Warning It's a Microsoft best practice to always have at least one administrator user ID that's associated with the default domain so that administrative access to the organization isn't lost if SSO is compromised.
Method 1: Troubleshoot SSO setupUse this method only if all the following conditions are true:
- The problem isn't caused by a service outage.
- Immediately restoring user access isn't required.
Method 2: Revert the domain federation back to standard authentication if the AD FS server isn't availableUse this method only if all the following conditions are true:
- The problem is caused by a service outage that requires immediately restoring user access.
- The AD FS server is unavailable.
- Start the Azure Active Directory Module for Windows PowerShell. To do this, click Start, click All Programs, click Windows Azure Active Directory, right-click Windows Azure Active Directory Module for Windows PowerShell, and then click Run as administrator.
- To convert the domain, run the following commands in the order in which they are presented. Press Enter after you type each command.
$cred = Get-CredentialWhen you're prompted, enter cloud service administrator credentials that are not SSO-enabled.
Connect-MsolService –credential $cred
Set-MSOLDomainAuthentication -Authentication Managed -DomainName <federated domain name>Note In this command, the placeholder <federated domain name> represents the name of the domain for which SSO isn't working.
- For each user who has a user principal name (UPN) suffix that's associated with the domain, run the following command:
Convert-MSOLFederatedUser -UserPrincipalName <string>Note In this command, the placeholder <string> represents the value of the UPN for the user who is being converted.
If this problem occurs, contact Microsoft Support to have the domain federation reversed temporarily so that the administrator (who is no longer SSO-enabled) can regain access to troubleshoot SSO-related problems.
ID articolo: 2662960 - Ultima revisione: 28 dic 2016 - Revisione: 1