Azure AD Connect.
- You can check your Azure AD Connect server's Security log, which should show an AAD logon by the AAD Sync account every 30 minutes (Event 4648) for regular sync. When you enable Password Sync, this occurs every 2-3 minutes.
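If you want to verify the two replication permissions without clicking through the ACL editor, here is an added example (my own illustration, not a script from the original post or from Microsoft) that reads the ACL of the domain naming context and reports whether each extended right is granted directly to the sync account. It assumes the ActiveDirectory RSAT module is installed, and the account name passed in is a placeholder for your own MSOL_<hex> or AAD_<hex> account.

```powershell
# Added example (not part of the original post): check that the Azure AD Connect
# sync account holds both replication extended rights on the domain naming context.
# Requires the ActiveDirectory RSAT module; run from a domain-joined machine.
Import-Module ActiveDirectory

# Well-known GUIDs of the two extended rights (fixed, schema-defined values).
$ReplicationRights = [ordered]@{
    'Replicating Directory Changes'     = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
    'Replicating Directory Changes All' = [Guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
}

function Test-AADConnectReplicationRights {
    param(
        # sAMAccountName of the sync account (the value used below is a placeholder).
        [Parameter(Mandatory)][string]$SyncAccountName,
        # DNS name of the domain whose naming context is checked; defaults to the current one.
        [string]$Domain = (Get-ADDomain).DNSRoot
    )

    $domainDn = (Get-ADDomain -Identity $Domain).DistinguishedName
    $sid      = (Get-ADUser -Identity $SyncAccountName -Server $Domain).SID

    # Allow ACEs on the naming context whose trustee resolves to the sync account's SID.
    $aces = @((Get-Acl -Path "AD:\$domainDn").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $(try { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid }
          catch { $false })
    })

    foreach ($right in $ReplicationRights.Keys) {
        $guid = $ReplicationRights[$right]
        $matching = @($aces | Where-Object {
            $extended = ([int]($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) -ne 0
            $generic  = ([int]($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll)) -ne 0
            # Granted by an ACE naming this GUID, by an ACE covering all extended
            # rights (empty ObjectType), or by GenericAll on the naming context.
            ($extended -and ($_.ObjectType -eq $guid -or $_.ObjectType -eq [Guid]::Empty)) -or $generic
        })
        [pscustomobject]@{
            Account = $SyncAccountName
            Right   = $right
            Granted = ($matching.Count -gt 0)
        }
    }
}

# Usage; the account name is a placeholder for your own MSOL_<hex> / AAD_<hex> account.
Test-AADConnectReplicationRights -SyncAccountName 'MSOL_xxxxxxxxxxxx' | Format-Table -AutoSize
```

The check only looks at ACEs whose trustee is the sync account itself; a right granted through group membership would show as not granted, so treat a "False" as a prompt to look further rather than as proof the permission is missing.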
- On the Azure AD Connect server, run CheckPWSync.ps1 to see if Password Sync is enabled
Note: Here is a script I came across to accomplish this. Copy this script text, save it to your Azure AD Connect server and name the file CheckPWSync.ps1.
---------------------------------------- Begin Copy After this Line ------------------------------------------------
Import-Module ADSync

$connectors = Get-ADSyncConnector
$aadConnectors = $connectors | Where-Object {$_.SubType -eq "Windows Azure Active Directory (Microsoft)"}
$adConnectors = $connectors | Where-Object {$_.ConnectorTypeName -eq "AD"}

if ($aadConnectors -ne $null -and $adConnectors -ne $null)
{
    if ($aadConnectors.Count -eq 1)
    {
        # Tenant-level feature flag: is password hash sync turned on in Azure AD?
        $features = Get-ADSyncAADCompanyFeature -ConnectorName $aadConnectors[0].Name
        Write-Host
        Write-Host "Password sync feature enabled in your Azure AD directory: " $features.PasswordHashSync

        foreach ($adConnector in $adConnectors)
        {
            Write-Host
            Write-Host "Password sync channel status BEGIN ------------------------------------------------------- "
            Write-Host
            # Per-connector channel state (source AD connector to the AAD connector)
            Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector.Name
            Write-Host

            # Event 654 in the Application log is the password sync heartbeat. Keep only the
            # entries for this connector and sort newest first (event log entries expose
            # TimeWritten, not Time, so sorting on Time would silently do nothing).
            $pingEvents =
                Get-EventLog -LogName "Application" -Source "Directory Synchronization" -InstanceId 654 -After (Get-Date).AddHours(-3) |
                    Where-Object { $_.Message.ToUpperInvariant().Contains($adConnector.Identifier.ToString("D").ToUpperInvariant()) } |
                    Sort-Object { $_.TimeWritten } -Descending

            if ($pingEvents -ne $null)
            {
                Write-Host "Latest heart beat event (within last 3 hours). Time " $pingEvents[0].TimeWritten
            }
            else
            {
                Write-Warning "No ping event found within last 3 hours."
            }

            Write-Host
            Write-Host "Password sync channel status END ------------------------------------------------------- "
            Write-Host
        }
    }
    else
    {
        Write-Warning "More than one Azure AD Connectors found. Please update the script to use the appropriate Connector."
    }
}

Write-Host

if ($aadConnectors -eq $null)
{
    Write-Warning "No Azure AD Connector was found."
}

if ($adConnectors -eq $null)
{
    Write-Warning "No AD DS Connector was found."
}

Write-Host
---------------------------------------- End Copy Prior to this Line -------------------------------------------
As you can see, mine is currently disabled.
- Set up Password Sync via Azure AD Connect (Options)
- Open the Azure AD Connect wizard on the AD Connect Server
- Select "Customize synchronization options" and click "Next"
- Enter your AAD admin account and password and click "Next"
- If you are only enabling Password hash synchronization, click "Next" until you arrive at the Optional features window leaving your original settings unchanged
- On the "Optional features" window, select "Password hash synchronization" and click "Next"
Note: If you have previously selected other options, leave those as intended
- Click "Install" to reconfigure your service
- Restart the Microsoft Azure AD Sync service
- Force a full sync in Azure AD Connect from a PowerShell console by running the commands below
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Initial
- On your Azure AD Connect server, run CheckPWSync.ps1 to see if Password Sync is enabled
- On your Azure AD Connect server, run TriggerFullPWSync.ps1 to trigger full password sync (Disables / enables)
Note: Here is a script I came across to accomplish this. Copy this script text and save to your AD Connect server and name the file TriggerFullPWSync.ps1. Update the $adConnector and $aadConnector variables with case sensitive names from the connector names you have in your Synchronization Service Tool.
---------------------------------------- Begin Copy After this Line ------------------------------------------------
# Run script on AD Connect Server to force a full synchronization of your on prem users password with Azure AD
# Change domain.com to your on prem domain name to match your connector name in AD Connect
# Change aadtenant to your AAD tenant to match your connector name in AD Connect
$adConnector  = "domain.com"
$aadConnector = "aadtenant.onmicrosoft.com - AAD"

Import-Module ADSync

# Set the ForceFullPasswordSync connector-global parameter on the AD connector
$c = Get-ADSyncConnector -Name $adConnector
$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter "Microsoft.Synchronize.ForceFullPasswordSync", String, ConnectorGlobal, $null, $null, $null
$p.Value = 1
$c.GlobalParameters.Remove($p.Name)
$c.GlobalParameters.Add($p)
$c = Add-ADSyncConnector -Connector $c

# Toggle the password sync channel off and back on so the full sync is picked up
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $false
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $true
---------------------------------------- End Copy Prior to this Line -------------------------------------------
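Start-ADSyncSyncCycle refuses to start while another cycle is running, and on a large directory the initial cycle takes a while, so it helps to wait for it to finish before you run TriggerFullPWSync.ps1. The following is an added example of mine (not a script from the original post or from Microsoft) that starts the initial cycle only when the scheduler is idle and polls Get-ADSyncScheduler until the cycle completes; the timeout and poll interval are assumptions you can adjust.

```powershell
# Added example (not part of the original post): start the initial sync cycle from
# the post only when the scheduler is idle, then wait for it to finish before moving
# on to the password sync scripts. Timeout and poll interval are assumptions.
Import-Module ADSync

function Invoke-AADConnectInitialSync {
    param(
        [int]$TimeoutMinutes = 180,
        [int]$PollSeconds    = 30
    )

    # Start-ADSyncSyncCycle fails if a cycle is already running, so check first.
    if ((Get-ADSyncScheduler).SyncCycleInProgress) {
        throw 'A sync cycle is already in progress; wait for it to finish before starting another.'
    }

    $started = Get-Date
    Start-ADSyncSyncCycle -PolicyType Initial | Out-Null
    Write-Host ("Initial sync cycle requested at {0:HH:mm:ss}" -f $started)

    # The scheduler takes a moment to flag the cycle as running, so always sleep once
    # before the first check, then poll until it reports idle or the timeout expires.
    do {
        Start-Sleep -Seconds $PollSeconds
        $inProgress = (Get-ADSyncScheduler).SyncCycleInProgress
        Write-Host ("{0:HH:mm:ss} cycle in progress: {1}" -f (Get-Date), $inProgress)
    } while ($inProgress -and ((Get-Date) - $started).TotalMinutes -lt $TimeoutMinutes)

    if ($inProgress) {
        throw "Sync cycle still running after $TimeoutMinutes minutes; investigate before forcing a password sync."
    }

    [pscustomobject]@{
        StartedAt      = $started
        FinishedAt     = Get-Date
        ElapsedMinutes = [math]::Round(((Get-Date) - $started).TotalMinutes, 1)
    }
}

# Usage: run the initial cycle, then the post's scripts from the same console.
Invoke-AADConnectInitialSync
.\CheckPWSync.ps1
.\TriggerFullPWSync.ps1
```

If the function throws because a cycle is already running, let that cycle finish (or look at the Synchronization Service Manager to see which run profile is active) rather than stopping the service mid-run.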
- Now, we can go to the primary ADFS server and convert your domain from Federated to Managed
- On the primary ADFS server, import the MSOnline module
Import-Module MSOnline
- Connect to your AAD tenant
Connect-MsolService -> Enter AAD credentials on the pop-up
Note: You can also run this from another server, but then you need to set the context of which ADFS server you connect to, e.g.: Set-MsolADFSContext -Computer <AD FS servername>. I find it easier to do the Azure AD Connect tasks on the Azure AD Connect server and the ADFS/Federation tasks on the primary ADFS server.
- Confirm the domain you are converting is listed as Federated by using the command below
Get-MsolDomain -DomainName domain -> inserting the domain name you are converting, e.g.: Get-MsolDomain -DomainName us.bkraljr.info
- Convert the domain to Managed and remove the Relying Party Trust from the Federation Service. Now, you may convert individual users as opposed to the entire domain, but we will focus on a complete conversion away from a Federated domain to a Managed domain using on-prem sourced passwords.
Convert-MsolDomainToStandard -DomainName domain -SkipUserConversion $false -PasswordFile c:\<domain>_userpasswords.txt -> inserting the domain name you are converting and a password file name of your choice that does not currently exist, e.g.: Convert-MsolDomainToStandard -DomainName us.bkraljr.info -SkipUserConversion $false -PasswordFile c:\usbkraljrinfo_userpasswords.txt
Here is where the so-called "fun" begins. There is no status bar indicating how far along the process is, or what is actually happening. Under the covers, the process analyzes EVERY account in your on-prem domain, whether or not it has ever been synced to Azure AD. If an account had been selected to sync to Azure AD, it is converted and assigned a random password. That is what the password file is for… Also, since we have enabled Password hash synchronization, those passwords will eventually be overwritten.
What does all this mean to you? You must be patient!!! For an idea of how long this process takes, I went through it with a customer who had a 10k user domain, and it took almost 2 hours before we got the "Successfully updated" message. Therefore, you can expect an approximate processing rate of 5k users per hour, although other factors should be considered, such as bandwidth, network or system performance. That doesn't count the eventual password sync from the on-prem accounts and AAD reverting from "Federated" to "Not Planned" or "Not Configured" in the Azure Portal. So, just because it looks done doesn't mean it is done.
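Because the conversion runs for a long time with no progress indicator, and because the password file it writes contains a temporary cleartext password for every converted user, I like to wrap the step in a small function. The one below is an added example of mine (not from the original post or from Microsoft): it refuses to run unless the domain is currently Federated, writes the password file into a directory restricted to Administrators and SYSTEM, times the conversion, and reports the before/after authentication type. The output directory path is an assumption, and it assumes you have already run Connect-MsolService in an elevated session on the primary ADFS server.

```powershell
# Added example (not part of the original post): run the post's conversion command
# with pre/post checks and a locked-down location for the temporary-password file.
# Assumes Connect-MsolService has been run in this (elevated) session.
Import-Module MSOnline

function Convert-FederatedDomainToManaged {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        # Directory for the password file; the path is an assumption, change as needed.
        [string]$OutputDirectory = 'C:\DomainConversion'
    )

    $before = Get-MsolDomain -DomainName $DomainName
    if ($before.Authentication -ne 'Federated') {
        throw "$DomainName is '$($before.Authentication)', not Federated; nothing to convert."
    }

    # The password file will hold a temporary cleartext password for every converted
    # user, so create the directory with inheritance off and only Administrators/SYSTEM.
    if (-not (Test-Path -Path $OutputDirectory)) {
        New-Item -ItemType Directory -Path $OutputDirectory | Out-Null
    }
    icacls $OutputDirectory /inheritance:r /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null

    # Same naming scheme as the post (dots stripped from the domain), plus a timestamp;
    # the cmdlet requires a file that does not already exist.
    $passwordFile = Join-Path $OutputDirectory ('{0}_userpasswords_{1:yyyyMMdd-HHmm}.txt' -f ($DomainName -replace '\.', ''), (Get-Date))
    if (Test-Path -Path $passwordFile) {
        throw "Password file $passwordFile already exists; choose a new name."
    }

    $timer = [System.Diagnostics.Stopwatch]::StartNew()
    Convert-MsolDomainToStandard -DomainName $DomainName -SkipUserConversion $false -PasswordFile $passwordFile
    $timer.Stop()

    $after = Get-MsolDomain -DomainName $DomainName
    [pscustomobject]@{
        Domain         = $DomainName
        Before         = $before.Authentication
        After          = $after.Authentication
        ElapsedMinutes = [math]::Round($timer.Elapsed.TotalMinutes, 1)
        PasswordFile   = $passwordFile
    }
}

Convert-FederatedDomainToManaged -DomainName 'us.bkraljr.info'
```

Once password hash sync has caught up and the temporary passwords have been overwritten (as the post describes), the password file has no further use; delete it rather than leaving a list of cleartext credentials on the ADFS server.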
- On the Azure AD Connect server, run TriggerFullPWSync.ps1 to trigger full password sync
- On the ADFS server, confirm the domain you have converted is listed as "Managed"
Get-MsolDomain -DomainName domain -> inserting the domain name you are converting, e.g.: Get-MsolDomain -DomainName us.bkraljr.info
- Check the Single Sign-On status in the Azure Portal. It should not be listed as "Federated" anymore
- Log on to "myapps.microsoft.com" with a synced Azure AD account. There should now be no redirect to ADFS and your on-prem password should be functional… assuming you were patient enough to let everything finish!!!
- The Azure AD Connect server's Security log should show an AAD logon by the AAD Sync account every 2 minutes (Event 4648)
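To make the last two checks repeatable, here is an added example of mine (not from the original post or from Microsoft) that confirms the domain reports Managed and measures the gap between Event 4648 logons in the Security log, so you can see whether the cadence has moved from the 30-minute baseline to the roughly 2-minute interval password hash sync produces. It assumes Connect-MsolService has been run, that it runs on the Azure AD Connect server with rights to read the Security log, and the regular expression used to pick out the sync account in the event text is an assumption about that account's UPN format.

```powershell
# Added example (not part of the original post): confirm the domain is Managed and
# that the sync server's Security log shows the ~2-minute logon cadence the post
# describes for password hash sync. The account pattern is an assumption about the
# 4648 message text (the AAD sync account is a *.onmicrosoft.com UPN).
Import-Module MSOnline

function Test-ManagedDomainCutover {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        # Regex matched against the 4648 message to keep only the sync account's logons.
        [string]$AccountPattern = 'Sync_[^\s]+@[^\s]+\.onmicrosoft\.com',
        [int]$LookbackMinutes = 30,
        [double]$ExpectedIntervalMinutes = 2
    )

    $domain = Get-MsolDomain -DomainName $DomainName

    # Event 4648 = logon with explicit credentials; the sync engine raises one each
    # time it authenticates to Azure AD. Oldest first so the intervals are positive.
    $events = @(Get-WinEvent -FilterHashtable @{
            LogName   = 'Security'
            Id        = 4648
            StartTime = (Get-Date).AddMinutes(-$LookbackMinutes)
        } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $AccountPattern } |
        Sort-Object TimeCreated)

    # Gaps between consecutive sync logons, in minutes.
    $intervals = @()
    for ($i = 1; $i -lt $events.Count; $i++) {
        $intervals += ($events[$i].TimeCreated - $events[$i - 1].TimeCreated).TotalMinutes
    }
    $median = $null
    if ($intervals.Count -gt 0) {
        $sorted = @($intervals | Sort-Object)
        $median = [math]::Round($sorted[[int][math]::Floor($sorted.Count / 2)], 1)
    }

    # Allow a minute of slack: the post quotes 2-3 minutes once password sync is on.
    $cadenceOk = ($null -ne $median) -and ($median -le ($ExpectedIntervalMinutes + 1))

    [pscustomobject]@{
        Domain              = $DomainName
        Authentication      = $domain.Authentication
        IsManaged           = ($domain.Authentication -eq 'Managed')
        SyncLogonEvents     = $events.Count
        MedianIntervalMin   = $median
        PasswordSyncCadence = $cadenceOk
    }
}

Test-ManagedDomainCutover -DomainName 'us.bkraljr.info' | Format-List
```

Event 4648 only appears if success auditing for Logon events is enabled on the server, so a count of zero with a Managed domain usually means the audit policy, not the sync, is the thing to look at first.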
That should do it!!! Bottom line… be patient… I will also be addressing moving from a Managed domain to a Federated domain in my next post, as well as setting up the new Pass-Through Authentication (PTA) capabilities that are being introduced into Azure AD Connect in future posts. Thanks for reading!!!