Article ID: 2662960 - View products that this article applies to.
During setup of single sign-on (SSO) in a Microsoft cloud service such as Office 365, Microsoft Azure, or Microsoft Intune, you run the convert-MSOLDomaintoFederated cmdlet to convert an existing domain from standard authentication to federated authentication. However, after you do this, users who are associated with that domain can no longer access the cloud service.
This issue occurs if SSO isn't set up correctly or if the setup isn't completed.
Warning It's a Microsoft best practice to always have at least one administrator user ID that's associated with the default domain so that administrative access to the organization isn't lost if SSO is compromised.
To resolve this issue, use one of the following methods, as appropriate for your situation.
Method 1: Troubleshoot SSO setupUse this method only if all the following conditions are true:
(http://support.microsoft.com/kb/2530569/ )Troubleshoot single sign-on setup issues in Office 365, Intune, or Azure
Method 2: Revert the domain federation back to standard authentication if the AD FS server isn't availableUse this method only if all the following conditions are true:
Important In scenarios in which the last Microsoft cloud services organization administrator is assigned the domain suffix of a federated domain and in which that administrator becomes SSO-enabled, subsequent AD FS failures will limit running the connect-MSOLService cmdlet and may prevent the remediation of SSO problems. It's a best practice recommendation that Microsoft cloud services organization administrators always keep at least one global administrator account that isn't SSO-enabled to allow for troubleshooting SSO problems by using the Azure Active Directory Module for Windows PowerShell.
If this problem occurs, contact Microsoft Support to have the domain federation reversed temporarily so that the administrator (who is no longer SSO-enabled) can regain access to troubleshoot SSO-related problems.
Still need help? Go to the Office 365 Community
(http://community.office365.com/)website or the Azure Active Directory Forums
Article ID: 2662960 - Last Review: December 12, 2014 - Revision: 28.0