Change User Sign In method from Password hash Synchronization to Federate with ADFS

Nithyanandham Singaravadivelu 1 Reputation point
2022-04-02T07:36:48.357+00:00

Hi All,

We have a requirement: users in the environment are currently using Password Hash Synchronization as the primary authentication method, which has to be changed to AD FS authentication.

In the current environment we have existing ADFS infrastructure in place but there is no federation trust configured between On premises AD and Azure AD.

In addition to that, there are multiple custom domains added as verified domains in Azure AD, which are currently set up with the domain type "Managed".

Can I use the option "Change user sign in" on the Azure AD Connect server to change the authentication method from "Password Hash Synchronization" to "Federate with ADFS"? Would it help us configure the federation trust between on-premises AD and Azure AD and then set AD FS as the primary authentication for users?

As we have multiple domains verified in Azure AD, when we go with the option "Change user sign in" in the Azure AD Connect server, does the Azure AD Connect server create the federation trust in the backend using the switch -SupportMultipleDomain?

If yes, is there any option available in the Azure AD Connect server to convert the other verified domains from managed to federated?

Please help us with your inputs.

Microsoft Entra ID

1 answer

  1. Devaraj G 2,091 Reputation points
    2022-04-03T10:33:43.147+00:00

    Hi,

    Yes, you can leverage the command below to convert the domain.

    Convert-MsolDomainToFederated -DomainName test.com -SupportMultipleDomain

    The Convert-MsolDomainToFederated cmdlet converts the specified domain from standard authentication to single sign-on. Execute the convert command for the other domains as well.
    As part of converting a domain from standard authentication to single sign-on, each user must also be converted. This conversion happens automatically the next time a user signs in.
    It usually takes ~30 minutes for the entire process to complete; sometimes it can take longer depending on the tenant's number of user objects and other factors.

    Note: Password hash synchronization will be used as a backup if the option is still left enabled alongside federation.
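The answer's per-domain conversion, as an added example (not the answerer's own script), put together into one run that enumerates the tenant's verified managed domains, converts each with -SupportMultipleDomain, and then reads the federation settings back so you can confirm the issuer URI and endpoints were written. It assumes the MSOnline module is installed, that it is run from the AD FS server (or with Set-MsolADFSContext pointed at one), and that the domain names and the AD FS host in the list are constructed placeholders; nothing here touches the user objects, which, as the answer notes, are converted on their next sign-in.

```powershell
# Added example: convert every verified "Managed" domain to federated
# and verify the result. Domain names and AD FS host below are placeholders.
Import-Module MSOnline
Connect-MsolService                     # interactive sign-in as a Global Administrator

$AdfsServer = 'adfs01.corp.example'     # placeholder: primary AD FS server
$DryRun     = $true                     # set to $false to actually convert

# Convert-MsolDomainToFederated needs the AD FS context so it can write the
# relying-party trust on the farm as well as the federation settings in Azure AD.
Set-MsolADFSContext -Computer $AdfsServer

# Only verified domains that are still "Managed" are candidates.
$candidates = Get-MsolDomain |
    Where-Object { $_.Status -eq 'Verified' -and $_.Authentication -eq 'Managed' }

foreach ($d in $candidates) {
    if ($DryRun) {
        Write-Host "[dry-run] would convert $($d.Name) (SupportMultipleDomain)"
        continue
    }
    # -SupportMultipleDomain is required when more than one domain in the
    # tenant is federated with the same AD FS farm (per-domain issuer URI).
    Convert-MsolDomainToFederated -DomainName $d.Name -SupportMultipleDomain
}

# Verification: every candidate should now report Authentication = Federated,
# and its federation settings should carry a distinct IssuerUri.
Get-MsolDomain |
    Where-Object { $_.Status -eq 'Verified' } |
    ForEach-Object {
        $fed = $null
        if ($_.Authentication -eq 'Federated') {
            $fed = Get-MsolDomainFederationSettings -DomainName $_.Name
        }
        [pscustomobject]@{
            Domain         = $_.Name
            Authentication = $_.Authentication
            IssuerUri      = if ($fed) { $fed.IssuerUri } else { '' }
            PassiveLogOn   = if ($fed) { $fed.PassiveLogOnUri } else { '' }
        }
    } | Format-Table -AutoSize
```

Run it once with $DryRun left at $true to see which domains it would touch, then flip it. Two practical checks before the real run: confirm that the federation metadata endpoint of the AD FS farm is reachable from the internet (Azure AD will redirect users there for every sign-in), and keep Password Hash Synchronization enabled in Azure AD Connect during the cutover, since, as the answer points out, it remains the fallback if federation has to be rolled back. Note also that the MSOnline module has been deprecated by Microsoft in favour of Microsoft Graph PowerShell, so check the module's current support status before relying on these cmdlets in a new deployment.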