02. January 2013 · How to convert an Office365 federated domain back to a managed domain · Categories: Office365

Use these methods only if all the conditions listed under the applicable method are true:

Reverse the domain federated authentication settings for the Office 365 account domain – if the AD FS 2.0 server is available

Use this method only if all the following conditions are true:

  • The problem is caused by a service outage that requires immediately restoring user access, or the account is an Office 365 for professionals and small businesses account.
  • The Active Directory Federation Services (AD FS) 2.0 server is available.

If these conditions are true, reset the authentication setting for the domain to standard authentication. To do this, follow these steps:

  1. Start the Microsoft Online Services Module for Windows PowerShell. To do this, click Start, point to All Programs, click Microsoft Online Services, right-click Microsoft Online Service Module for Windows PowerShell, and then click Run as administrator.
  2. Run the following commands in the order in which they are presented. Press Enter after you type each command.
    1. $cred = Get-Credential

      When you are prompted, enter Office 365 administrator credentials that are not SSO-enabled.

    2. Connect-MsolService -Credential $cred
    3. Set-MsolADFSContext -Computer <AD FS 2.0 server name>

      Note In this command, the placeholder <AD FS 2.0 server name> represents the name of the primary AD FS 2.0 server.

    4. Convert-MSOLDomainToStandard -DomainName <federated domain name> -SkipUserConversion [$true|$false] -PasswordFile c:\userpasswords.txt

      Note In this command, the placeholder <federated domain name> represents the name of the domain for which SSO is not working.

      This command removes the Relying Party Trust information from the Office 365 authentication system federation service and the on-premises AD FS 2.0 federation service. The -PasswordFile parameter indicates the path of the text file that contains the newly created temporary password of each formerly federated user’s account.

      If the -SkipUserConversion:$true parameter is used, no password file is generated, and the user accounts that are associated with the domain are unusable. That is, the user accounts do not have access to Office 365 resources until the following conditions are true:

      • The domain is converted back to use federated authentication by using the Convert-MSOLDomainToFederated cmdlet.
      • Each user account is converted to use standard authentication by using the Convert-MSOLFederatedUser cmdlet.

Reverse the domain federated authentication settings for the Office 365 account domain – if the AD FS 2.0 server is not available

Use this method only if all the following conditions are true:

  • The problem is caused by a service outage that requires immediately restoring user access, or the account is an Office 365 for professionals and small businesses account.
  • The AD FS 2.0 server is unavailable.

If these conditions are true, reset the authentication setting for the domain and for each user account to use standard authentication. To do this, follow these steps:

  1. Start the Microsoft Online Services Module for Windows PowerShell. To do this, click Start, click All Programs, click Microsoft Online Services, right-click Microsoft Online Service Module for Windows PowerShell, and then click Run as administrator.
  2. To convert the domain, run the following commands in the order in which they are presented. Press Enter after you type each command.
    1. $cred = Get-Credential

      When you are prompted, enter Office 365 administrator credentials that are not SSO-enabled.

    2. Connect-MsolService -Credential $cred
    3. Set-MSOLDomainAuthentication -Authentication Managed -DomainName <federated domain name>

      Note In this command, the placeholder <federated domain name> represents the name of the domain for which Office 365 SSO is not working.

  3. For each user who has a user principal name (UPN) suffix that is associated with the domain, run the following command:
    Convert-MSOLFederatedUser -UserPrincipalName <string>

    Note In this command, the placeholder <string> represents the value of the UPN for the user who is being converted.
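
Step 3 has to be repeated for every user in the domain. The following PowerShell function is an added example, not part of KB2662960: it first checks with Get-MsolDomain that the domain is already Managed, then finds every user whose UPN suffix is that domain and runs Convert-MSOLFederatedUser for each one. It assumes the session is already connected with Connect-MsolService; the function name and its -ListOnly switch are hypothetical.

```powershell
# Added example (not from KB2662960). Assumes Connect-MsolService has already
# been run in this session with non-SSO administrator credentials.
function Convert-FederatedUsersInDomain {
    param(
        [Parameter(Mandatory = $true)][string]$DomainName,
        [switch]$ListOnly   # hypothetical: only list the users, convert nothing
    )

    # Check first: Convert-MSOLFederatedUser only makes sense once the domain
    # itself has been switched to Managed (step 2.3 above).
    $domain = Get-MsolDomain -DomainName $DomainName
    if ($domain.Authentication -ne 'Managed') {
        throw "Domain $DomainName is still '$($domain.Authentication)'. Run Set-MSOLDomainAuthentication -Authentication Managed first."
    }

    # Select users whose UPN suffix is the converted domain.
    $suffix = '@' + $DomainName.ToLower()
    $users = @(Get-MsolUser -All | Where-Object {
        $_.UserPrincipalName.ToLower().EndsWith($suffix)
    })
    Write-Host ("{0} user(s) with UPN suffix {1}" -f $users.Count, $suffix)

    foreach ($user in $users) {
        if ($ListOnly) {
            Write-Host "Would convert $($user.UserPrincipalName)"
            continue
        }
        try {
            Convert-MSOLFederatedUser -UserPrincipalName $user.UserPrincipalName
            Write-Host "Converted $($user.UserPrincipalName)"
        } catch {
            # Keep going: one failing account should not stop outage recovery.
            Write-Warning "Failed to convert $($user.UserPrincipalName): $($_.Exception.Message)"
        }
    }
}

# Usage: review the list first, then run again without -ListOnly.
# Convert-FederatedUsersInDomain -DomainName 'contoso.example' -ListOnly
```

Run it once with -ListOnly to confirm the user set matches what you expect before converting anything.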

Source: KB2662960
