Convert a Managed Domain in Azure AD to a Federated Domain using ADFS for On-Prem Auth-Step by Step

Published 09-20-2018 06:29 AM 16.2K Views

First published on TechNet on Feb 06, 2017
Hi all! I am Bill Kral, a Microsoft Premier Field Engineer, here again to give you the steps to convert your on-premises Managed domain to a Federated domain in your Azure AD tenant this time. Here is the link to my previous blog on how to convert from a Federated to Managed domain: Convert a Federated Domain in Azure AD to Managed and Use Password Sync – Step by Step There are many ways to allow you to logon to your Azure AD account using your on-premises passwords. You can use ADFS, Azure AD Connect Password Sync from your on-premises accounts or just assign passwords to your Azure account. In addition, Azure AD Connect Pass-Through Authentication is currently in preview, for yet another option for logging on and authenticating. So, why would you convert your domain from Managed to Federated? Well, maybe you finally decided to invest in an ADFS environment. Maybe your company mandated that the storage of passwords in the cloud go against company policy, even though the hash of the hash of the password is what is really stored in Azure AD… and you may have your reasons for doing so. Either way, we'll discuss how to get from a Managed domain to Federated domain in your Azure AD environment. Let's set the stage so you can follow along: The on-premises Active Directory Domain in this case is US.BKRALJR.INFO The AzureAD tenant is We are using Azure AD Connect for directory synchronization (Password Sync currently is enabled) We have setup an ADFS environment to federate the domain with the Azure AD Tenant Before we start, you will need the following things installed on your ADFS Server to connect to your Azure AD tenant: Microsoft Online Services Sign-In Assistant for IT Professionals RTW Windows Azure Active Directory Module for Windows PowerShell .msi

  1. First, log on to your Azure Portal and see that the "Status" of your domain is Verified and the "Single Sign-On" for your custom domain show as Not Planned or Not Configured.
  2. Now, go to your Primary ADFS Server and lets connect to your Azure AD Tenant.
    1. On the Primary ADFS server, open an Administartor powershell window and import the MSOnline module
      Import-Module MSOnline
    2. Connect to your Azure AD Tenant
      Connect-MSOLService -> Enter your Azure AD credentials on the pop-up
  3. Once you are connected to your Azure AD Tenant, let's make sure your domain is currently recognized as a "Managed" domain.
    Get-MsolDomain -Domainname -> Should show your domain as "Managed"
  4. Now we can make sure that the domain you are converting is currently NOT in the ADFS configuration.
    Get-MsolFederationProperty -Domainname -> Should show that domain does not exist in configuration
  5. So, now that we have connected to the Azure AD Tenant and confirmed that are domain configured as Managed, we can get to converting it to a "Federated" domain. When done, all of your Azure AD sync'd user accounts will authenticate to your on-premises Active Directory via ADFS.
    1. While still on your ADFS server, import the ADFS module
      Import-Module ADFS
    2. Run the command to convert your domain. Now, if you have a single top-level domain, you do not need to include the -SupportMultipleDomain switch. If you currently have or are planning to add additional domains to your ADFS / Azure AD federation, you will want to use it as I have.
      Convert-MsolDomainToFederated -DomainName -SupportMultipleDomain -> (A successful updated message should be your result)
    3. Once this has completed, we can see the properties for the converted federation.
      Get-MsolFederationProperty -Domainname -> Should now not show the domain error we saw in step 4 and contain information for your domain under Microsoft Office 365 "Source" entry.
  6. Now, lets go back to your Azure Portal and see take a look at what the "Single Sign-On" status is for your custom domain now that you have converted it.
    As you can see, after a refresh and a little time for your commands to work their magic, my domain now shows the "Single Sign-On" as "Configured"
  7. You can now test logging on to with a sync'd account in your Azure AD Tenant. You should now see a re-direction to your ADFS environment while you are being authenticated.

That is pretty much it!!! Now, at this time, if you were replicating your passwords to Azure AD (or as most Microsoft folks like to say, the hash of the hash of the password), you may keep doing so to use as an authentication "backup" should your ADFS environment fail. This usage as a backup authentication does not happen automatically, but a powershell command will do the job when it is needed!!! If you intend to disable replication of you on-premises passwords to you Azure AD Tenant, that can be accomplished through your Azure AD Connect configuration setup!!! Once again, thanks for reading!!!

1 Comment
New Contributor

Hi @BrandonWilson, if my company have multiple synched UPN to Azure AD, do I have to execute the Powershell below for each respective AD domain or just one only as per Azure?


Convert-MsolDomainToFederated -DomainName -SupportMultipleDomain
Convert-MsolDomainToFederated -DomainName -SupportMultipleDomain
Convert-MsolDomainToFederated -DomainName -SupportMultipleDomain
Version history
Last update:
‎Feb 20 2020 07:27 AM
Updated by: