Users can no longer sign in after you run the convert-MSOLDomaintoFederated cmdlet to convert an existing domain

Article translations Article translations
Article ID: 2662960 - View products that this article applies to.
Expand all | Collapse all

PROBLEM

During setup of single sign-on (SSO) in a Microsoft cloud service such as Office 365, Microsoft Azure, or Windows Intune, you run the convert-MSOLDomaintoFederated cmdlet to convert an existing domain from standard authentication to federated authentication. However, after you do this, users who are associated with that domain can no longer access the cloud service. 

CAUSE

This issue occurs if SSO isn't set up correctly or if the setup isn't completed.

Warning It's a Microsoft best practice to always have at least one administrator user ID that's associated with the default domain so that administrative access to the organization isn't lost if SSO is compromised. 

SOLUTION

To resolve this issue, use one of the following methods, as appropriate for your situation.

Method 1: Troubleshoot SSO setup

Use this method only if all the following conditions are true:
  • The problem isn't caused by a service outage.
  • Immediately restoring user access isn't required.
To diagnose and troubleshoot SSO setup, see the following Microsoft Knowledge Base article:
2530569 Troubleshoot single sign-on setup issues in Office 365, Windows Intune, or Azure 

Method 2: Revert the domain federation back to standard authentication if the AD FS server isn't available

Use this method only if all the following conditions are true:
  • The problem is caused by a service outage that requires immediately restoring user access.
  • The AD FS server is unavailable.
If these conditions are true, reset the authentication setting for the domain and for each user account to use standard authentication. To do this, follow these steps:
  1. Start the Azure Active Directory Module for Windows PowerShell. To do this, click Start, click All Programs, click Windows Azure Active Directory, right-click Windows Azure Active Directory Module for Windows PowerShell, and then click Run as administrator.
  2. To convert the domain, run the following commands in the order in which they are presented. Press Enter after you type each command.
    1. $cred = Get-Credential
      When you're prompted, enter cloud service administrator credentials that are not SSO-enabled.
    2. Connect-MsolService –credential $cred
    3. Set-MSOLDomainAuthentication -Authentication Managed -DomainName <federated domain name>
      Note In this command, the placeholder <federated domain name> represents the name of the domain for which SSO isn't working.
  3. For each user who has a user principal name (UPN) suffix that's associated with the domain, run the following command:
    Convert-MSOLFederatedUser -UserPrincipalName <string>
    Note In this command, the placeholder <string> represents the value of the UPN for the user who is being converted.

MORE INFORMATION

Important In scenarios in which the last Microsoft cloud services organization administrator is assigned the domain suffix of a federated domain and in which that administrator becomes SSO-enabled, subsequent AD FS failures will limit running the connect-MSOLService cmdlet and may prevent the remediation of SSO problems. It's a best practice recommendation that Microsoft cloud services organization administrators always keep at least one global administrator account that isn't SSO-enabled to allow for troubleshooting SSO problems by using the Azure Active Directory Module for Windows PowerShell.

If this problem occurs, contact Microsoft Support to have the domain federation reversed temporarily so that the administrator (who is no longer SSO-enabled) can regain access to troubleshoot SSO-related problems.

Still need help? Go to the Office 365 Community website or the Azure Active Directory Forums website.

Properties

Article ID: 2662960 - Last Review: July 9, 2014 - Revision: 26.0
Applies to
  • Microsoft Azure
  • Microsoft Office 365
  • Windows Intune
  • CRM Online via Office 365 E Plans
  • Microsoft Azure Recovery Services
  • Office 365 Identity Management
Keywords: 
o365 o365a o365022013 o365e o365m KB2662960

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com