Convert a Managed Domain in Azure AD to a Federated Domain using ADFS for On-Premises Authentication – Step by Step



AskPFEPlat is in the process of a transformation to the new Core Infrastructure and Security TechCommunity, and will be moving by the end of March 2019 to our new home at (hosted at Please bear with us while we are still under construction!

We will continue bringing you the same great content, from the same great contributors, on our new platform. Until then, you can access our new content on either as you do today, or at our new site Please feel free to update your bookmarks accordingly!

Why are we doing this? Simple really; we are looking to expand our team internally in order to provide you even more great content, as well as take on a more proactive role in the future with our readers (more to come on that later)! Since our team encompasses many more roles than Premier Field Engineers these days, we felt it was also time we reflected that initial expansion.

If you have never visited the TechCommunity site, it can be found at On the TechCommunity site, you will find numerous technical communities across many topics, which include discussion areas, along with blog content.

NOTE: In addition to the AskPFEPlat-to-Core Infrastructure and Security transformation, Premier Field Engineers from all technology areas will be working together to expand the TechCommunity site even further, joining together in the technology agnostic Premier Field Engineering TechCommunity (along with Core Infrastructure and Security), which can be found at!

As always, thank you for continuing to read the Core Infrastructure and Security (AskPFEPlat) blog, and we look forward to providing you more great content well into the future!


Hi all! I am Bill Kral, a Microsoft Premier Field Engineer, here again to give you the steps to convert your on-premises Managed domain to a Federated domain in your Azure AD tenant this time.

Here is the link to my previous blog on how to convert from a Federated to Managed domain:

Convert a Federated Domain in Azure AD to Managed and Use Password Sync – Step by Step

There are many ways to allow you to logon to your Azure AD account using your on-premises passwords. You can use ADFS, Azure AD Connect Password Sync from your on-premises accounts or just assign passwords to your Azure account. In addition, Azure AD Connect Pass-Through Authentication is currently in preview, for yet another option for logging on and authenticating.

So, why would you convert your domain from Managed to Federated? Well, maybe you finally decided to invest in an ADFS environment. Maybe your company mandated that the storage of passwords in the cloud go against company policy, even though the hash of the hash of the password is what is really stored in Azure AD… and you may have your reasons for doing so. Either way, we’ll discuss how to get from a Managed domain to Federated domain in your Azure AD environment.

Let’s set the stage so you can follow along:

The on-premises Active Directory Domain in this case is US.BKRALJR.INFO

The AzureAD tenant is

We are using Azure AD Connect for directory synchronization (Password Sync currently is enabled)

We have setup an ADFS environment to federate the domain with the Azure AD Tenant

Before we start, you will need the following things installed on your ADFS Server to connect to your Azure AD tenant:

Microsoft Online Services Sign-In Assistant for IT Professionals RTW

Windows Azure Active Directory Module for Windows PowerShell .msi

  1. First, log on to your Azure Portal and see that the “Status” of your domain is Verified and the “Single Sign-On” for your custom domain show as Not Planned or Not Configured.

  2. Now, go to your Primary ADFS Server and lets connect to your Azure AD Tenant.
    1. On the Primary ADFS server, open an Administartor powershell window and import the MSOnline module

      Import-Module MSOnline

    2. Connect to your Azure AD Tenant

      Connect-MSOLService -> Enter your Azure AD credentials on the pop-up

  3. Once you are connected to your Azure AD Tenant, let’s make sure your domain is currently recognized as a “Managed” domain.

    Get-MsolDomain -Domainname
    -> Should show your domain as “Managed”

  4. Now we can make sure that the domain you are converting is currently NOT in the ADFS configuration.

    Get-MsolFederationProperty -Domainname -> Should show that domain does not exist in configuration

  5. So, now that we have connected to the Azure AD Tenant and confirmed that are domain configured as Managed, we can get to converting it to a “Federated” domain. When done, all of your Azure AD sync’d user accounts will authenticate to your on-premises Active Directory via ADFS.
    1. While still on your ADFS server, import the ADFS module

      Import-Module ADFS

    2. Run the command to convert your domain. Now, if you have a single top-level domain, you do not need to include the -SupportMultipleDomain switch. If you currently have or are planning to add additional domains to your ADFS / Azure AD federation, you will want to use it as I have.

      Convert-MsolDomainToFederated -DomainName -SupportMultipleDomain -> (A successful updated message should be your result)

    3. Once this has completed, we can see the properties for the converted federation.

      Get-MsolFederationProperty -Domainname -> Should now not show the domain error we saw in step 4 and contain information for your domain under Microsoft Office 365 “Source” entry.

  6. Now, lets go back to your Azure Portal and see take a look at what the “Single Sign-On” status is for your custom domain now that you have converted it.

    As you can see, after a refresh and a little time for your commands to work their magic, my domain now shows the “Single Sign-On” as “Configured”

  7. You can now test logging on to with a sync’d account in your Azure AD Tenant. You should now see a re-direction to your ADFS environment while you are being authenticated.

That is pretty much it!!! Now, at this time, if you were replicating your passwords to Azure AD (or as most Microsoft folks like to say, the hash of the hash of the password), you may keep doing so to use as an authentication “backup” should your ADFS environment fail. This usage as a backup authentication does not happen automatically, but a powershell command will do the job when it is needed!!!

If you intend to disable replication of you on-premises passwords to you Azure AD Tenant, that can be accomplished through your Azure AD Connect configuration setup!!!

Once again, thanks for reading!!!