This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 68%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENS%3C/text%3E%3C/svg%3E)
Hi All,
The requirement is to convert the authentication method for users from PHS to ADFS, then set the PHS as the back up method of authentication in case of ADFS failure.
We have the existing ADFS setup in place without federation between on premises and Azure AD, and we have the latest version of Azure AD connect server running (2.1.1.0 ), but wanted to understand, do we have any options in Azure AD connect server to federate multiple top level domains or the recommended method is only to go with PowerShell i.e Convert-MSOLDomainToFederated with -SupportMultipleDomain for all the verified domains ?
Please share your thoughts.
Well, um. My thoughts, honestly. Why would you do this? If you are using PHS now, why go back to ADFS?
Hi Andy,
The decision was made by our top management and i cannot change it unfortunately. Also they have the existing ADFS infrastructure in place and now they wanted to enable federation between on premises ADFS and Azure AD.
I agree with Andy - we have been moving clients away from ADFS to the more modern auth methods for the last couple of years now. If you need to honour user account expiry AD Connect can now be configured to do this with PHS, but if there is a hard requirement to use your on-premises AD for authentication, use PTA.
If you have to do it (I would try and explain that the 'trend' is to move away from ADFS these days!)... here are the commands I used a few years back for what sounds like a similar setup (you can perform initial configuration via AD Connect and use commands as needed)
Import-Module MSOnline
$domain = 'domain'
$cred = Get-Credential
Connect-MsolService –Credential $cred
Convert-MsolDomainToFederated –DomainName $domain
Set-MsolFederatedDomain -DomainName $domain -SupportMultiDomain
Get-MsolDomain
Get-ADFSRelyingPartyTrust
Get-MSOLFederationProperty -DomainName $domain
Get-MsolDomainFederationSettings -DomainName $domain
Set-MsolDomainAuthentication -Authentication Managed -DomainName $domain
Initialize-ADDeviceRegistration
Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents
Set-AdfsProperties -WIASupportedUserAgents ((Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents) + “Chrome” + "Mozilla/5.0" + "Edge/12")