Switching from Federated to Cloud Auth (AD FS to Dirsync/AADSync + Password Hash Sync or Password Hash Sync Failover)

A few years ago, we released "DirSync with Password Hash Synchronization," and it was kind of an all-or-nothing choice. You could either have a synchronized account database with synchronized password hashes (so users authenticate in the cloud), or a federated environment. In a federated Office 365 environment, Office 365 redirects authentication to an on-premises Active Directory environment, presented by Active Directory Federation Services (AD FS). This is what gives you the "single sign-on" experience. However, if the AD FS environment fails or becomes unreachable because of an internal or external networking event, Office 365 users cannot authenticate and cannot access services.

This makes users angry.

If you expect an extended outage and don't already have a geo-redundant AD FS deployment, switching your domains from federated to managed (cloud) authentication is the next best thing: users keep signing in with their existing passwords, validated against the synchronized hashes instead of AD FS.

Prerequisites

  • DirSync / AADConnect configured with Password Hash Sync (the hashes must already be in the cloud, or converting to managed authentication locks everyone out)
  • AD FS configured and enabled for your domain
  • Global Admin account with a managed domain suffix (user@tenant.onmicrosoft.com), because a federated admin account cannot sign in while AD FS is down

Steps

AD FS to Password Hash Sync

  1. Install Windows Azure AD Cmdlets (https://aka.ms/aadposh).
  2. Launch Azure AD shell and connect to Microsoft Online from any machine.
  3. $cred = Get-Credential
  4. Connect-MsolService -Credential $cred
  5. $domains = (Get-MsolDomain).Name | Where-Object { $_ -notlike "*onmicrosoft.com" }
  6. foreach ($domain in $domains) { Set-MsolDomainAuthentication -DomainName $domain -Authentication Managed }
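The steps above, wrapped in a script with the pre-checks and post-check a practitioner would want before flipping authentication for a whole tenant. This is an added example, not code from the original post; it assumes the MSOnline module, a Global Admin on the tenant's .onmicrosoft.com domain, and a log file location (under $env:TEMP) that is an assumption of the example.

```powershell
# Added example (not from the original post): fail over every federated domain
# to Managed (cloud) authentication, with checks before and after.
# Assumes the MSOnline module and a Global Admin on user@tenant.onmicrosoft.com.
Import-Module MSOnline

$cred = Get-Credential -Message "Global Admin (user@tenant.onmicrosoft.com)"
Connect-MsolService -Credential $cred

# Pre-check 1: password hash sync must actually be on, otherwise Managed
# authentication has no hashes to validate against and every user is locked out.
$company = Get-MsolCompanyInformation
if (-not $company.PasswordSynchronizationEnabled) {
    throw "Password hash sync is not enabled for this tenant; converting to Managed would lock users out."
}
Write-Host ("Last password hash sync: {0}" -f $company.LastPasswordSyncTime)

# Pre-check 2: only touch domains that are currently federated, and record them
# so the failback step knows exactly which domains to restore.
$federated = Get-MsolDomain |
    Where-Object { $_.Authentication -eq 'Federated' -and $_.Name -notlike '*onmicrosoft.com' }
if (-not $federated) {
    Write-Host "No federated domains found; nothing to do."
    return
}

$logPath = Join-Path $env:TEMP 'federated-domains-before-failover.txt'   # assumed location
$federated.Name | Set-Content -Path $logPath
Write-Host "Recorded $($federated.Count) federated domain(s) to $logPath"

foreach ($d in $federated) {
    Write-Host "Converting $($d.Name) to Managed..."
    Set-MsolDomainAuthentication -DomainName $d.Name -Authentication Managed
}

# Post-check: every domain we touched must now report Managed.
$stillFederated = Get-MsolDomain |
    Where-Object { $_.Authentication -eq 'Federated' -and $_.Name -in $federated.Name }
if ($stillFederated) {
    Write-Warning ("Still federated: {0}" -f ($stillFederated.Name -join ', '))
} else {
    Write-Host "All targeted domains now use Managed authentication."
}
```

While the domains are managed, anything enforced only at AD FS (claims rules, AD FS-side MFA or client-access policies) no longer applies to Office 365 sign-ins, so keep the failover window as short as you can and watch the sign-in logs until you fail back.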

Reconfigure AD FS

Once the AD FS environment is rebuilt/restored:

  1. Launch Azure AD shell as Administrator on an AD FS farm server and connect to Microsoft Online.
  2. $cred = Get-Credential
  3. Connect-MsolService -Credential $cred
  4. Convert-MsolDomainToFederated -DomainName <top-level domain.com> -SupportMultipleDomain
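The failback procedure as a script, run from an AD FS farm server, which first confirms the farm is healthy and afterwards confirms that the token-signing certificate Azure AD now trusts is the one this farm actually uses. This is an added example, not the original post's code; it assumes the MSOnline and ADFS modules, the same log file location the failover example assumes, and the same Global Admin account on the .onmicrosoft.com domain.

```powershell
# Added example (not from the original post): re-federate the domains that were
# converted to Managed during failover. Run on an AD FS farm server.
Import-Module MSOnline
Import-Module ADFS   # AD FS cmdlets (Windows Server 2012 R2 and later)

$cred = Get-Credential -Message "Global Admin (user@tenant.onmicrosoft.com)"
Connect-MsolService -Credential $cred

# Pre-check 1: do not point Office 365 back at a farm that is not serving.
$svc = Get-Service -Name adfssrv
if ($svc.Status -ne 'Running') {
    throw "AD FS service (adfssrv) is $($svc.Status); not converting."
}
$fsName      = (Get-AdfsProperties).HostName
$metadataUrl = "https://$fsName/FederationMetadata/2007-06/FederationMetadata.xml"
try {
    $null = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing -ErrorAction Stop
} catch {
    throw "Federation metadata not reachable at $metadataUrl : $($_.Exception.Message)"
}

# Pre-check 2: read the domain list recorded at failover (assumed location).
$logPath = Join-Path $env:TEMP 'federated-domains-before-failover.txt'
$domains = Get-Content -Path $logPath | Where-Object { $_ }
if (-not $domains) { throw "No domains recorded in $logPath; nothing to restore." }

foreach ($name in $domains) {
    $current = Get-MsolDomain -DomainName $name
    if ($current.Authentication -eq 'Federated') {
        Write-Host "$name is already federated; skipping."
        continue
    }
    Write-Host "Converting $name back to Federated..."
    Convert-MsolDomainToFederated -DomainName $name -SupportMultipleDomain
}

# Post-check: the signing certificate Azure AD stores for each domain must match
# this farm's primary token-signing certificate, or tokens will be rejected.
$farmCert  = (Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }).Certificate
$farmThumb = $farmCert.Thumbprint
foreach ($name in $domains) {
    $settings  = Get-MsolDomainFederationSettings -DomainName $name
    $cloudCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
                     , [Convert]::FromBase64String($settings.SigningCertificate))
    if ($cloudCert.Thumbprint -eq $farmThumb) {
        Write-Host "$name : federated, issuer $($settings.IssuerUri), signing cert matches farm."
    } else {
        Write-Warning "$name : Azure AD signing cert $($cloudCert.Thumbprint) != farm cert $farmThumb"
    }
}
```

The certificate comparison is the check that matters after a rebuild: if the farm was restored with a new token-signing certificate, the conversion must have pushed that certificate to Azure AD, and any mismatch here means users will get token-validation failures rather than a clean sign-in.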