Panic on board: ADFS is down! Power outage in the datacenter on a public holiday and no one can connect to cloud services, OMG!
How to remove federation when ADFS is down?
This will be a rather slow process, but it's possible. The only prerequisite is to have Password Hash Sync enabled on AADConnect (without synced password hashes, cloud sign-in has nothing to verify once federation is removed).
First open the Azure PowerShell prompt and connect with a cloud-only account (or an account that is not federated) that has global admin privileges.
Use “Connect-MsolService” to sign in.
Next, check the existing domains with “Get-MsolDomain”; your domain should be marked as “Federated”.
Then you need two things: set the domain authentication to Managed, and convert the existing accounts to Managed.
To set authentication use “Set-MsolDomainAuthentication -DomainName "mydomain.com" -Authentication Managed”; you can then check that the value has changed with “Get-MsolDomain”.
Ok, so to force conversion of existing accounts you get to use “Convert-MsolDomainToStandard”, but unfortunately it won't work because ADFS is down and this command needs it… (grrrrrr).
At this stage, if you try to connect with a domain account you still get redirected to the ADFS server that is down, because the user account is not converted yet.
What I found out is that if you leave it as is, accounts will get converted automatically by a background job, but it can take several hours; it's slow, but in the end users get converted without the need of having ADFS running.
If you're in deep sh*t and really need to switch to Managed, this is the way to go; at least it worked for me.
If you have another solution, please comment.
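The sequence above as a PowerShell function, added here as an example and not taken from the original post. It assumes the MSOnline module and an existing Connect-MsolService session with a cloud-only global admin; the function name and the Password Hash Sync check via Get-MsolCompanyInformation are my additions.

```powershell
# Added example (not the original post's code): switch a federated domain to
# Managed while ADFS is unreachable, with the pre-checks a defender wants.
# Assumes: MSOnline module loaded, Connect-MsolService already run.
function Switch-MsolDomainToManaged {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        [int]$PollSeconds = 10,
        [int]$MaxPolls    = 30
    )

    # Prerequisite from the post: Password Hash Sync must be on, otherwise
    # nobody can sign in once the ADFS redirect is removed.
    $company = Get-MsolCompanyInformation
    if (-not $company.PasswordSynchronizationEnabled) {
        throw "Password Hash Sync is not enabled on AADConnect; refusing to remove federation."
    }

    $domain = Get-MsolDomain -DomainName $DomainName
    if (-not $domain) { throw "Domain '$DomainName' not found in the tenant." }
    if ("$($domain.Authentication)" -ne 'Federated') {
        Write-Warning "Domain '$DomainName' is already '$($domain.Authentication)'; nothing to do."
        return $domain
    }

    # Step 1 from the post: flip the domain itself to Managed.
    Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Managed

    # Re-read until the tenant reports the new value (Get-MsolDomain check).
    for ($i = 0; $i -lt $MaxPolls; $i++) {
        $domain = Get-MsolDomain -DomainName $DomainName
        if ("$($domain.Authentication)" -eq 'Managed') { break }
        Start-Sleep -Seconds $PollSeconds
    }
    if ("$($domain.Authentication)" -ne 'Managed') {
        throw "Domain still reports '$($domain.Authentication)' after $($MaxPolls * $PollSeconds)s."
    }

    # Step 2 from the post cannot be forced: Convert-MsolDomainToStandard needs
    # the ADFS farm to answer, so user conversion is left to the background job
    # (several hours). Tell the operator what to expect instead of pretending.
    Write-Warning "Domain is Managed. Users are still converted by the background job; expect several hours before sign-ins stop redirecting to ADFS."
    return $domain
}

# Usage:
# Connect-MsolService
# Switch-MsolDomainToManaged -DomainName "mydomain.com"
```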