How to revert back to Federated User Sign-Ins from Password Hash Sync Authentication Method?

Question

Is it possible to revert back my user sign-ins in Azure AD Connect from password hash sync back to federated? If so, what are the impacts for the users that are already migrated to managed authentication?

Answer 1

Hi @user20201 • Thank you for reaching out.

If you are using ADFS for federation, you need to run Convert-MsolDomainToFederated cmdlet on your ADFS Server.

If you are using an STS other than ADFS, you need to run Set-MsolDomainFederationSettings cmdlet.

You may also consider Setting up PHS as backup for AD FS in Azure AD Connect to avoid single point of failure if your on-premises ADFS/3rd party STS goes down.

The impact would be, rather than authenticating directly from Azure AD, federated users will be redirected to the federation server for authentication. If you have any applications, that uses ROPC flow and doesn't support redirection (e.g. Postman), it will throw AADSTS50126 error. In that case, you will have to perform the steps, I have mentioned here: https://medium.com/@amanmcse/ropc-username-password-flow-fails-with-aadsts50126-invalid-username-or-password-for-federated-90c666b4808d

-----------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.