SOLVED
Home

Unfederating Domains

%3CLINGO-SUB%20id%3D%22lingo-sub-215765%22%20slang%3D%22en-US%22%3EUnfederating%20Domains%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-215765%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Friends%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%26nbsp%3B%20need%20to%20unfederate%202%20domains.%3C%2FP%3E%3CP%3EI%20have%20around%2060%20users%20in%20on-premises%20and%20azure.%20I%20DO%20NOT%20want%20to%20change%20passwords%20of%20current%20Users.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20know%20there%20is%20command%20%3CSTRONG%3EConvert-MSOLDomainToStandard%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECan%20you%20please%20explain%20what%20is%20the%20impact%20of%20below%20command%3A-%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EConvert-MSOLDomainToStandard%20%E2%80%93DomainName%20%3CFEDERATED%20domain%3D%22%22%20name%3D%22%22%3E%20-SkipUserConversion%20%24false%20-PasswordFile%20c%3A%5Cuserpasswords.txt%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FFEDERATED%3E%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3E%3CSPAN%3EI%20will%20appreciate%20your%20great%20help!%3C%2FSPAN%3E%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3E%3CSPAN%3EMany%20Thanks%3C%2FSPAN%3E%3C%2FSTRONG%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-215765%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAdmin%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EAuthentication%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIdentity%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOn%20Premise%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-215934%22%20slang%3D%22en-US%22%3ERe%3A%20Unfederating%20Domains%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-215934%22%20slang%3D%22en-US%22%3EThanks%20Vasil%20for%20reply.%3CBR%20%2F%3E%3CBR%20%2F%3EIf%20I%20skip%20User%20Conversion%2C%20which%20Service%2C%20Users%20will%20not%20be%20able%20to%20access%3F%20Please%20clarify.%3CBR%20%2F%3E%3CBR%20%2F%3EPlease%20clarify%20%22The%20change%20does%20not%20affect%20the%20on-premises%20passwords%20in%20any%20way%22%3F%3CBR%20%2F%3EDo%20you%20mean%20Passwords%20of%20On-premises%20user%20won%3Bt%20get%20affected%20after%20i%20run%20command%3CBR%20%2F%3E%22Convert-MSOLDomainToStandard%22%20and%20do%20Password%20Sync%3F%3CBR%20%2F%3E%3CBR%20%2F%3EI%20need%20that%20the%20Domains%20and%20Users%20must%20use%20Standard%20Authentication.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-215916%22%20slang%3D%22en-US%22%3ERe%3A%20Unfederating%20Domains%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-215916%22%20slang%3D%22en-US%22%3E%3CP%3EBefore%20converting%20the%20domain%20to%20standard%2C%20you%20should%20decide%20how%20the%20users%20will%20be%20authenticated.%20If%20you%20run%20the%20command%20in%20that%20way%2C%20as%20Vasil%26nbsp%3Bmentioned%2C%20it%20will%20create%20a%20new%20password%20for%20each%20user.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20would%20personally%20use%20password%20hash%20sync%2C%20so%20users%20would%20be%20able%20to%20use%20their%20current%20on%20prem%20AD%20credentials.%20So%20I%20would%20first%20configure%20password%20hash%20sync%20(you%20might%20even%20has%20that%20already%20configured).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3BTo%20check%20what%20is%20your%20password%20sync%20status%2C%20run%20the%20following%20command.%20If%26nbsp%3BPasswordSynchronizationEnabled%20is%20set%20to%20true%2C%20you're%20good%20to%20go.%3C%2FP%3E%3CPRE%3EGet-MsolCompanyInformation%20%7C%20fl%20*synch*%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhen%20password%20sync%20is%20configured%2C%26nbsp%3Buse%20the%20following%20command%20to%20convert%20the%20domain%20to%20standard%20(managed).%20It%20won't%20convert%20users%20(%3Ddoesn't%20create%20new%20passwords)%20but%20the%20password%20file%20is%20still%20a%20required%20parameter%20even%20though%20it's%20not%20used.%20Note%20that%20the%20SkipUserConversion%20is%20set%20to%20%24true.%26nbsp%3B%3C%2FP%3E%3CPRE%3EConvert-MSOLDomainToStandard%20%E2%80%93DomainName%20%26lt%3Bdomain%26gt%3B%20-SkipUserConversion%20%24true%20-PasswordFile%20pwd.txt%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20you%20are%20not%20able%20to%20access%20your%20AD%20FS%20server%2C%20or%20you%20are%20using%20some%20other%20identity%20provider%20than%20AD%20FS%2C%20use%20the%20following%20command.%20It%20does%20the%20same%20than%20previous%20one%2C%20it%20simply%20changes%20the%20domain%20to%20managed%20without%20doing%20any%20user%20conversions.%3C%2FP%3E%3CPRE%3ESet-MsolDomainAuthentication%20-DomainName%20%26lt%3Bdomain%26gt%3B%20-Authentication%20Managed%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-215786%22%20slang%3D%22en-US%22%3ERe%3A%20Unfederating%20Domains%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-215786%22%20slang%3D%22en-US%22%3E%3CP%3ETechnically%2C%20as%20part%20of%20converting%20the%20domain%20to%20federated%2C%20you%20need%20to%20generate%20new%20passwords%20for%20any%20users%20involved%20and%20distribute%20them%20to%20the%20user%2C%20otherwise%20they%20will%20not%20be%20able%20to%20login%20afterwards.%20That's%20what%20the%20above%20cmdlets%20does.%20You%20can%20skip%20the%20user%20conversion%20process%20by%20changing%20the%20parameter%20to%20%24true%2C%20but%20doing%20this%20will%20leave%20the%20users%20in%20a%20state%20where%20they%20will%20not%20be%20able%20to%20access%20the%20service.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20change%20does%20not%20affect%20the%20on-premises%20passwords%20in%20any%20way%2C%20if%20that's%20what%20you%20are%20concerned%20about.%3C%2FP%3E%3C%2FLINGO-BODY%3E
amanpreet singh
Occasional Contributor

Hi Friends,

 

I  need to unfederate 2 domains.

I have around 60 users in on-premises and azure. I DO NOT want to change passwords of current Users.

 

I know there is command Convert-MSOLDomainToStandard

 

Can you please explain what is the impact of below command:-

 

Convert-MSOLDomainToStandard –DomainName <federated domain name> -SkipUserConversion $false -PasswordFile c:\userpasswords.txt 

 

I will appreciate your great help!

 

Many Thanks

3 Replies

Technically, as part of converting the domain to federated, you need to generate new passwords for any users involved and distribute them to the user, otherwise they will not be able to login afterwards. That's what the above cmdlets does. You can skip the user conversion process by changing the parameter to $true, but doing this will leave the users in a state where they will not be able to access the service.

 

The change does not affect the on-premises passwords in any way, if that's what you are concerned about.

Solution

Before converting the domain to standard, you should decide how the users will be authenticated. If you run the command in that way, as Vasil mentioned, it will create a new password for each user.

 

I would personally use password hash sync, so users would be able to use their current on prem AD credentials. So I would first configure password hash sync (you might even has that already configured).

 

 To check what is your password sync status, run the following command. If PasswordSynchronizationEnabled is set to true, you're good to go.

Get-MsolCompanyInformation | fl *synch*

 

When password sync is configured, use the following command to convert the domain to standard (managed). It won't convert users (=doesn't create new passwords) but the password file is still a required parameter even though it's not used. Note that the SkipUserConversion is set to $true. 

Convert-MSOLDomainToStandard –DomainName <domain> -SkipUserConversion $true -PasswordFile pwd.txt

 

If you are not able to access your AD FS server, or you are using some other identity provider than AD FS, use the following command. It does the same than previous one, it simply changes the domain to managed without doing any user conversions.

Set-MsolDomainAuthentication -DomainName <domain> -Authentication Managed

 

Thanks Vasil for reply.

If I skip User Conversion, which Service, Users will not be able to access? Please clarify.

Please clarify "The change does not affect the on-premises passwords in any way"?
Do you mean Passwords of On-premises user won;t get affected after i run command
"Convert-MSOLDomainToStandard" and do Password Sync?

I need that the Domains and Users must use Standard Authentication.

Related Conversations
Domain missing from accepted domains
Deleted in Office 365 on
3 Replies
Error when adding a domain.
Gary Choinski in Microsoft 365 on
4 Replies
Domain purpose returns
Alan McFarlane in Office 365 on
3 Replies