This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(35.2, 26%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EB%3C/text%3E%3C/svg%3E)
Hello
I am currently trying to remove Office 365 authenication from our adfs server.
I came across this article:
https://social.technet.microsoft.com/wiki/contents/articles/34464.remove-office-365-federation-from-adfs-server.aspx
My question is by performing the above steps, will the users now authenticate directly with Office 365 instead of the ADFS server and is there any other config required?
Thanks
Hi Berket2020
your best option is to open up ad connect and change to password hash sync and tick enable single sign on
but there is one step you need to remember , they key PowerShell command to remember is the below.
5) Set-MsolDomainAuthentication -DomainName Pelegit.co.il -Authentication Managed
the attached properly explains the procedure on removing adfs for office 365 authentication
https://pelegit.co.il/adfs-disable-office-365-sso/
by performing the steps in the attached guide the users will authenticate against office 365 instead of your adfs server.
Best Regards
Matthew Browne MCT
@AzureGuruMatt
Yes but there is more to consider.
First of all, you don't have to turn on/off the switch for everyone. You can use the Staged Rollout feature https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-staged-rollout. Quick explanation here but do read the link :) Normally what is telling the Azure AD if the user are authenticated in the cloud or on a federation server like AD FS is the domain name (the right part of the email/UPN). If you are bob@Company portal .com and that in Azure AD, contoso.com is marked as a managed domain, then we redirect you to the Azure AD login experience. If you are alice@fabrikam.com and fabrikam.com is a federated domain in Azure AD we redirect you to the federation service you have configured. This is called the Home Realm Discovery process. This in a nutshell, we use your domain name do discover when you come from and where you should go. When you enable the Staged Rollout, we are going to use your full name for that process. So you could have bob@Company portal .com and charles@Company portal .com in the same domain, but have a different sign-in experience. If you have added bob into your stagged roll out group, then bob will be having the Azure AD sign-in experience even if contoso.com is federated. And charles@Company portal .com will continue to go to AD FS. So this feature is here for you to test if your transition is ready without affecting all your user base. In other words, start with that.
Then, yes when you are confident you don't need AD FS anymore and you can configure your domain as managed. You can follow the instructions you found on that post, but quite frankly, you should use the Azure AD Connect Wizard. It has a section to change the authentication method for your users and will take care of the things without worring about the syntax etc...
@Pierre Audonnet - MSFT thank you for the info. What are the steps to do it via AD connect server? can you provide an article? or link
Launch the Azure AD Connect wizard.
Select Change user-sign.
Pick the method you want (you should be set to Federation with AD FS) at the moment. For example PHS:
Then Next and follow the steps.