Although AD FS can offer a much better user experience with Single Sign On to applications such as Office 365, it does have its faults. For example, if you have ADFS deployed and configured to provide SSO to Office 365, users are only able to authenticate to the Office 365 tenancy if the ADFS service is online. Therefore no ADFS means no Office 365, which means no Exchange, SharePoint etc. If your ADFS service goes offline and you still require access to Office 365 (which you likely do), the following procedure can be carried out to switch the Office 365 tenancy back to a "managed domain", which basically means it no longer relies on ADFS.
The DirSync configuration you choose here is important: it is recommended to enable Password Sync so that users can log in with the same username and password if you have to break the ADFS relationship. This is known as Same Sign On.
Let's first check the status of our ADFS and Office 365, so connect to Office 365 using PowerShell. Use the Get-MsolDomain command to view whether Federation is currently in operation. As you will notice, it is for this environment.
To simulate my ADFS service going offline I have powered down both the ADFS and WAP servers, as you can see from VMware Workstation.
Now if I try to log in to Office 365 from a domain-joined computer using SSO it fails.
This is where it gets a little complicated: there are a number of commands on the internet that are supposed to do this, i.e. convert from a federated domain to a standard one. As you can see, if you run the command Convert-MsolDomainToStandard -DomainName edin-networks.com -SkipUserConversion $False -PasswordFile C:\Passwords.txt while ADFS is offline you will receive the following error.
The workaround here is to install and configure ADFS on any other server in the domain; in this example I have thrown the ADFS role onto a domain controller.
Run through the configuration wizard so that it mirrors the original ADFS setup, but don't forget this won't have the Relying Party Trust associated with Office 365.
Once it is done use the following command:
Set-MsolDomainAuthentication -DomainName edin-networks.com -Authentication Managed
This command will convert the federated domain to an Office 365 managed domain, and if you have Password Sync configured with DirSync, users should be able to log in using their normal network passwords.
Run this command to verify that the conversion has been carried out successfully:
Get-MsolDomain
Now let's test. As you can see my ADFS infrastructure is still offline; now browse to the Office 365 login page. It no longer redirects me to the ADFS service name and I am free to enter my credentials.
The only credentials that will be valid are those from the last DirSync, so if your DirSync has not worked for a while you may find some users have to use old network passwords. It is worth ensuring DirSync is managed and available, as this procedure can be a real saver if your ADFS infrastructure fails.
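The steps above (check the domain's authentication type, make sure Password Sync is recent enough for the converted domain to be usable, switch the domain to Managed, then re-read the state) can be wrapped into a small runbook. The script below is an added example and is not code from the original post; it uses only the MSOnline cmdlets the post itself relies on (Connect-MsolService, Get-MsolDomain, Get-MsolCompanyInformation, Set-MsolDomainAuthentication). It assumes the MSOnline module is installed and you are connecting as a tenant administrator; the domain name is the one used in the post, the 24-hour freshness threshold is an assumption, and the function names are my own.

```powershell
# Added example, not from the original post: a runbook for the ADFS-offline
# failover described above, using the same MSOnline cmdlets the post uses.
# Assumptions: MSOnline module installed, tenant admin credentials at hand,
# domain name taken from the post. Function names are hypothetical.

Import-Module MSOnline
Connect-MsolService   # prompts for tenant administrator credentials

function Get-DomainAuthState {
    # Reads the domain with Get-MsolDomain and reports Managed / Federated.
    param([Parameter(Mandatory)][string]$DomainName)
    $d = Get-MsolDomain -DomainName $DomainName
    [pscustomobject]@{
        Domain         = $d.Name
        Status         = $d.Status           # Verified / Unverified
        Authentication = $d.Authentication   # Managed / Federated
    }
}

function Test-PasswordSyncFreshness {
    # The post's caveat: only passwords from the last DirSync will work after
    # conversion. Treat the sync as unusable if Password Sync is off, has never
    # run, or is older than $MaxAgeHours (24 h is an assumed threshold; set it
    # to match your own sync interval).
    param([int]$MaxAgeHours = 24)
    $info = Get-MsolCompanyInformation
    if (-not $info.DirectorySynchronizationEnabled) {
        Write-Warning 'Directory synchronization is not enabled for this tenant.'
        return $false
    }
    if (-not $info.PasswordSynchronizationEnabled) {
        Write-Warning 'Password Sync is not enabled: users will have no network password to use after conversion.'
        return $false
    }
    if (-not $info.LastPasswordSyncTime) {
        Write-Warning 'Password Sync has never completed.'
        return $false
    }
    $age = [DateTime]::UtcNow - $info.LastPasswordSyncTime.ToUniversalTime()
    if ($age.TotalHours -gt $MaxAgeHours) {
        Write-Warning ("Last password sync was {0:N1} hours ago; some users may need an older password." -f $age.TotalHours)
        return $false
    }
    return $true
}

function Invoke-FederationFailover {
    # Switches the domain to Managed with Set-MsolDomainAuthentication, as the
    # post does, then re-reads the domain to confirm the change took effect.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$DomainName,
        [switch]$IgnoreStaleSync    # proceed even if Password Sync is old or off
    )
    $before = Get-DomainAuthState -DomainName $DomainName
    if ($before.Authentication -eq 'Managed') {
        Write-Host "$DomainName is already Managed; nothing to do."
        return $before
    }
    if (-not (Test-PasswordSyncFreshness) -and -not $IgnoreStaleSync) {
        throw 'Password Sync is missing or stale; re-run with -IgnoreStaleSync to convert anyway.'
    }
    if ($PSCmdlet.ShouldProcess($DomainName, 'Set authentication to Managed')) {
        Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Managed
        $after = Get-DomainAuthState -DomainName $DomainName
        if ($after.Authentication -ne 'Managed') {
            throw "Conversion did not take effect; $DomainName is still $($after.Authentication)."
        }
        return $after
    }
}

# Dry run first (-WhatIf prints what would happen without changing the tenant),
# then the real conversion.
Invoke-FederationFailover -DomainName 'edin-networks.com' -WhatIf
Invoke-FederationFailover -DomainName 'edin-networks.com'
```

The freshness check is there because the conversion itself succeeds regardless of sync state; it is the users who find out afterwards that their current network password is unknown to Office 365. Running with -WhatIf first gives you the Get-MsolDomain and Get-MsolCompanyInformation readout without touching the domain, which is the same information the post gathers by hand before running Set-MsolDomainAuthentication.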
Office 365 access, ADFS failure, ADFS down, Office 365 authentication