Wednesday 29 July 2015

Remove ADFS federation and revert to Same Sign On with password sync after ADFS failure

Although AD FS can offer a much better user experience with Single Sign On to applications such as Office 365, it does have its faults. For example, if you have ADFS deployed and configured to provide SSO to Office 365, users are only able to authenticate to the Office 365 tenancy if the ADFS service is online. Therefore no ADFS means no Office 365, which means no Exchange, SharePoint etc. If your ADFS service goes offline and you still require access to Office 365 (which you likely do), the following procedure can be carried out to switch the Office 365 tenancy back to a "managed domain", which basically means it no longer relies on ADFS.
The DirSync configuration you choose here is important: it is recommended to enable Password Sync, so that users can log in with the same username and password if you have to break the ADFS relationship. This is known as Same Sign On.

Let's first check the status of our ADFS and Office 365, so connect to the tenancy using PowerShell.

Use the Get-MsolDomain command to check whether federation is currently in operation. As you will notice, it is for this environment.

To simulate my ADFS service going offline I have powered down both the ADFS and WAP servers, as you can see from VMware Workstation.

Now if I try to login to Office 365 from a domain-joined computer using SSO it fails.

This is where it gets a little complicated. There are a number of commands on the internet that are supposed to do this, i.e. convert a federated domain to a standard one. As you can see, if you run the command Convert-MsolDomainToStandard -DomainName -SkipUserConversion $False -PasswordFile C:\Passwords.txt when ADFS is offline you will receive the following error.

The workaround here is to install and configure ADFS on any other server in the domain; in this example I have thrown the ADFS role onto a domain controller.

Run through the configuration wizard so that it mirrors the original ADFS setup, but don't forget this won't have the Relying Party Trust associated with Office 365.

Once it is done, use the following command:
Set-MsolDomainAuthentication -DomainName -Authentication Managed

This command will convert the federated domain to an Office 365 managed domain, and if you have Password Sync configured with DirSync, users should be able to log in using their normal network passwords.
Run Get-MsolDomain again to verify that the conversion has completed successfully.
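The check, convert and verify steps above, pulled together into one script. This is an added example and not the blog author's script; it assumes the MSOnline module is installed, that $DomainName is one of your own verified tenant domains, and that the stand-in ADFS role from the previous step is already in place. It also reads the last password sync time reported by Get-MsolCompanyInformation before converting, because only the passwords present at the last DirSync will work afterwards.

```powershell
# Added example (not the post's own code). Converts one federated domain to Managed
# after confirming Password Sync is on and recent. Assumes the MSOnline module.
param(
    [Parameter(Mandatory = $true)][string]$DomainName,
    [int]$MaxPasswordSyncAgeHours = 24   # how stale a sync we are willing to accept
)

Import-Module MSOnline
Connect-MsolService   # prompts for Global Administrator credentials

# 1. Confirm the domain really is federated; otherwise there is nothing to revert.
$domain = Get-MsolDomain -DomainName $DomainName
if ($domain.Authentication -ne 'Federated') {
    Write-Host "$DomainName is already $($domain.Authentication); nothing to do."
    return
}
Write-Host "Current federation settings for ${DomainName}:"
Get-MsolDomainFederationSettings -DomainName $DomainName | Format-List

# 2. Users will only be able to sign in with the password hash last synced, so
#    refuse to proceed without Password Sync and warn if the last sync is stale.
$company = Get-MsolCompanyInformation
if (-not $company.PasswordSynchronizationEnabled) {
    throw "Password Sync is not enabled; converting now would leave users without usable cloud passwords."
}
if ($null -eq $company.LastPasswordSyncTime) {
    Write-Warning "No password sync has ever completed for this tenant."
} else {
    $age = (Get-Date).ToUniversalTime() - $company.LastPasswordSyncTime
    if ($age.TotalHours -gt $MaxPasswordSyncAgeHours) {
        Write-Warning ("Last password sync was {0:N1} hours ago; some users may need older passwords." -f $age.TotalHours)
    }
}

# 3. Switch the domain from Federated to Managed (the command from the post).
Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Managed

# 4. Verify by reading the domain back; Authentication should now be Managed.
$after = Get-MsolDomain -DomainName $DomainName
if ($after.Authentication -ne 'Managed') {
    throw "Conversion failed: $DomainName still reports $($after.Authentication)."
}
Write-Host "$DomainName is now Managed; users sign in with their synced network password."
```

Save it as a .ps1 and run it with -DomainName yourdomain.example; the warning in step 2 tells you in advance whether the caveat about old passwords at the end of this post is going to bite.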

Now let's test. As you can see my ADFS infrastructure is still offline, so browse to the Office 365 login page. It no longer redirects me to the ADFS service name and I am free to enter my credentials.

The credentials that are valid will only be those from the last DirSync, so if your DirSync has not worked for a while you may find some users have to use old network passwords. It is worth ensuring DirSync is monitored and available, as this procedure can be a real saver if your ADFS infrastructure fails.
