question

user2021 asked amanpreetsingh-msft commented

How to revert back to Federated User Sign-Ins from Password Hash Sync Authentication Method?

Is it possible to revert back my user sign-ins in Azure AD Connect from password hash sync back to federated? If so, what are the impacts for the users that are already migrated to managed authentication?

Tags: azure-active-directory, adfs, azure-ad-connect, azure-ad-password-hash-sync

1 Answer

amanpreetsingh-msft answered amanpreetsingh-msft commented

Hi @user2021 • Thank you for reaching out.

If you are using ADFS for federation, you need to run the Convert-MsolDomainToFederated cmdlet on your ADFS server.

If you are using an STS other than ADFS, you need to run the Set-MsolDomainFederationSettings cmdlet.

You may also consider setting up PHS as a backup for AD FS in Azure AD Connect to avoid a single point of failure if your on-premises ADFS/3rd-party STS goes down.

The impact would be that, rather than authenticating directly with Azure AD, federated users will be redirected to the federation server for authentication. If you have any applications that use the ROPC flow and don't support redirection (e.g. Postman), they will throw an AADSTS50126 error. In that case, you will have to perform the steps I have mentioned here: https://medium.com/@amanmcse/ropc-username-password-flow-fails-with-aadsts50126-invalid-username-or-password-for-federated-90c666b4808d


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


Hi. Thank you for answering!

Yes, we are using ADFS for federation. So simply running the Convert-MsolDomainToFederated cmdlet will revert my authentication back to federation? Are there any additional steps or processes we need to check after running the cmdlet? Or is it the same process as in this tutorial, Switch Back to Federation?

@user2021 • Yes, the Convert-MsolDomainToFederated cmdlet will revert the authentication back to federated auth. After running this cmdlet, you can confirm that the domain is federated by running Get-MsolDomain and Get-MsolDomainFederationSettings.
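The conversion and verification steps described in the answer and the follow-up comment, written out as one PowerShell session. This is an added example and not code from the original thread or from Microsoft; it assumes the MSOnline module is installed, that the session runs on the AD FS server (as the answer requires for Convert-MsolDomainToFederated), and that `$domain` is replaced with the actual federated domain name (the value below is a placeholder). The check on the `Authentication` property is the verification the comment suggests, turned into an explicit pass/fail so a change window does not end with the domain silently still in Managed mode.

```powershell
# Added example, not from the original thread. Assumes the MSOnline module is
# installed and that this runs on the AD FS server. $domain is a placeholder.
Import-Module MSOnline
Connect-MsolService

$domain = 'contoso.example'   # placeholder; replace with your verified domain

# Record the current state before changing anything (expected: Managed when PHS is in use).
$before = Get-MsolDomain -DomainName $domain
Write-Host "Before: $($before.Name) authentication = $($before.Authentication)"

# Switch the domain from managed (PHS) back to federated with AD FS.
Convert-MsolDomainToFederated -DomainName $domain

# Verification from the thread: the domain must now report Federated, otherwise stop.
$after = Get-MsolDomain -DomainName $domain
if ($after.Authentication -ne 'Federated') {
    throw "Domain $domain still reports '$($after.Authentication)'; conversion did not take effect."
}
Write-Host "After: $($after.Name) authentication = $($after.Authentication)"

# Confirm the federation endpoints point at your own AD FS farm, not a stale STS.
Get-MsolDomainFederationSettings -DomainName $domain |
    Select-Object IssuerUri, PassiveLogOnUri, ActiveLogOnUri, FederationBrandName
```

If several domains are federated to the same AD FS farm, Convert-MsolDomainToFederated also accepts its existing `-SupportMultipleDomain` switch. Note that Microsoft has since deprecated the MSOnline module, so on a current tenant the same state is inspected through Microsoft Graph; the cmdlet names here are the ones the thread discusses.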