Convert a Managed Domain in Azure AD to a Federated Domain using ADFS for On-Premises Authentication – Step by Step

Hi all! I am Bill Kral, a Microsoft Premier Field Engineer, here again to give you the steps to convert your on-premises Managed domain to a Federated domain in your Azure AD tenant this time.

Here is the link to my previous blog on how to convert from a Federated to Managed domain:

Convert a Federated Domain in Azure AD to Managed and Use Password Sync – Step by Step

https://blogs.technet.microsoft.com/askpfeplat/2016/12/19/convert-a-federated-domain-in-azure-ad-to-managed-and-use-password-sync-step-by-step/

There are many ways to allow you to logon to your Azure AD account using your on-premises passwords. You can use ADFS, Azure AD Connect Password Sync from your on-premises accounts or just assign passwords to your Azure account. In addition, Azure AD Connect Pass-Through Authentication is currently in preview, for yet another option for logging on and authenticating.

So, why would you convert your domain from Managed to Federated? Well, maybe you finally decided to invest in an ADFS environment. Maybe your company decided that storing passwords in the cloud goes against company policy, even though what is really stored in Azure AD is the hash of the hash of the password… and you may have your own reasons for doing so. Either way, we’ll discuss how to get from a Managed domain to a Federated domain in your Azure AD environment.

Let’s set the stage so you can follow along:

The on-premises Active Directory Domain in this case is US.BKRALJR.INFO

The AzureAD tenant is BKRALJRUTC.onmicrosoft.com

We are using Azure AD Connect for directory synchronization (Password Sync currently is enabled)

We have setup an ADFS environment to federate the domain with the Azure AD Tenant

Before we start, you will need the following things installed on your ADFS Server to connect to your Azure AD tenant:

Microsoft Online Services Sign-In Assistant for IT Professionals RTW

https://www.microsoft.com/en-us/download/details.aspx?id=41950

Windows Azure Active Directory Module for Windows PowerShell .msi

http://connect.microsoft.com/site1164/Downloads/DownloadDetails.aspx?DownloadID=59185

  1. First, log on to your Azure Portal and check that the “Status” of your domain is Verified and that the “Single Sign-On” for your custom domain shows as Not Planned or Not Configured.


  2. Now, go to your Primary ADFS Server and let’s connect to your Azure AD Tenant.
    1. On the Primary ADFS server, open an Administrator PowerShell window and import the MSOnline module

      Import-Module MSOnline

    2. Connect to your Azure AD Tenant

      Connect-MSOLService -> Enter your Azure AD credentials on the pop-up


  3. Once you are connected to your Azure AD Tenant, let’s make sure your domain is currently recognized as a “Managed” domain.

    Get-MsolDomain -Domainname domain.com
    -> Should show your domain as “Managed”


  4. Now we can make sure that the domain you are converting is currently NOT in the ADFS configuration.

    Get-MsolFederationProperty -Domainname domain.com -> Should show that domain does not exist in configuration


  5. So, now that we have connected to the Azure AD Tenant and confirmed that our domain is configured as Managed, we can get to converting it to a “Federated” domain. When done, all of your Azure AD sync’d user accounts will authenticate to your on-premises Active Directory via ADFS.
    1. While still on your ADFS server, import the ADFS module

      Import-Module ADFS

    2. Run the command to convert your domain. Now, if you have a single top-level domain, you do not need to include the -SupportMultipleDomain switch. If you currently have or are planning to add additional domains to your ADFS / Azure AD federation, you will want to use it as I have.

      Convert-MsolDomainToFederated -DomainName domain.com -SupportMultipleDomain -> (A successful updated message should be your result)


    3. Once this has completed, we can see the properties for the converted federation.

      Get-MsolFederationProperty -Domainname domain.com -> Should now not show the domain error we saw in step 4 and contain information for your domain under Microsoft Office 365 “Source” entry.


  6. Now, let’s go back to your Azure Portal and take a look at what the “Single Sign-On” status is for your custom domain now that you have converted it.


    As you can see, after a refresh and a little time for your commands to work their magic, my domain now shows the “Single Sign-On” as “Configured”.

  7. You can now test logging on to myapps.microsoft.com with a sync’d account in your Azure AD Tenant. You should now see a re-direction to your ADFS environment while you are being authenticated.
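The commands in steps 2 through 5 above, gathered into one script with the pre-checks and post-checks a practitioner would want around a change that hands all tenant authentication to the ADFS farm. This is an added example and is not the post’s own code; it assumes it is run in an elevated PowerShell session on the primary ADFS server with the MSOnline module installed, that $DomainName is your verified custom domain (the post’s US.BKRALJR.INFO is the placeholder), and that Get-AdfsSyncProperties reports the node role as “PrimaryComputer” on the primary server, which is how the ADFS module exposes it.

```powershell
# Added example (not from the original post): convert a Managed domain to Federated with guards.
# Assumptions: elevated PowerShell on the PRIMARY ADFS server, MSOnline + ADFS modules present,
# and Global Administrator credentials supplied at the Connect-MsolService prompt.
param(
    [Parameter(Mandatory)] [string] $DomainName,      # placeholder, e.g. US.BKRALJR.INFO
    [switch] $SupportMultipleDomain                   # use when more than one domain will be federated
)

Import-Module MSOnline -ErrorAction Stop
Import-Module ADFS     -ErrorAction Stop

# Guard 1: the relying party trust is written by the primary node only (assumed role name).
$role = (Get-AdfsSyncProperties).Role
if ($role -ne 'PrimaryComputer') {
    throw "This node's ADFS role is '$role'; run the conversion on the primary ADFS server."
}

Connect-MsolService   # prompts for Azure AD credentials (step 2.2 of the post)

# Guard 2: the domain must be Verified and currently Managed (steps 1 and 3).
$domain = Get-MsolDomain -DomainName $DomainName -ErrorAction Stop
if ($domain.Status -ne 'Verified') {
    throw "Domain $DomainName has status '$($domain.Status)'; verify it in the portal first."
}
if ($domain.Authentication -ne 'Managed') {
    throw "Domain $DomainName is already '$($domain.Authentication)'; nothing to convert."
}

# Guard 3: the domain must not already be in the ADFS configuration (step 4).
# Get-MsolFederationProperty errors for a non-federated domain, which is the state we expect here.
$alreadyFederated = $true
try   { Get-MsolFederationProperty -DomainName $DomainName -ErrorAction Stop | Out-Null }
catch { $alreadyFederated = $false }
if ($alreadyFederated) {
    throw "Domain $DomainName already exists in the ADFS federation configuration."
}

# Conversion (step 5.2). Splatting adds -SupportMultipleDomain only when requested.
$convertParams = @{ DomainName = $DomainName }
if ($SupportMultipleDomain) { $convertParams.SupportMultipleDomain = $true }
Convert-MsolDomainToFederated @convertParams

# Post-checks (step 5.3): the tenant must now report Federated, and the trust must be readable
# from both sides. Record the IssuerUri and signing certificate: they are the values the
# tenant will trust from now on, so any later change to them should be a known, planned event.
$after = Get-MsolDomain -DomainName $DomainName -ErrorAction Stop
if ($after.Authentication -ne 'Federated') {
    throw "Conversion did not take effect; domain still reports '$($after.Authentication)'."
}
Get-MsolFederationProperty -DomainName $DomainName |
    Format-List Source, FederationServiceDisplayName, FederationServiceIdentifier
Get-MsolDomainFederationSettings -DomainName $DomainName |
    Format-List IssuerUri, PassiveLogOnUri, ActiveLogOnUri, MetadataExchangeUri, SigningCertificate
```

Save it as a .ps1 and run it as `.\Convert-Domain.ps1 -DomainName US.BKRALJR.INFO -SupportMultipleDomain` (names are placeholders). The three guards simply automate the checks the post walks through in steps 1, 3 and 4, so the conversion cannot run on a secondary node, against an unverified domain, or twice; the final Format-List output is worth keeping with your change record, since the signing certificate and issuer it shows are what the tenant now trusts for every sign-in.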


That is pretty much it!!! Now, at this time, if you were replicating your passwords to Azure AD (or as most Microsoft folks like to say, the hash of the hash of the password), you may keep doing so to use as an authentication “backup” should your ADFS environment fail. This usage as a backup authentication does not happen automatically, but a PowerShell command will do the job when it is needed!!!
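The “backup” switch described above, as an added example that is not part of the original post. It assumes the MSOnline module and Global Administrator credentials, that Password Sync was left enabled in Azure AD Connect so the tenant still holds current password hashes, and that the ADFS farm is unreachable, which is why it uses Set-MsolDomainAuthentication (which changes only the Azure AD side of the trust and does not need to contact ADFS) rather than Convert-MsolDomainToStandard, the cmdlet the earlier blog linked at the top uses for a planned, clean conversion that also removes the relying party trust from ADFS.

```powershell
# Added example (not from the original post): emergency fallback from Federated to Managed
# authentication when the ADFS farm is down, relying on Password Sync still being enabled.
# Assumption: $DomainName is a placeholder for your federated custom domain.
param(
    [Parameter(Mandatory)] [string] $DomainName
)

Import-Module MSOnline -ErrorAction Stop
Connect-MsolService   # prompts for Azure AD credentials

$domain = Get-MsolDomain -DomainName $DomainName -ErrorAction Stop
if ($domain.Authentication -ne 'Federated') {
    Write-Host "Domain $DomainName is already '$($domain.Authentication)'; nothing to do."
    return
}

# Flip the tenant to Managed. Only Azure AD is changed; the ADFS relying party trust is left
# in place, so the farm can be re-federated later with Convert-MsolDomainToFederated once it
# is healthy. Users sign in with the synced hash of their on-premises password from here on;
# if Password Sync had been disabled, they would have no usable cloud password at this point.
Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Managed

$after = Get-MsolDomain -DomainName $DomainName -ErrorAction Stop
if ($after.Authentication -ne 'Managed') {
    throw "Fallback failed; domain still reports '$($after.Authentication)'."
}
Write-Host "Domain $DomainName now authenticates as Managed; record the time and reason for the change."
```

Run it once from any machine with the MSOnline module, then confirm a sync’d user can sign in at myapps.microsoft.com without being redirected to ADFS. Because this path never talks to the ADFS farm, it is the one to rehearse before you need it; the pre-check at the top also makes it safe to run by mistake, since it exits without changing anything if the domain is already Managed.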

If you intend to disable replication of your on-premises passwords to your Azure AD Tenant, that can be accomplished through your Azure AD Connect configuration setup!!!

Once again, thanks for reading!!!