Changing your federation and directory sync configuration if ADFS is offline


There are many scenarios where you may need to reconfigure your ADFS federation or directory sync configuration using Azure AD Connect. Assuming that you have ADFS enabled already, you may wish to change the configuration because ADFS is down for an extended period of time, or because you are moving from ADFS to another technology such as Server Essentials.

If you use ADFS to provide federated authentication to Office 365 and Azure services and applications, a failure of your ADFS infrastructure could render these applications crippled. Even if you have a resilient ADFS infrastructure, you can add further resilience to your Business Continuity plans by also configuring Password Hash Sync. This stores a hash of user passwords in the cloud. Whilst the plain text password is never synced to Azure, and the hash cannot be used to authenticate directly to your on-premises AD, you should check with your security department whether there are any issues enabling this feature.

Preparation

Firstly, check that you do indeed have federation enabled. Hopefully, you have cloud managed (onmicrosoft.com) admin accounts so that you can still log on to your tenant.

Check your AD federation status

Connect to Office 365 using PowerShell and then run:

Get-MsolDomain

You can see that your domain is configured for federation:

PS C:\> Get-MsolDomain

Name                         Status   Authentication
----                         ------   --------------
cloudrun.uk                  Verified Federated

Check your Azure AD Connect (Directory Sync) status

This will confirm whether you have Azure AD Connect configured:

(Get-MSOLCompanyInformation).DirectorySynchronizationEnabled

This will tell you whether you also have Password Sync enabled.

(get-msolcompanyinformation).PasswordSynchronizationEnabled
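
The checks above can be gathered into one pre-flight report before anything is changed. This is an added example, not part of the original post; it assumes the MSOnline module is installed and Connect-MsolService has already been run, and the function name Get-FederationReadiness and the domain example.com are hypothetical.

```powershell
# Added example: pre-flight report before changing federation settings.
# Assumes the MSOnline module and an existing Connect-MsolService session.
# Get-FederationReadiness is a hypothetical name, not an MSOnline cmdlet.
function Get-FederationReadiness {
    param([Parameter(Mandatory)][string]$DomainName)

    $domain  = Get-MsolDomain -DomainName $DomainName
    $company = Get-MsolCompanyInformation

    # Global admins that do not depend on ADFS: cloud-only users whose UPN
    # is in a managed domain such as the tenant's onmicrosoft.com domain.
    $managed = (Get-MsolDomain | Where-Object Authentication -eq 'Managed').Name
    $role    = Get-MsolRole -RoleName 'Company Administrator'
    $cloudAdmins = @(
        Get-MsolRoleMember -RoleObjectId $role.ObjectId |
            Where-Object { $_.RoleMemberType -eq 'User' } |
            ForEach-Object { Get-MsolUser -ObjectId $_.ObjectId } |
            Where-Object {
                -not $_.LastDirSyncTime -and
                ($_.UserPrincipalName -split '@')[-1] -in $managed
            }
    )

    [pscustomobject]@{
        Domain                 = $domain.Name
        Authentication         = $domain.Authentication
        DirSyncEnabled         = $company.DirectorySynchronizationEnabled
        LastDirSyncTime        = $company.LastDirSyncTime
        PasswordSyncEnabled    = $company.PasswordSynchronizationEnabled
        LastPasswordSyncTime   = $company.LastPasswordSyncTime
        CloudOnlyAdmins        = @($cloudAdmins | ForEach-Object { $_.UserPrincipalName })
        # Without synced hashes, users need a password reset after a switch
        # from Federated to Managed.
        UsersNeedPasswordReset = -not $company.PasswordSynchronizationEnabled
    }
}

Get-FederationReadiness -DomainName 'example.com'   # placeholder domain
```

An empty CloudOnlyAdmins list means every global admin signs in through ADFS, so create a cloud-managed admin account before relying on this procedure.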

Configure Azure AD Connect to sync passwords

Hopefully, you are preparing for an ADFS outage, in which case if you do not have Password Sync enabled, you should enable it. To do this, run the Azure AD Connect wizard and enable Password Hash Synchronization on the Optional Features page:

From <https://docs.microsoft.com/en-gb/azure/active-directory/hybrid/how-to-connect-install-custom>

However, if you have come here because everything is offline, and want users to be able to get back into their accounts, we can fix that as well.

Temporarily disabling federation (ADFS offline)

If the ADFS server is not available because of a failure, you can convert the domain to Standard, which will enable users to log on to Office 365 / Azure AD again. Note that this only updates the settings in Azure AD and does not clean up ADFS, so you should only use this if ADFS is completely offline. You can either leave it offline, or later reconnect it.

Change the domain authentication type

Set-MsolDomainAuthentication -DomainName <domain> -Authentication Managed

Now run Get-MsolDomain and you will see that the status has changed:

Get-MsolDomain

Name                         Status   Authentication
----                         ------   --------------
cloudrun.uk                  Verified Managed

Now, if you never had password sync configured, you will have a problem, because users won’t know what their passwords are.

You can go into Azure AD and reset users' passwords individually, then communicate the temporary password to each user, at which point they can sign in and create a new password. They will also have to configure MFA if they have not already done so and it is a requirement.

Alternatively you could reset them all using a script and CSV file, for example:

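# Each CSV row needs UserPrincipalName and Password columns
Import-Csv 'C:\usernames.csv' | ForEach-Object {
    $upn = $_.UserPrincipalName
    $password = $_.Password
    # Set the temporary password and force a change at next sign-in
    Set-MsolUserPassword -UserPrincipalName $upn -NewPassword $password -ForceChangePassword $true
}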

Note that you could specify -ForceChangePassword $False if you don't want users to have to reset their passwords when they first log on.

You could also do get-msoluser and pipe to set-msoluserpassword, but be careful as you will reset the password on your admin accounts as well.
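
One way to do the piped reset without touching admin accounts, shown as an added example that is not part of the original post. It assumes the MSOnline module and an existing Connect-MsolService session; the domain example.com and the output path are placeholders.

```powershell
# Added example: reset synced users in one domain, skipping every account
# that holds a directory role. Assumes MSOnline and Connect-MsolService.
$domainName = 'example.com'               # placeholder domain
$outFile    = 'C:\temp-passwords.csv'     # hypothetical path; restrict access

# ObjectIds of all user members of any directory role (admins to skip).
$adminIds = Get-MsolRole |
    ForEach-Object { Get-MsolRoleMember -RoleObjectId $_.ObjectId -All } |
    Where-Object { $_.RoleMemberType -eq 'User' } |
    Select-Object -ExpandProperty ObjectId -Unique

$targets = Get-MsolUser -DomainName $domainName -All |
    Where-Object {
        $_.LastDirSyncTime -and           # was synced from on-premises AD
        -not $_.BlockCredential -and      # leave blocked accounts alone
        $_.ObjectId -notin $adminIds
    }

# Review the list before resetting anything.
$targets | Select-Object UserPrincipalName, DisplayName | Format-Table

$targets | ForEach-Object {
    # Without -NewPassword the service generates a random password and the
    # cmdlet returns it, so no password list has to be prepared in advance.
    $temp = Set-MsolUserPassword -UserPrincipalName $_.UserPrincipalName `
                                 -ForceChangePassword $true
    [pscustomobject]@{
        UserPrincipalName = $_.UserPrincipalName
        TemporaryPassword = $temp
    }
} | Export-Csv -Path $outFile -NoTypeInformation
```

The exported file holds working credentials until each user signs in and changes the password, so store it where only the people distributing the passwords can read it and delete it afterwards.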

Disabling Dirsync

If you do not want to recover ADFS or dirsync, you can move the whole tenant to a cloud only configuration. You have already disabled federation, so all you now need to do is disable dirsync, and you will be able to fully manage your accounts in the cloud.

So to completely stop directory synchronisation, in case you are removing Azure AD Connect (e.g. going from Azure AD Connect dirsync to Server Essentials role), use this command. In order to reverse this, you can run AADC setup again, or just run this again with $true in case AADC was just down.

Set-MsolDirSyncEnabled -EnableDirSync $false

Note that the last passwords which synced prior to the removal of AADC will remain in place. If you ever wanted to put directory sync back, you could reinstall Azure AD Connect and it should match up all the user accounts and take over the synchronisation, i.e. they go from being cloud accounts back to on-premises managed.

Again check the status by running (Get-MSOLCompanyInformation).DirectorySynchronizationEnabled

Disabling federation (ADFS online)

If ADFS is online and you want to remove federation, the proper way to do it is to use Convert-MsolDomainToStandard, since this cleans up ADFS and removes the relying party trust settings from your ADFS config. This requires a connection to both the ADFS server and Azure AD to complete successfully.

See https://msdn.microsoft.com/en-us/library/dn194122.aspx?f=255&MSPPError=-2147217396 for more info on the Convert-MsolDomainToStandard cmdlet.

Note that if you were using password hash sync, these passwords will be retained. The associated user accounts cannot be used until they are converted using the Convert-MsolFederatedUser cmdlet.

Convert-MsolDomainToStandard -DomainName [federated domain name] -SkipUserConversion $true -PasswordFile c:\userpasswords.txt

Note that according to the latest Microsoft documentation, converting users is now deprecated, so -SkipUserConversion $true should always be used.

Each user account is then converted to use standard authentication, although this is normally not required.

Convert-MsolFederatedUser -UserPrincipalName [user principal name]

This last command also appears to create a temporary password and so needs testing to see what happens if the user had a password set using Azure AD sync.

You can then reinstate ADFS again using Convert-MsolDomainToFederated or running the Azure AD Connect setup again.

Reinstating ADFS and Dirsync

Once your infrastructure is online, convert the domain back to use federated authentication by using the Convert-MsolDomainToFederated cmdlet. This has to be done on your ADFS server, on a server with the Microsoft Online Services Sign-In Assistant PowerShell module installed (see https://www.microsoft.com/en-us/Download/details.aspx?id=28177 and run Install-Module MSOnline once installed).

Run the following command on your ADFS server:

Convert-MsolDomainToFederated -DomainName [federated domain name]

Now check again and you should see your domain is federated.

If you disabled directory sync, run this command:

Set-MsolDirSyncEnabled -EnableDirSync $true

Now check in Azure AD > Azure AD Connect; you should see that sync is enabled and federation is enabled again.

Changing the ADFS Server URL

Note that if you are replacing your ADFS infrastructure or changing the ADFS URL for any other reason, you can easily update the ADFS URL in Azure AD as follows:

Set-MsolADFSContext -Computer sts.domain.com

References:

Microsoft have created a new set of guides here:

https://github.com/Identity-Deployment-Guides/Identity-Deployment-Guides/tree/master/Authentication

DirSync: How To Switch From Single Sign-On To Password Sync

https://social.technet.microsoft.com/wiki/contents/articles/17857.dirsync-how-to-switch-from-single-sign-on-to-password-sync.aspx

The older documentation is here, but this is now out of date information:

https://social.technet.microsoft.com/wiki/contents/articles/17857.dirsync-how-to-switch-from-single-sign-on-to-password-sync.aspx

Posted in ADFS, Office 365
