Users can no longer access Office 365 after you run the convert-MSOLDomaintoFederated cmdlet to convert an existing domain

Article ID: 2662960

PROBLEM

During setup of single sign-on (SSO) in Microsoft Office 365, you run the convert-MSOLDomaintoFederated cmdlet to convert an existing domain from standard authentication to federated authentication. However, after you do this, users who are associated with that domain can no longer access Office 365.

CAUSE

This issue occurs if Office 365 SSO isn't set up correctly or if the setup isn't completed.

Note SSO isn't supported for Office 365 Small Business and Office 365 for small businesses (pre-upgrade).

Warning It's a Microsoft best practice in Office 365 to always have at least one administrator user ID that is associated with the default domain so that administrative access to the organization isn't lost if SSO is compromised.

SOLUTION

To resolve this issue, use one of the following methods, as appropriate for your situation.

Method 1: Troubleshoot SSO setup

Use this method only if all the following conditions are true:
  • The problem isn't caused by a service outage.
  • Immediately restoring user access isn't required.
  • The account is an Office 365 for enterprises account.
To diagnose and troubleshoot SSO setup, click the following article number to view the article in the Microsoft Knowledge Base:
2530569 Troubleshoot single sign-on setup issues in Office 365, Windows Intune, or Windows Azure

Method 2: Reverse the domain federated authentication settings for the Office 365 account domain if the AD FS server is available

Use this method only if all the following conditions are true:
  • The problem is caused by a service outage that requires immediately restoring user access, or the account is an Office 365 for small businesses (pre-upgrade) account.
  • The Active Directory Federation Services (AD FS) server is available.
If these conditions are true, reset the authentication setting for the domain to standard authentication. To do this, follow these steps:
  1. Start the Windows Azure Active Directory Module for Windows PowerShell. To do this, click Start, point to All Programs, click Windows Azure Active Directory, right-click Windows Azure Active Directory Module for Windows PowerShell, and then click Run as administrator.
  2. Run the following commands in the order in which they are presented. Press Enter after you type each command.
    1. $cred = Get-Credential
      When you're prompted, enter Office 365 administrator credentials that are not SSO-enabled.
    2. Connect-MsolService -Credential $cred
    3. Set-MsolADFSContext -Computer <AD FS 2.0 server name>
      Note In this command, the placeholder <AD FS 2.0 server name> represents the name of the primary AD FS server.
    4. Convert-MSOLDomainToStandard -DomainName <federated domain name> -SkipUserConversion [$true|$false] -PasswordFile c:\userpasswords.txt
      Note In this command, the placeholder <federated domain name> represents the name of the domain for which SSO isn't working.

      This command removes the Relying Party Trust information from the Office 365 authentication system federation service and the on-premises AD FS federation service. The -PasswordFile parameter indicates the path of the text file that contains the newly created temporary password of each formerly federated user's account. Because that file holds the temporary passwords in plain text, protect it and delete it as soon as the passwords have been distributed.

      If the -SkipUserConversion:$true parameter is used, no password file is generated, and the user accounts that are associated with the domain are unusable. That is, the user accounts don't have access to Office 365 resources until one of the following is done:
      • The domain is converted back to use federated authentication by using the Convert-MSOLDomainToFederated cmdlet.
      • Each user account is converted to use standard authentication by using the Convert-MSOLFederatedUser cmdlet.

Method 3: Reverse the domain federated authentication settings for the Office 365 domain if the AD FS server isn't available

Use this method only if all the following conditions are true:
  • The problem is caused by a service outage that requires immediately restoring user access, or the account is an Office 365 for small businesses (pre-upgrade) account.
  • The AD FS server is unavailable.
If these conditions are true, reset the authentication setting for the domain and for each user account to use standard authentication. To do this, follow these steps:
  1. Start the Windows Azure Active Directory Module for Windows PowerShell. To do this, click Start, click All Programs, click Windows Azure Active Directory, right-click Windows Azure Active Directory Module for Windows PowerShell, and then click Run as administrator.
  2. To convert the domain, run the following commands in the order in which they are presented. Press Enter after you type each command.
    1. $cred = Get-Credential
      When you're prompted, enter Office 365 administrator credentials that are not SSO-enabled.
    2. Connect-MsolService -Credential $cred
    3. Set-MSOLDomainAuthentication -Authentication Managed -DomainName <federated domain name>
      Note In this command, the placeholder <federated domain name> represents the name of the domain for which SSO isn't working.
  3. For each user who has a user principal name (UPN) suffix that is associated with the domain, run the following command:
    Convert-MSOLFederatedUser -UserPrincipalName <string>
    Note In this command, the placeholder <string> represents the value of the UPN for the user who is being converted.
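The following script is an added example; it is not part of this article and is not code from the Windows Azure Active Directory Module. It carries out Method 2 when the primary AD FS server accepts a TCP connection on port 443 and Method 3 when it does not, and it goes beyond the steps above in two ways: it enumerates the users whose UPN suffix is the federated domain instead of requiring you to run Convert-MSOLFederatedUser by hand for each one, and it restricts the NTFS permissions on the generated password file. The domain name, the AD FS server name and the password file path are values you supply.

```powershell
# Added example (not from the KB article): reverse federation for one domain.
# Method 2 is used when the primary AD FS server is reachable, Method 3 otherwise.
# $DomainName, $AdfsServer and $PasswordFile are placeholders that you supply.
param(
    [Parameter(Mandatory = $true)][string]$DomainName,   # federated domain, e.g. contoso.com
    [Parameter(Mandatory = $true)][string]$AdfsServer,   # primary AD FS 2.0 server name
    [string]$PasswordFile = "C:\userpasswords.txt"
)

Import-Module MSOnline -ErrorAction Stop

# Step 1 of both methods: sign in with an administrator that is NOT SSO-enabled.
# An administrator on the federated domain cannot sign in while AD FS is down.
$cred = Get-Credential -Message "Office 365 administrator on a managed (non-federated) domain"
Connect-MsolService -Credential $cred

$domain = Get-MsolDomain -DomainName $DomainName -ErrorAction Stop
if ($domain.Authentication -ne 'Federated') {
    Write-Host "$DomainName is already '$($domain.Authentication)'; nothing to reverse."
    return
}

# Decide between Method 2 and Method 3. This is only a TCP reachability probe;
# it does not prove that the federation service itself is healthy.
$tcp = New-Object System.Net.Sockets.TcpClient
try   { $tcp.Connect($AdfsServer, 443); $adfsUp = $true }
catch { $adfsUp = $false }
finally { $tcp.Close() }

if ($adfsUp) {
    # Method 2: remove the Relying Party Trust on both sides and convert the users.
    Set-MsolADFSContext -Computer $AdfsServer
    Convert-MsolDomainToStandard -DomainName $DomainName -SkipUserConversion $false -PasswordFile $PasswordFile

    # The password file contains plaintext temporary passwords: remove inherited
    # permissions and grant access to the current user only.
    if (Test-Path $PasswordFile) {
        $acl = Get-Acl $PasswordFile
        $acl.SetAccessRuleProtection($true, $false)
        $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
        $acl.SetAccessRule($rule)
        Set-Acl -Path $PasswordFile -AclObject $acl
        Write-Host "Temporary passwords written to $PasswordFile (access restricted to $me)."
    }
}
else {
    # Method 3: AD FS is unreachable, so switch the domain to managed authentication
    # in the cloud only, then convert every user whose UPN suffix is this domain.
    Set-MsolDomainAuthentication -Authentication Managed -DomainName $DomainName

    $users = Get-MsolUser -All | Where-Object { $_.UserPrincipalName -like "*@$DomainName" }
    $results = foreach ($u in $users) {
        try {
            # The returned object is assumed to carry the user's temporary password;
            # treat the output of this loop as sensitive.
            $r = Convert-MsolFederatedUser -UserPrincipalName $u.UserPrincipalName
            [pscustomobject]@{ UserPrincipalName = $u.UserPrincipalName; Converted = $true;  Detail = $r }
        }
        catch {
            [pscustomobject]@{ UserPrincipalName = $u.UserPrincipalName; Converted = $false; Detail = $_.Exception.Message }
        }
    }
    $results | Format-Table -AutoSize
    Write-Host ("Converted {0} of {1} users on {2}." -f ($results | Where-Object Converted).Count, $results.Count, $DomainName)
}
```

Run the script from an elevated Windows Azure Active Directory Module for Windows PowerShell session, for example `.\Reverse-Federation.ps1 -DomainName contoso.com -AdfsServer adfs01` (both values are placeholders). The per-user loop records failures instead of stopping, so a user that cannot be converted does not leave the remaining accounts federated.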

MORE INFORMATION

Important In scenarios in which the last Microsoft cloud services organization administrator is assigned the domain suffix of a federated domain and in which that administrator becomes SSO-enabled, any subsequent AD FS failure also blocks that administrator's own sign-in, so the Connect-MsolService cmdlet can't be run and the SSO problem may not be remediable. It's a best practice recommendation that Microsoft cloud services organization administrators always keep at least one global administrator account that isn't SSO-enabled to allow for troubleshooting SSO problems by using the Windows Azure Active Directory Module for Windows PowerShell.
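The following check is an added example and is not part of this article or of the Windows Azure Active Directory Module. It lists the members of the global administrator role (named "Company Administrator" in the module) together with the authentication type of each member's UPN suffix, and reports whether at least one of them signs in through a managed domain. It assumes an existing Connect-MsolService session; the `Test-ManagedGlobalAdmin` function name is the example's own.

```powershell
# Added example (not from the KB article): confirm that at least one global
# administrator is on a managed (non-federated) domain, so that Connect-MsolService
# still works if AD FS fails. Assumes Connect-MsolService has already been run.
function Test-ManagedGlobalAdmin {
    # Get-MsolDomain reports Authentication as 'Managed' or 'Federated' per domain.
    $managedDomains = Get-MsolDomain |
        Where-Object { $_.Authentication -eq 'Managed' } |
        ForEach-Object { $_.Name.ToLowerInvariant() }

    # 'Company Administrator' is the module's name for the global administrator role.
    $role   = Get-MsolRole -RoleName 'Company Administrator'
    $admins = Get-MsolRoleMember -RoleObjectId $role.ObjectId |
        Where-Object { $_.RoleMemberType -eq 'User' }

    $report = foreach ($a in $admins) {
        $suffix = ($a.EmailAddress -split '@')[-1].ToLowerInvariant()
        [pscustomobject]@{
            Admin    = $a.EmailAddress
            Domain   = $suffix
            AuthType = if ($managedDomains -contains $suffix) { 'Managed' } else { 'Federated' }
        }
    }

    $report | Format-Table -AutoSize

    $managedAdmins = @($report | Where-Object { $_.AuthType -eq 'Managed' })
    if ($managedAdmins.Count -eq 0) {
        Write-Warning "No global administrator is on a managed domain. If AD FS fails, nobody can run Connect-MsolService to recover."
        return $false
    }
    Write-Host ("{0} global administrator(s) can sign in without AD FS." -f $managedAdmins.Count)
    return $true
}

Test-ManagedGlobalAdmin
```

The onmicrosoft.com domain of the organization is always reported as Managed by Get-MsolDomain, so a cloud-only "break glass" administrator with a UPN on that domain satisfies the check. Run the check again after every Convert-MSOLDomainToFederated, because converting the domain that holds the only managed administrator is exactly the situation this section warns about.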

If this problem occurs, contact Microsoft Support to have the domain federation reversed temporarily so that the administrator (who, after the reversal, is no longer SSO-enabled) can regain access to troubleshoot SSO-related problems.

Still need help? Go to the Office 365 Community website or the Windows Azure Active Directory Forums website.

Properties

Article ID: 2662960 - Last Review: March 6, 2014 - Revision: 23.0
Applies to
  • Windows Azure
  • Microsoft Office 365
  • Microsoft Office 365 for enterprises (pre-upgrade)
  • Microsoft Office 365 for education (pre-upgrade)
  • CRM Online via Office 365 E Plans
  • Windows Azure Recovery Services
Keywords: 
o365 o365a o365022013 after upgrade o365062011 pre-upgrade o365e o365m KB2662960
