Jul 15 2018 - last edited on Feb 10 2023
I need to unfederate 2 domains.
I have around 60 users in on-premises and azure. I DO NOT want to change passwords of current Users.
I know there is command Convert-MSOLDomainToStandard
Can you please explain what is the impact of the below command:
Convert-MSOLDomainToStandard -DomainName <federated domain name> -SkipUserConversion $false -PasswordFile c:\userpasswords.txt
I will appreciate your great help!
Jul 15 2018 11:01 AM
Technically, as part of converting the domain to federated, you need to generate new passwords for any users involved and distribute them to the users, otherwise they will not be able to log in afterwards. That's what the above cmdlet does. You can skip the user conversion process by changing the parameter to $true, but doing this will leave the users in a state where they will not be able to access the service.
The change does not affect the on-premises passwords in any way, if that's what you are concerned about.
Jul 15 2018 11:39 PM (marked as Solution)
Before converting the domain to standard, you should decide how the users will be authenticated. If you run the command in that way, as Vasil mentioned, it will create a new password for each user.
I would personally use password hash sync, so users would be able to use their current on-prem AD credentials. So I would first configure password hash sync (you might even have that configured already).
To check your password sync status, run the following command. If PasswordSynchronizationEnabled is set to true, you're good to go.
Get-MsolCompanyInformation | fl *synch*
When password sync is configured, use the following command to convert the domain to standard (managed). It won't convert users (=doesn't create new passwords) but the password file is still a required parameter even though it's not used. Note that the SkipUserConversion is set to $true.
Convert-MSOLDomainToStandard -DomainName <domain> -SkipUserConversion $true -PasswordFile pwd.txt
If you are not able to access your AD FS server, or you are using an identity provider other than AD FS, use the following command. It does the same as the previous one: it simply changes the domain to managed without doing any user conversions.
Set-MsolDomainAuthentication -DomainName <domain> -Authentication Managed
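The procedure from this answer, wrapped in a guarded script as an added example (not code from the thread): it refuses to unfederate unless password hash sync is confirmed, checks the domain really is federated, converts it with SkipUserConversion $true, and verifies the result. It assumes the MSOnline module is installed and that it is run on the AD FS server; the domain name is a parameter and the password file path is a placeholder the cmdlet requires but does not use here.

```powershell
# Added example, not from the original thread. Assumes the MSOnline module
# and that this runs on the AD FS server (where Convert-MsolDomainToStandard
# also removes the relying party trust).
param(
    [Parameter(Mandatory)][string]$DomainName,
    # Required by the cmdlet, but not used when SkipUserConversion is $true
    [string]$PasswordFile = "$env:TEMP\unused-pwd.txt"
)

Connect-MsolService

# 1. Refuse to proceed unless password hash sync is on; otherwise users
#    would keep their on-prem passwords but have no way to sign in to Azure AD.
$company = Get-MsolCompanyInformation
if (-not $company.PasswordSynchronizationEnabled) {
    throw "PasswordSynchronizationEnabled is false. Enable password hash sync in Azure AD Connect (or plan a user conversion) before unfederating $DomainName."
}

# 2. Confirm the domain is actually federated before touching it
$domain = Get-MsolDomain -DomainName $DomainName
if ($domain.Authentication -ne 'Federated') {
    Write-Host "$DomainName is already '$($domain.Authentication)'; nothing to convert."
    return
}

# 3. Convert to managed without generating new cloud passwords
Convert-MsolDomainToStandard -DomainName $DomainName -SkipUserConversion $true -PasswordFile $PasswordFile

# 4. Verify the authentication type changed
$after = Get-MsolDomain -DomainName $DomainName
if ($after.Authentication -ne 'Managed') {
    throw "Conversion did not complete: $DomainName reports '$($after.Authentication)'."
}
Write-Host "$DomainName is now Managed; users keep their on-prem AD passwords via hash sync."
```

If the AD FS server is unreachable, replace step 3 with Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Managed, as the answer notes; the surrounding checks stay the same.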