Manage single sign-on in Azure AD

Updated: July 30, 2015

Applies To: Azure, Azure Active Directory, Office 365, Windows Intune

Manage single sign-on

Use the following cmdlets to perform tasks related to single sign-on, such as adding a new single sign-on domain (also known as identity-federated domain) to Azure AD.

Windows PowerShell cmdlet | Description

New-MsolFederatedDomain

The New-MsolFederatedDomain cmdlet adds a new single sign-on domain (also known as an identity-federated domain) to Azure AD and configures the relying party trust settings between the on-premises Active Directory Federation Services 2.0 server and Azure AD. Because Azure AD requires proof of domain ownership, the first run registers the domain and reports the DNS verification record you must publish; run the cmdlet again once that record is visible in DNS to finish adding the single sign-on domain.

Convert-MsolDomainToStandard

The Convert-MsolDomainToStandard cmdlet converts the specified domain from single sign-on (also known as identity federation) to standard authentication. This process removes the relying party trust settings in the Active Directory Federation Services 2.0 server and Azure AD, then converts every existing user in the domain from single sign-on to standard authentication. Each converted user is assigned a new temporary password, and the user name and temporary password pairs are recorded in a file for the administrator, who distributes each temporary password to its user so that the user can sign in to the cloud service. That file holds cleartext credentials for every converted user: write it to a location only the administrator can read, deliver the passwords out of band, and delete the file once distribution is complete.
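The conversion to standard authentication, as an added example that is not part of the original page and not Microsoft's own code. It assumes the MSOnline module is installed, that Connect-MsolService and Set-MsolADFSContext have already been run in the session, and that contoso.example is a placeholder domain. The cmdlet parameters used (-DomainName, -SkipUserConversion, -PasswordFile) are the cmdlet's own; the restricted output directory is this example's choice, added because the cmdlet writes temporary passwords in cleartext:

```powershell
# Added example (not from the original page): demote a federated domain to
# standard authentication and contain the temporary-password file the cmdlet
# writes. Assumes MSOnline, Connect-MsolService and Set-MsolADFSContext already
# done; contoso.example is a placeholder domain.
Import-Module MSOnline

$domain = 'contoso.example'

# Write the password file into a directory whose ACL is locked to this admin
# and SYSTEM. A directory (rather than a pre-created file) is used so the ACL
# survives however the cmdlet creates or overwrites the file: new files
# inherit the directory's access rules.
$outDir = Join-Path $env:USERPROFILE "msol-conversion-$domain"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

$acl = Get-Acl -Path $outDir
$acl.SetAccessRuleProtection($true, $false)      # stop inheritance, drop inherited ACEs
foreach ($identity in @("$env:USERDOMAIN\$env:USERNAME", 'NT AUTHORITY\SYSTEM')) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $identity, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $outDir -AclObject $acl

$pwFile = Join-Path $outDir 'temporary-passwords.txt'

# -SkipUserConversion $false converts every user now and records
# "user name, temporary password" lines in $pwFile. With $true the domain is
# demoted but users are left unconverted and cannot sign in until they are.
Convert-MsolDomainToStandard -DomainName $domain -SkipUserConversion $false -PasswordFile $pwFile

# Confirm the tenant now treats the domain as managed (standard authentication).
$auth = (Get-MsolDomain -DomainName $domain).Authentication
if ($auth -ne 'Managed') {
    Write-Warning "$domain still reports Authentication=$auth; check the session log file."
}

# Hand the passwords out through a channel other than this file, then remove it.
Write-Host "Temporary passwords recorded in $pwFile. Distribute out of band, then delete:"
Write-Host "  Remove-Item -Path '$outDir' -Recurse -Force"
```

The ACL step matters more than it looks: by default the file would inherit the permissions of wherever it was written, and a temporary-password list left readable by other local users or a backup agent is a ready-made credential dump for the whole domain.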

Convert-MsolDomainToFederated

The Convert-MsolDomainToFederated cmdlet converts the specified domain from standard authentication to single sign-on (also known as identity federation), including configuring the relying party trust settings between the Active Directory Federation Services 2.0 server and Azure AD. As part of converting a domain from standard authentication to single sign-on, each user must also be converted. This conversion happens automatically the next time a user signs in; no action is required by the administrator.
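The federate-a-domain procedure from the New-MsolFederatedDomain and Convert-MsolDomainToFederated entries above, as one added example that is not part of the original page and not Microsoft's own code. It assumes the MSOnline module is installed, that the script runs on the primary AD FS server (or can reach it by remoting), and that contoso.example and adfs01.corp.contoso.example are placeholder names. The branch taken depends on whether the domain is absent, registered but unverified, or already verified and managed:

```powershell
# Added example (not from the original page): federate a domain, choosing the
# right cmdlet for the domain's current state. Assumes MSOnline is installed
# and this runs against the primary AD FS server. Hostnames are placeholders.
Import-Module MSOnline

$domain   = 'contoso.example'                 # placeholder domain
$adfsHost = 'adfs01.corp.contoso.example'     # placeholder primary AD FS server
$logFile  = Join-Path $env:TEMP ("msol-federation-{0:yyyyMMdd-HHmmss}.log" -f (Get-Date))

# 1. Authenticate to Azure AD, then set the AD FS context that every federation
#    cmdlet in this session reuses. All of them append to the same log file.
Connect-MsolService
Set-MsolADFSContext -Computer $adfsHost -LogFile $logFile

$existing = Get-MsolDomain -DomainName $domain -ErrorAction SilentlyContinue

if ($null -eq $existing) {
    # 2a. Domain is not in the tenant yet. The first run registers it; Azure AD
    #     will not trust it until the ownership record is published in DNS.
    New-MsolFederatedDomain -DomainName $domain
    Write-Host "Publish this TXT record for $domain, wait for propagation, then re-run this script:"
    Get-MsolDomainVerificationDns -DomainName $domain -Mode DnsTxtRecord | Format-List Label, Text, Ttl
    return
}
elseif ($existing.Status -ne 'Verified') {
    # 2b. Registered on an earlier run, record now in DNS: the second run
    #     completes verification and writes the relying party trust on AD FS.
    New-MsolFederatedDomain -DomainName $domain
}
elseif ($existing.Authentication -eq 'Managed') {
    # 2c. Verified, standard-authentication domain: convert it in place. Users
    #     are converted automatically at their next sign-in.
    Convert-MsolDomainToFederated -DomainName $domain
}
else {
    Write-Host "$domain is already federated; nothing to do."
}

# 3. Check both sides before directing users at it. Two rows come back, one per
#    Source (AD FS server and Azure AD); identifiers and URLs should agree.
Get-MsolFederationProperty -DomainName $domain |
    Format-Table Source, FederationServiceIdentifier, PassiveClientSignInUrl -AutoSize
```

Property names read from the output objects (Status, Authentication, Label, Text, Ttl, Source, FederationServiceIdentifier, PassiveClientSignInUrl) are those the cmdlets emit; if your MSOnline build names them differently, pipe the result to Format-List first and adjust.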

Get-MsolFederationProperty

The Get-MsolFederationProperty cmdlet gets key settings from both the Active Directory Federation Services 2.0 server and Azure AD. You can use this information to troubleshoot authentication problems caused by mismatched settings between the Active Directory Federation Services 2.0 server and Azure AD.

Get-MsolDomainFederationSettings

The Get-MsolDomainFederationSettings cmdlet gets key settings from Azure AD only: the issuer URI, the active and passive sign-in URLs, the sign-out URL, the metadata exchange URL, and the current and next token-signing certificates. Use the Get-MsolFederationProperty cmdlet to get settings for both Azure AD and the Active Directory Federation Services server.

Remove-MsolFederatedDomain

The Remove-MsolFederatedDomain cmdlet removes the specified single sign-on domain from Azure AD and the associated relying party trust settings in Active Directory Federation Services 2.0. Note: If the domain specified has objects associated with it, you will not be able to remove the domain; list the blocking users first with Get-MsolUser -DomainName and move or delete them before retrying.

Set-MsolDomainFederationSettings

The Set-MsolDomainFederationSettings cmdlet updates the settings of a single sign-on domain directly in Azure AD: the signing and next signing certificates, the issuer URI, the active and passive sign-in URLs, the sign-out URL, the metadata exchange URL, and the federation brand name. Because these settings define which token issuer and which signing certificate Azure AD will accept for every user in the domain, treat changes to them as a privileged operation and keep the Azure AD audit records of who changed them and when.

Set-MsolADFSContext

The Set-MsolADFSContext cmdlet sets the credentials to connect to Azure AD and to the Active Directory Federation Services 2.0 (AD FS 2.0) server. This cmdlet must be run before making other single sign-on (also known as identity federation) cmdlet calls. If this cmdlet is called without parameters, the user will be prompted for credentials to connect to the different systems. When the AD FS 2.0 server is used remotely, the user must specify the computer name of the primary AD FS 2.0 server. Note that the specified logfile is shared by all single sign-on cmdlets for the session. A default logfile is created if one is not specified.

Update-MsolFederatedDomain

The Update-MsolFederatedDomain cmdlet changes settings in both the Active Directory Federation Services 2.0 server and Azure AD. Run it whenever the URLs or certificate information within Active Directory Federation Services 2.0 change, whether through configuration changes or through regular maintenance of the certificates, such as a token-signing certificate rollover; until it is run, Azure AD continues to trust only the certificate it already knows and rejects tokens signed with the new one, so federated sign-in fails. This cmdlet should also be run when changes occur in Azure AD. To confirm that the information in the two systems is correct, use the Get-MsolFederationProperty cmdlet to retrieve the settings from both.
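The mismatch check described under Get-MsolFederationProperty and Get-MsolDomainFederationSettings, combined with the Update-MsolFederatedDomain repair described here, as one added example that is not part of the original page and not Microsoft's own code. It assumes it runs on the primary AD FS server with the AD FS PowerShell snap-in or module available, that MSOnline is installed and Connect-MsolService and Set-MsolADFSContext have been run, and that contoso.example is a placeholder. Compare-FederationSigningCert is this example's own function, not an MSOnline cmdlet. It goes one step beyond the page's "mismatched settings" case: besides checking that Azure AD trusts the certificate AD FS signs with, it flags any certificate Azure AD trusts that AD FS does not hold, because such a certificate lets whoever holds its private key mint tokens for the domain's users:

```powershell
# Added example (not from the original page): compare the signing certificates
# and issuer that Azure AD trusts for a domain with what AD FS actually uses,
# then repair an expected mismatch (e.g. after certificate rollover) with
# Update-MsolFederatedDomain. Compare-FederationSigningCert is hypothetical
# helper code written for this example. contoso.example is a placeholder.
Import-Module MSOnline
if (-not (Get-Command Get-AdfsCertificate -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue   # AD FS 2.0
    Import-Module ADFS -ErrorAction SilentlyContinue                       # AD FS 2012 R2 and later
}

function Compare-FederationSigningCert {
    param([Parameter(Mandatory = $true)][string]$DomainName)

    # Azure AD side: SigningCertificate / NextSigningCertificate are base64 DER blobs.
    $cloud = Get-MsolDomainFederationSettings -DomainName $DomainName
    $cloudThumbs = @(foreach ($b64 in @($cloud.SigningCertificate, $cloud.NextSigningCertificate)) {
        if ($b64) {
            $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
                               -ArgumentList (,[Convert]::FromBase64String($b64))
            $cert.Thumbprint
        }
    })

    # AD FS side: the primary token-signing cert plus, mid-rollover, the secondary.
    $adfsCerts  = @(Get-AdfsCertificate -CertificateType Token-Signing)
    $adfsThumbs = @($adfsCerts | ForEach-Object { $_.Thumbprint })
    $primary    = ($adfsCerts | Where-Object { $_.IsPrimary } | Select-Object -First 1).Thumbprint

    # Note: with -SupportMultipleDomain the issuer URI is per domain and will
    # not equal the service identifier; adjust this comparison in that setup.
    [pscustomobject]@{
        Domain           = $DomainName
        IssuerUriMatches = ($cloud.IssuerUri -eq (Get-AdfsProperties).Identifier)
        CloudTrusts      = $cloudThumbs
        AdfsSigningCerts = $adfsThumbs
        # Azure AD must trust the certificate AD FS signs with today ...
        PrimaryTrusted   = ($cloudThumbs -contains $primary)
        # ... and must not trust one AD FS does not hold. An unexplained extra
        # certificate here means a third party can issue accepted tokens.
        UnknownInCloud   = @($cloudThumbs | Where-Object { $adfsThumbs -notcontains $_ })
    }
}

$domain = 'contoso.example'
$before = Compare-FederationSigningCert -DomainName $domain
$before | Format-List

if ($before.UnknownInCloud.Count -gt 0) {
    Write-Warning ("Azure AD trusts signing certificate(s) AD FS does not hold: {0}. " +
                   "Investigate before overwriting the settings.") -f ($before.UnknownInCloud -join ', ')
}
elseif (-not $before.PrimaryTrusted -or -not $before.IssuerUriMatches) {
    # Expected drift after a rollover or URL change: push AD FS's current
    # settings to Azure AD, then confirm both sides agree.
    Update-MsolFederatedDomain -DomainName $domain
    $after = Compare-FederationSigningCert -DomainName $domain
    if ($after.PrimaryTrusted -and $after.IssuerUriMatches -and $after.UnknownInCloud.Count -eq 0) {
        Write-Host "Federation settings for $domain are back in sync."
    }
    else {
        # Show both sides' view for troubleshooting, as the page suggests.
        Get-MsolFederationProperty -DomainName $domain |
            Format-List Source, FederationServiceIdentifier, TokenSigningCertificate
    }
}
else {
    Write-Host "Azure AD and AD FS agree on signing certificate and issuer for $domain."
}
```

The order of the branches is deliberate: an unknown trusted certificate is investigated rather than silently overwritten, because running Update-MsolFederatedDomain first would erase the evidence of how it got there.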

See Also

Concepts

Manage Azure AD using Windows PowerShell