
Office 365 - Disable Federation (ADFS)

SSO (Single Sign On) for Office 365 is usually provided by Active Directory Federation Services (ADFS).

Note: see this blog post for a description of SSO:

Office 365 - Hybrid Migration - Part 1: ADFS configuration

However, we may opt for another SSO service such as those of third-party providers OneLogin or Okta (these are the two "big names" in the identity provider business). If we have not implemented ADFS, we would simply configure the third-party system as directed. If we do have ADFS in place, we have to disable federation in Office 365 before implementing the third-party solution. This process is sometimes called "defederation".

As for DirSync, we may retain it as a solution, or not, depending on our needs. I may address that aspect in another blog post. For now, I will concentrate on ADFS.

In the following paragraphs, I'll outline the procedure to disable federation with ADFS and thus allow use of a third-party tool.

First, we open the Windows Azure Active Directory Module for PowerShell:




We then import the MSOnline module which allows us to execute commands in our Cloud environment (Office 365):

Import-Module MSOnline


We then connect to the online service:

Connect-MsolService


At this point, we have to enter Global Administrator credentials for the domain we want to manage.




This would be something like:

User: GlobalAdminName@YourO365Domain.onmicrosoft.com
Password: **********


We then verify which domains are federated with the following cmdlet:

Get-MsolDomain


In my case, it is the mitserv.net domain that is federated:


Note: I added ... | Format-List Name,Status,Auth* so all the output would be neatly aligned to the left. Otherwise, by default, the Authentication column displays on the far right of the screen.


We have to connect to the ADFS server from O365 at this time:

Set-MsolADFSContext -Computer ADFS-1

Note: ADFS-1 is the name of my ADFS server.


And now, we can convert the domain to standard (as opposed to federated):

Convert-MsolDomainToStandard -DomainName mitserv.net -SkipUserConversion:$true -PasswordFile C:\userpasswords.txt

Note: we can name the password text file whatever we want. In my case, this file was not even created, because -SkipUserConversion:$true means no users were converted and so no temporary passwords were generated. If users are converted, the file holds their new temporary passwords in clear text, so it should be protected and deleted once they have been distributed.


We should obtain a result like this (click to enlarge):




Apparently, we still need to execute one more cmdlet to set the domain authentication to "Managed", even though the preceding cmdlet already seems to do this (note the output above):

Set-MsolDomainAuthentication -Authentication Managed -DomainName mitserv.net
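
The steps above assembled into one function, as an added example that is not part of the original post: it refuses to convert a domain that is not federated, checks that password hash synchronization is in place before removing ADFS (otherwise nobody can log on afterwards), and verifies the result. It assumes the MSOnline module's Get-MsolCompanyInformation exposes PasswordSynchronizationEnabled and LastPasswordSyncTime; the domain, server and file names are the post's own.

```powershell
# Added example: wraps the post's defederation steps with checks before and after.
# Assumes the MSOnline module (Get-MsolDomain, Get-MsolCompanyInformation,
# Set-MsolADFSContext, Convert-MsolDomainToStandard, Set-MsolDomainAuthentication).
function Disable-O365Federation {
    param(
        [Parameter(Mandatory)] [string] $DomainName,   # e.g. mitserv.net
        [Parameter(Mandatory)] [string] $AdfsServer,   # e.g. ADFS-1
        [string] $PasswordFile = "C:\userpasswords.txt"
    )
    Import-Module MSOnline -ErrorAction Stop
    Connect-MsolService                    # prompts for Global Administrator credentials

    # Pre-check 1: the domain must actually be federated, otherwise there is nothing to do.
    $domain = Get-MsolDomain -DomainName $DomainName -ErrorAction Stop
    if ($domain.Authentication -ne 'Federated') {
        Write-Warning "$DomainName is already '$($domain.Authentication)'; nothing to convert."
        return $domain
    }

    # Pre-check 2: once managed, users sign in with the password hash synchronized by
    # DirSync. If password sync is off or stale, logon fails for everyone after conversion.
    $company = Get-MsolCompanyInformation
    if (-not $company.PasswordSynchronizationEnabled) {
        throw "Password synchronization is not enabled; enable it in DirSync before defederating."
    }
    if ($company.LastPasswordSyncTime -lt (Get-Date).AddHours(-3)) {
        Write-Warning "Last password sync was $($company.LastPasswordSyncTime); force a sync first."
    }

    # Conversion: point the cmdlets at the ADFS server, then convert the domain.
    Set-MsolADFSContext -Computer $AdfsServer
    Convert-MsolDomainToStandard -DomainName $DomainName -SkipUserConversion:$true -PasswordFile $PasswordFile
    Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Managed

    # Post-check: confirm the change took effect before telling users to sign in.
    $after = Get-MsolDomain -DomainName $DomainName
    if ($after.Authentication -ne 'Managed') {
        throw "Domain still reports '$($after.Authentication)' after conversion."
    }

    # If user conversion was not skipped, the file holds temporary passwords in clear text:
    # restrict access to it and remove it as soon as they have been distributed.
    if (Test-Path $PasswordFile) {
        Write-Warning "Temporary passwords written to $PasswordFile; protect and delete it after use."
    }
    return $after
}

Disable-O365Federation -DomainName 'mitserv.net' -AdfsServer 'ADFS-1'
```

Convert-MsolDomainToFederated is the cmdlet to reverse the change if the ADFS server must be brought back into service.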


Now users can log on to Office 365 / Exchange Online even if the ADFS server is unavailable. That is because they authenticate against Azure Active Directory, to which their password hashes have been synchronized via DirSync.

This is what the user will see:



When they start to enter their password, they will no longer be redirected to an ADFS server but will be able to continue to enter their credentials as shown above.

And despite the absence of an ADFS server (currently powered off), they can indeed access their email:





***

Of course, we no longer have SSO and users will have to enter their credentials every time they access their email (or other Office 365 services). If this is not acceptable, we either have to retain ADFS or implement a third-party service such as those offered by OneLogin or Okta.