
0 Votes
NithyanandhamSingaravadivelu-7333 asked NithyanandhamSingaravadivelu-7333 commented

Change User Sign In method from Password hash Synchronization to Federate with ADFS

Hi All,


We have a requirement: users in the environment are currently using Password Hash Synchronization as the primary authentication method, which has to be changed to ADFS authentication.

In the current environment we have existing ADFS infrastructure in place, but there is no federation trust configured between on-premises AD and Azure AD.

In addition to that, there are multiple custom domains added as verified domains in Azure AD, which are currently set up with the domain type "Managed".

Can I use the option "Change user sign-in" on the Azure AD Connect server to change the authentication method from "Password Hash Synchronization" to "Federate with ADFS"? Would it help us to configure the federation trust between on-premises AD and Azure AD and then set ADFS as the primary authentication for users?

As we have multiple domains verified in Azure AD, when we go with the option "Change user sign-in" on the Azure AD Connect server, does the Azure AD Connect server create the federation trust in the backend using the switch -SupportMultipleDomain?

If yes, is there any option available on the Azure AD Connect server to convert the other verified domains from managed to federated?


Please help us with your inputs.

azure-ad-connect

1 Answer

0 Votes
Dev073 answered NithyanandhamSingaravadivelu-7333 commented

Hi,

Yes, you can use the command below to convert the domain.

Convert-MsolDomainToFederated -DomainName test.com -SupportMultipleDomain

The Convert-MsolDomainToFederated cmdlet converts the specified domain from standard authentication to single sign-on. Execute the convert command for the other domains.
As part of converting a domain from standard authentication to single sign-on, each user must also be converted. This conversion happens automatically the next time a user signs in.
It usually takes ~30 minutes for the entire process to complete. Sometimes it can take longer, depending on the tenant's user-object count and other factors.

Note: Password hash synchronization will be used as a backup if the option is still enabled along with federation.

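The conversion the answer describes, written out as an added example that is not code from the post or from Microsoft: audit the authentication type of every verified domain, then federate each Managed domain with -SupportMultipleDomain and read back the federation settings Azure AD now holds. It assumes the MSOnline module is installed, that the script runs on the AD FS server (Convert-MsolDomainToFederated reads the local AD FS configuration), that Connect-MsolService has already been run, and that the domain names are placeholders.

```powershell
# Added example, not part of the original Q&A thread.
# Assumptions: MSOnline module present, Connect-MsolService already done,
# executed on the AD FS server; domain names below are placeholders.
Import-Module MSOnline

function Get-DomainAuthReport {
    # Lists every domain in the tenant with its verification state and
    # authentication type; only Verified domains can be federated.
    Get-MsolDomain | Select-Object Name, Status, Authentication, IsDefault
}

function Convert-ManagedDomainsToFederated {
    # Federates each Managed domain in $DomainName. -WhatIf shows the plan
    # without changing anything, which is the safe first run.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string[]] $DomainName
    )
    foreach ($d in $DomainName) {
        $domain = Get-MsolDomain -DomainName $d
        if ($domain.Status -ne 'Verified') {
            Write-Warning "$d is not verified; skipping."
            continue
        }
        if ($domain.Authentication -eq 'Federated') {
            Write-Host "$d is already federated; skipping."
            continue
        }
        if ($PSCmdlet.ShouldProcess($d, 'Convert-MsolDomainToFederated -SupportMultipleDomain')) {
            Convert-MsolDomainToFederated -DomainName $d -SupportMultipleDomain
            # Read back what Azure AD stored for the domain so the trust can be
            # checked against the AD FS farm before users start signing in.
            Get-MsolDomainFederationSettings -DomainName $d |
                Select-Object IssuerUri, PassiveLogOnUri, ActiveLogOnUri, MetadataExchangeUri
        }
    }
}

# Usage: review first, dry-run, then convert, then review again.
Write-Host 'Before:'; Get-DomainAuthReport | Format-Table -AutoSize
$targets = @('contoso.example', 'fabrikam.example')   # placeholder domains
Convert-ManagedDomainsToFederated -DomainName $targets -WhatIf
# Convert-ManagedDomainsToFederated -DomainName $targets
Write-Host 'After:';  Get-DomainAuthReport | Format-Table -AutoSize
```

The before/after report is the check worth keeping: a domain that still shows Authentication = Managed after the run was skipped or failed, and the federation settings readback is where a wrong IssuerUri or endpoint would show up before it affects sign-ins.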

Hi Dev073,

Thank you for your response.

I can understand that I need to use the below command repeatedly to convert all the verified domains from managed to federated domain type.

Convert-MsolDomainToFederated -DomainName test.com -SupportMultipleDomain

Please clarify the below questions.

  1. After the above-mentioned command is executed for all the domains, do I need to change the user sign-in method on the Azure AD Connect server from PHS to Federate with ADFS?

  2. "This conversion happens automatically the next time a user signs in" - could you please elaborate on this part? What changes will happen in the user objects when the user signs in after this change?

0 Votes
Dev073 · NithyanandhamSingaravadivelu-7333

The PowerShell command is enough to convert the domain from Managed to Federated.

Once the configuration is successful, all of your Azure AD synced user accounts will authenticate to your on-premises Active Directory via ADFS. Ensure ADFS is correctly configured and healthy.

0 Votes

@Dev073

Thank you for your response on the PHS to ADFS conversion. Below are the steps I have created for rollback.

Step 1 :

$cred = Get-Credential

Step 2 :

Connect-MsolService -credential $cred

Step 3:

Set-MSOLDomainAuthentication -Authentication Managed -DomainName test.com

Question :

After executing the above steps, do I need to execute the command below against every user, or is it not required?

Convert-MSOLFederatedUser -UserPrincipalName "User1@test.com"

Convert-MSOLFederatedUser -UserPrincipalName "User2@test.com" and so on for all other accounts

0 Votes
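The rollback in the last comment, as an added example that is not code from the thread or from Microsoft: switch one domain back to Managed, verify the change by reading the domain object again, and optionally run Convert-MsolFederatedUser for listed users. Whether that per-user step is required when password hash synchronization is enabled is the question the comment leaves open; the script treats it as optional and makes no claim either way. It assumes the MSOnline module is installed, that Connect-MsolService has already been run (steps 1 and 2 above), and that the domain and UPNs are placeholders.

```powershell
# Added example, not part of the original Q&A thread.
# Assumptions: MSOnline module present, Connect-MsolService already done;
# domain name and UPNs are placeholders.
Import-Module MSOnline

function Revert-DomainToManaged {
    # Reverts one federated domain to Managed and returns the refreshed domain
    # object so the caller can confirm Authentication = Managed.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $DomainName,
        # Optional: users to pass through Convert-MsolFederatedUser. The cmdlet
        # sets a new password, so one is prompted for per user. Assumption: this
        # step is left optional because the thread does not settle whether it
        # is needed when PHS is enabled.
        [string[]] $UserPrincipalName = @()
    )

    $before = Get-MsolDomain -DomainName $DomainName
    if ($before.Authentication -ne 'Federated') {
        Write-Warning "$DomainName is already $($before.Authentication); nothing to do."
        return $before
    }

    if ($PSCmdlet.ShouldProcess($DomainName, 'Set-MsolDomainAuthentication -Authentication Managed')) {
        Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Managed
    }

    foreach ($upn in $UserPrincipalName) {
        if ($PSCmdlet.ShouldProcess($upn, 'Convert-MsolFederatedUser')) {
            # Read the password without echoing it, then unwrap it only for the
            # call itself because -NewPassword takes a plain string.
            $secure = Read-Host -Prompt "New password for $upn" -AsSecureString
            $plain  = [System.Net.NetworkCredential]::new('', $secure).Password
            Convert-MsolFederatedUser -UserPrincipalName $upn -NewPassword $plain
            $plain = $null
        }
    }

    # Re-read the domain; this is the check that the rollback actually applied.
    $after = Get-MsolDomain -DomainName $DomainName
    if ($after.Authentication -ne 'Managed') {
        Write-Warning "$DomainName still reports $($after.Authentication); investigate before proceeding."
    }
    return $after
}

# Usage: dry-run first, then apply and confirm the returned object.
Revert-DomainToManaged -DomainName 'contoso.example' -WhatIf           # placeholder domain
# $result = Revert-DomainToManaged -DomainName 'contoso.example' -UserPrincipalName 'user1@contoso.example','user2@contoso.example'
# $result | Select-Object Name, Authentication, Status
```

Keeping the readback at the end is the point of the function: after a rollback, the domain object reporting Managed is the evidence that sign-ins no longer depend on the AD FS farm, and a domain that still reports Federated is the signal to stop rather than move on to the per-user step.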