identity provider

Admin User 0 Reputation points
2025-10-02T21:51:35.0233333+00:00

I switched ID providers, without knowing that was what I was doing, running under another tech's guidance from Synology. I want to switch back to Microsoft for identity governance. How do I do that?

The command I used to change, and mess things up:

New-MgDomainFederationConfiguration -DomainId 'consanto.com' -DisplayName 'synology' -IssuerUri 'c2id:mqDQsQuc3V5pqsCMU' -SignOutUri 'https://consanto.identity.us.synologyc2.com/sso/app/c2id:mqDQsQuc3V5pqsCMU/slo/saml/' -PassiveSignInUri 'https://consanto.identity.us.synologyc2.com

Microsoft Security | Microsoft Identity Manager

2 answers

  1. David T. Cannon 0 Reputation points
    2025-10-13T20:10:18.2466667+00:00

    Thanks for your reply. I found the process over my head, and I did not want to make things worse, so I ended up hiring a technician to correct my mistake. That was about an $800 mistake.


  2. Anonymous
    2025-10-03T09:42:36.6466667+00:00

    Hello Admin User, welcome to the Microsoft Q&A Platform. Thank you for reaching out, and I hope you are doing well.

    Before we proceed further, do you have an emergency access (break-glass) account that uses the initial .onmicrosoft.com domain (e.g., ******@consanto.onmicrosoft.com)? What is the current sign-in method for the user identities? (e.g., are they using Password Hash Synchronization (PHS), Pass-through Authentication (PTA), or are they cloud-only accounts?)

    I will try to give you some solutions:

    You need to use the Update-MgDomain command to set the domain's authentication type back to Managed.

    Install the Microsoft Graph PowerShell Module: You've already used New-MgDomainFederationConfiguration, so you likely have the module, but confirm you can connect.

    # 1. Install the module (if needed)
    Install-Module -Name Microsoft.Graph -Scope CurrentUser
    # 2. Connect to Microsoft Graph with the necessary permissions (use your .onmicrosoft.com break-glass account)
    Connect-MgGraph -Scopes "Domain.ReadWrite.All", "Directory.AccessAsUser.All"
    

    Verify the current Federation settings: This command confirms that the federation object is still present.

    Get-MgDomainFederationConfiguration -DomainId 'consanto.com'
    

    Revert the Domain to Managed Authentication: This command is the one that tells Microsoft Entra ID to stop redirecting sign-ins to Synology and to handle the authentication directly.

    Verify the Change: Run a check to confirm the domain is no longer set to federated. The domain should now show the Authentication Type as Managed.

    Get-MgDomain -DomainId 'consanto.com' | Select-Object AuthenticationType
    

    Cleanup (it is optional): The federation configuration object is technically still stored in the directory, even though it's no longer being used. For a complete cleanup, you can remove it. You will first need the unique ID of the federation configuration object.

    # 4a. Get the Federation Configuration ID
    $FederationConfigId = (Get-MgDomainFederationConfiguration -DomainId 'consanto.com').Id
    # 4b. Remove the object
    Remove-MgDomainFederationConfiguration -DomainId 'consanto.com' -InternalDomainFederationId $FederationConfigId
    

    Hope this helps! If you need more info, feel free to ask in the comments. Happy to help!

    Regards,

    Monalisha

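The revert procedure above, gathered into one script with the checks a practitioner would want before flipping a domain's sign-in path: this is an added example, not code from the answer or from Microsoft. It assumes the Microsoft.Graph module is installed, that you sign in with the .onmicrosoft.com break-glass account the answer asks about, that users already have a cloud-usable credential (PHS, PTA or cloud-only), and that `Update-MgDomain -AuthenticationType` is the cmdlet the answer refers to; the domain name is a placeholder.

```powershell
# Added example (not from the original answer): revert a federated domain to
# Managed, verify the result, and clean up the stale federation object.
# Assumptions: Microsoft.Graph installed; session is the .onmicrosoft.com
# break-glass account; the domain below is a placeholder, not a real tenant.
$Domain = 'contoso.com'   # placeholder: replace with your own verified domain

Connect-MgGraph -Scopes 'Domain.ReadWrite.All', 'Directory.AccessAsUser.All'

# Refuse to continue unless the signed-in account is on the initial domain, so a
# failed revert cannot lock the operator out together with every federated user.
$me = (Get-MgContext).Account
if ($me -notlike '*.onmicrosoft.com') {
    throw "Sign in with the .onmicrosoft.com emergency access account, not '$me'."
}

# Record the current state before changing anything (useful evidence later).
$before = Get-MgDomain -DomainId $Domain
$fed    = Get-MgDomainFederationConfiguration -DomainId $Domain -ErrorAction SilentlyContinue
Write-Host "Before: AuthenticationType=$($before.AuthenticationType); federation objects=$(@($fed).Count)"
$fed | Select-Object Id, DisplayName, IssuerUri, PassiveSignInUri | Format-List

if ($before.AuthenticationType -eq 'Managed') {
    Write-Host 'Domain is already Managed; nothing to do.'
    return
}

# Flip the domain back to Managed. Sign-ins stop redirecting to the external
# issuer immediately, which is why the PHS/PTA/cloud-only question must be
# answered before this line runs.
Update-MgDomain -DomainId $Domain -AuthenticationType 'Managed'

# Verify the change and fail loudly if it did not take effect.
$after = Get-MgDomain -DomainId $Domain
if ($after.AuthenticationType -ne 'Managed') {
    throw "Domain '$Domain' still reports AuthenticationType=$($after.AuthenticationType)"
}
Write-Host "After: AuthenticationType=$($after.AuthenticationType)"

# Optional cleanup: remove the leftover federation object so the wrong issuer
# cannot be re-enabled by accident.
foreach ($f in @($fed)) {
    Remove-MgDomainFederationConfiguration -DomainId $Domain -InternalDomainFederationId $f.Id
}
```

After the revert, test a sign-in with an ordinary user from a fresh browser session to confirm it no longer redirects to the old issuer.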

