Recently, two new methods for Office 365 SSO have become available: Azure AD Seamless SSO, and Azure AD Domain Join. Active Directory Federation Services (ADFS) had (and still has) its place within Office 365 environments, but it is not nearly as attractive and easy to use as the new methods.
Switching from ADFS to password synchronization (or Pass-through Authentication) requires planning and communication.
Possible issues you may come across:
- Any client (Office, Outlook, OneDrive, Skype for Business, Mobile Devices, etc…) configured may prompt users for a password the first time after the change.
- Skype is notorious for poorly handling this change. Skype may be unable to sign in after the change.
- Troubleshooting steps should include rebooting and clearing the MicrosoftOffice entries from the Windows Credential Manager.
- During the cutover, users may be unable to login until passwords synchronize.
- Microsoft states that it can take up to 2 hours for your domain to be fully converted from Federated (ADFS) to Standard (Password Sync). In my experience it takes roughly 30 minutes, but plan for the full 2 hours to be safe.
- After the domain is converted from Federated, a password sync will need to run which also takes significant time depending on your user count.
Given these issues, be sure to communicate with your end users and plan to do this during an acceptable change window.
The old way to cutover was using PowerShell and DirSync (or Azure AD Sync). You would have to convert each domain in use with ADFS from “federated” to “standard,” and temporarily set a password for each user. Then DirSync or Azure AD Sync would need to be configured with Password sync to begin syncing passwords from your local AD. Directions for this are listed at the bottom under Manual Cutover, however I recommend you follow the Cutover using Azure AD Connect instructions as it performs many steps for you and shortens the downtime. Either method works for ADFS 2.0 (Server 2008) and above.
Cutover Using Azure AD Connect
Ensure you have Azure AD Connect installed and configured before starting.
- Open the Azure Active Directory Connect application from the start menu (or desktop).
- Click Configure.
- Select Change user sign-in and click Next.
- Enter Global Administrator credentials for your Azure AD (Office 365). These credentials are only to authenticate, and are not used or cached after this initial configuration.
- On the next screen, ensure that Federation with AD FS is preselected. If not, then Azure AD Connect is not setup to configure ADFS for you. Instead, you will need to exit and follow the Manual Cutover steps at the bottom of this article.
- Either select Password Synchronization or Pass-through authentication, depending on which route you have chosen.
- Leave Do not convert user accounts unchecked.
- If you are looking to use Azure AD Connect for Single Sign On, check Enable single sign-on. Click Next.
- If you chose Enable single sign-on, enter your domain admin credentials on the next screen to continue. If not, skip to step 8.
- Finally, ensure the Start the synchronization process when configuration completes box is checked, and click Configure. Passwords will start synchronizing right away.
- When complete, navigate to https://portal.office.com/adminportal/home#/dirsyncmanagement and sign in with your administrator account. Ensure that Password sync enabled is set to true, and Password sync shows recent.
Cutting over manually should not be necessary, and is not recommended. Should you need to however, follow the steps below.
- Open a PowerShell window from a computer with the Azure AD v1 PowerShell module installed (v2 does not support ADFS commands at this time).
- If you do not have this installed, find it at the following link: http://connect.microsoft.com/site1164/Downloads/DownloadDetails.aspx?DownloadID=59185
- Run the following command to import the Azure AD PowerShell module:
a. If this fails, you will most likely need to install the module from the above link.
- To connect to MSOnline, run the following command and enter Global Admin credentials at the prompt:
a. Some older versions of the module may error out at this step. If you get an error, instead try running:
Connect-MsolService -Credential (Get-Credential)
- Run the following ocmmand, where “adfsserver” is the name of one of your ADFS federation servers (this step is not needed if you are running PowerShell directly from the ADFS server).
Set-MsolADFSContext -Computer adfsserver
- Run the following command:
Convert-MsolDomainToStandard -DomainName domain.com -SkipUserConversion $false -PasswordFile C:\passwords.txt
a. “domain.com” = your domain (if you have multiple federated domains, you will need to run this command for each)
b. “C:\passwords.txt” = path to a text file where temporary passwords will be stored. These passwords will be overwritten by a synchronization in step #.
- This process takes time to run. You should see a screen similar to this while running:
- Once the command completes, you will need to enable password synchronization with Azure AD Connect using the steps above under Cutover using Azure AD Connect, starting with Step 1.
If you have any questions or comments, please reach out to me @theCloudSherpa. For further assistance with your identity management needs, get in touch with us.