Convert-MsolDomainToStandard

Updated: July 30, 2015

Applies To: Azure, Office 365, Windows Intune

Note

  • The cmdlets were previously known as the Microsoft Online Services Module for Windows PowerShell cmdlets.

The Convert-MsolDomainToStandard cmdlet converts the specified domain from single sign-on (also known as identity federation) to standard authentication. This process also removes the relying party trust settings in the AD FS server and online service. After the conversion, this cmdlet will convert all existing users from single sign-on to standard authentication. Any existing user who was configured for single sign-on and does not have a password set by using password hash sync will be given a new temporary password as part of the conversion process. Each converted user name and new temporary password will be recorded in a file for reference by the administrator. The administrator can then distribute the new temporary password to each converted user to enable the user to sign in to the online service.

Syntax

Convert-MsolDomainToStandard -DomainName <string> -PasswordFile <string> -SkipUserConversion <Boolean> [-Confirm] [-WhatIf] [<CommonParameters>]

Parameters

    -DomainName <string>
        The domain name to convert from single sign-on (also known as identity 
        federation) to standard authentication.
        
        Required?                    true
        Position?                    named
        Default value                
        Accept pipeline input?       false
        Accept wildcard characters?  false
        
    -PasswordFile <string>
        The file where converted users' user names and temporary passwords 
        will be recorded.
        
        Required?                    true
        Position?                    named
        Default value                
        Accept pipeline input?       false
        Accept wildcard characters?  false
        
    -SkipUserConversion <Boolean>
        If set to True, users will not be converted as part of the operation. 
        Administrators can run the cmdlet again to convert users at a later 
        date. The password file is still required but will be empty if set to 
        True.
        
        Required?                    true
        Position?                    named
        Default value                
        Accept pipeline input?       false
        Accept wildcard characters?  false
        
    -Confirm [<SwitchParameter>]
        Prompts you for confirmation before executing the command.
        
        Required?                    false
        Position?                    named
        Default value                
        Accept pipeline input?       false
        Accept wildcard characters?  false
        
    -WhatIf [<SwitchParameter>]
        Describes what would happen if you executed the command without 
        actually executing the command.
        
        Required?                    false
        Position?                    named
        Default value                
        Accept pipeline input?       false
        Accept wildcard characters?  false
        
    <CommonParameters>
        This cmdlet supports the common parameters: Verbose, Debug,
        ErrorAction, ErrorVariable, WarningAction, WarningVariable,
        OutBuffer and OutVariable. For more information, type,
        "get-help about_commonparameters".

Examples

You will require a connection to both the AD FS server and the Microsoft Online Services domain before the command can be run successfully. The following command removes the relying party trust information from the Microsoft Federation Gateway and the on-premises AD FS. In the command, contoso.com is the Microsoft Online Services domain name. The -PasswordFile parameter indicates the path of the text file that contains the newly created temporary password of each formerly-federated user’s account. The password file is created automatically and the passwords are set randomly. Open the c:\userpasswords.txt file to see the passwords that were created for each user.

Convert-MSOLDomainToStandard -DomainName contoso.com -SkipUserConversion $false -PasswordFile c:\userpasswords.txt

Warning

If the -SkipUserConversion:$true parameter is used, a password file is not generated. In this case, the associated user accounts cannot be used until one of the following occurs:

  1. The domain is converted back to use federated authentication by using the Convert-MsolDomainToFederated cmdlet

  2. Each user account is converted to use standard authentication by using the Convert-MsolFederatedUser cmdlet
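Because the password file holds every converted user's temporary password in plain text, the following added example (not part of the original reference) restricts the output directory before running the conversion and checks the domain's authentication type before and after. The AD FS server name `adfs01.contoso.com` and the directory `C:\MsolConversion` are assumed placeholder values.

```powershell
# Added example; $AdfsServer and $OutDir are assumed placeholder values.
$Domain     = 'contoso.com'
$AdfsServer = 'adfs01.contoso.com'   # hypothetical AD FS server name
$OutDir     = 'C:\MsolConversion'    # hypothetical working directory

# Connect to the online service and point the module at the AD FS server.
Connect-MsolService
Set-MsolADFSContext -Computer $AdfsServer

# Only proceed if the domain is currently federated.
$before = Get-MsolDomain -DomainName $Domain
if ($before.Authentication -ne 'Federated') {
    throw "$Domain is '$($before.Authentication)'; nothing to convert."
}

# Create the output directory and lock it down before any password is written:
# disable inheritance, drop inherited entries, allow only this user and SYSTEM.
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$acl = Get-Acl -Path $OutDir
$acl.SetAccessRuleProtection($true, $false)
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
foreach ($id in $me, 'NT AUTHORITY\SYSTEM') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $OutDir -AclObject $acl

$PasswordFile = Join-Path $OutDir 'userpasswords.txt'

# Preview the operation, then run it with a confirmation prompt.
Convert-MsolDomainToStandard -DomainName $Domain -SkipUserConversion $false `
    -PasswordFile $PasswordFile -WhatIf
Convert-MsolDomainToStandard -DomainName $Domain -SkipUserConversion $false `
    -PasswordFile $PasswordFile -Confirm

# Check the domain's authentication type after the conversion.
(Get-MsolDomain -DomainName $Domain).Authentication

# Once the temporary passwords have been distributed, delete the file:
# Remove-Item -Path $PasswordFile
```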

See Also

Other Resources

Manage Azure Active Directory by using Windows PowerShell
Users can no longer access Office 365 after you run the convert-MSOLDomaintoFederated cmdlet to convert an existing domain