SOLVED

Unfederating Domains


Hi Friends,

I need to unfederate 2 domains.

I have around 60 users in on-premises and Azure. I DO NOT want to change passwords of current users.

I know there is the command Convert-MSOLDomainToStandard.

Can you please explain what the impact of the command below is:

Convert-MSOLDomainToStandard -DomainName <federated domain name> -SkipUserConversion $false -PasswordFile c:\userpasswords.txt

I will appreciate your great help!

Many Thanks

3 Replies

Technically, as part of converting the domain to federated, you need to generate new passwords for any users involved and distribute them to the users, otherwise they will not be able to log in afterwards. That's what the above cmdlet does. You can skip the user conversion process by changing the parameter to $true, but doing this will leave the users in a state where they will not be able to access the service.

The change does not affect the on-premises passwords in any way, if that's what you are concerned about.

best response confirmed by amanpreet singh (Copper Contributor)
Solution

Before converting the domain to standard, you should decide how the users will be authenticated. If you run the command in that way, as Vasil mentioned, it will create a new password for each user.

I would personally use password hash sync, so users would be able to use their current on-prem AD credentials. So I would first configure password hash sync (you might even have that already configured).

To check what your password sync status is, run the following command. If PasswordSynchronizationEnabled is set to true, you're good to go.

Get-MsolCompanyInformation | fl *synch*

When password sync is configured, use the following command to convert the domain to standard (managed). It won't convert users (i.e. it doesn't create new passwords), but the password file is still a required parameter even though it's not used. Note that SkipUserConversion is set to $true.

Convert-MSOLDomainToStandard -DomainName <domain> -SkipUserConversion $true -PasswordFile pwd.txt

If you are not able to access your AD FS server, or you are using some other identity provider than AD FS, use the following command. It does the same as the previous one: it simply changes the domain to managed without doing any user conversions.

Set-MsolDomainAuthentication -DomainName <domain> -Authentication Managed
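The steps in the accepted answer (check password hash sync, then convert with user conversion skipped) can be wrapped in a single pre-flight script so that the cut-over refuses to run when it would lock users out. The script below is an added example written for this thread, not code posted by any participant or shipped by Microsoft. It assumes the MSOnline module is installed and Connect-MsolService has already been run; $DomainName and the $PasswordFile path are placeholders you supply. Note that Microsoft has since deprecated the MSOnline module, so if the cmdlets are no longer available you will need the Microsoft Graph equivalents.

```powershell
# Pre-flight check and conversion of one federated domain to managed (standard) authentication.
# Added example for this thread; not code from the thread or from Microsoft.
# Assumes: MSOnline module loaded and Connect-MsolService already executed.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Placeholder: the federated domain you intend to convert.
    [Parameter(Mandatory = $true)]
    [string]$DomainName,

    # Convert-MsolDomainToStandard requires -PasswordFile even when SkipUserConversion
    # is $true; in that case no passwords are written, so any path will do.
    [string]$PasswordFile = (Join-Path $env:TEMP 'unused-passwords.txt')
)

# 1. Confirm the domain is actually federated; otherwise there is nothing to convert.
$domain = Get-MsolDomain -DomainName $DomainName
if ($domain.Authentication -ne 'Federated') {
    Write-Host "$DomainName is already '$($domain.Authentication)'; no conversion needed."
    return
}

# 2. Confirm password hash sync is on. Without it, converting with -SkipUserConversion $true
#    leaves every user with no cloud password and therefore no way to sign in.
$company = Get-MsolCompanyInformation
if (-not $company.PasswordSynchronizationEnabled) {
    Write-Warning 'PasswordSynchronizationEnabled is false. Enable password hash sync in'
    Write-Warning 'Azure AD Connect and wait for a full sync cycle before converting.'
    return
}

# 3. Report the blast radius before changing anything.
$users = Get-MsolUser -DomainName $DomainName -All
Write-Host "$(@($users).Count) user(s) have a UPN in $DomainName and will move to managed auth."

# 4. Convert. With -SkipUserConversion $true no new cloud passwords are generated,
#    which is what keeps the existing on-prem AD passwords usable via hash sync.
if ($PSCmdlet.ShouldProcess($DomainName, 'Convert federated domain to managed')) {
    Convert-MsolDomainToStandard -DomainName $DomainName -SkipUserConversion $true -PasswordFile $PasswordFile
}

# 5. Verify the result rather than assuming it.
$after = Get-MsolDomain -DomainName $DomainName
Write-Host "Authentication for $DomainName is now: $($after.Authentication)"
```

Run it first with -WhatIf to see the checks and the user count without converting anything; the ShouldProcess guard means the actual Convert-MsolDomainToStandard call only happens on a real run. If you cannot reach the AD FS server, replace the Convert-MsolDomainToStandard line with the Set-MsolDomainAuthentication command from the answer above; the surrounding checks apply equally to both.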

 

Thanks Vasil for the reply.

If I skip user conversion, which service will users not be able to access? Please clarify.

Please clarify "The change does not affect the on-premises passwords in any way"?
Do you mean passwords of on-premises users won't get affected after I run the command
"Convert-MSOLDomainToStandard" and do password sync?

I need that the domains and users must use standard authentication.
