Blog

Netflex Blog

Stefan ten Hoeve

Turn off ADFS for o365 when ADFS servers are not reachable.

office365

When there is a problem with your ADFS server(s) or your internet connection, there is no authentication possible on ADFS. Users are not able to login to their mail, use Skype For Business or Sharepoint.

When this happens, it is good to know there is an easy way to turn federation off and on again in powershell without requiring a connection to the ADFS server.

Before you start, make sure you had password sync enabled on the AAD Connect server. If not, you will have to set a new password for every user after disabling federation.

 

Turn (ADFS) federation off

To turn federation off, create a connection to you o365 environment:

Make sure you installed the “Windows Azure Acrtive Directory Module for Windows Powershell”

WAAD

Right click the icon and run as Administrator.

Run the following commands in the powershell window:

  • Set the credential variable:

$cred=Get-Credential

  • Enter a Global Administrator account from Office 365. Do not use a federated account to login.

For example: use an account like “user@domain.onmicrosoft.com” and not “user@yourdomain.com”.

O365 Login

  • Now connect to Microsoft Online Services with the credential variable set previously
  • Connect-MsolService Credential $cred
  • Set the MSOL ADFS Context server, to the ADFS server
    • Set-MsolADFSContext –Computer domain_name.com
  • Set the domain to a non-federated domain

Set-MsolDomainAuthentication -DomainName domain_name.com –Authentication Managed

Turn (ADFS) Federation back on

When the ADFS servers are back online, you can turn Federation back on:

Go to (one of) your ADFS server and start the “Windows Azure Active Directory Module for Windows Powershell:

WAAD

  • Windows Azure Active Directory Module for Windows PowerShell
  • Right Click and Run As Administrator

    • Set the credential variable
    • $cred=Get-Credential

Enter a Global Administrator account from Office 365. Do not use a federated account to login.

O365 Login

For example: use an account like “user@domain.onmicrosoft.com” and not “user@yourdomain.com”.

o365 Login

  • Connect to Microsoft Online Services with the credential variable set previously
    • Connect-MsolService Credential $cred
  • Set the MSOL ADFS Context server, to the ADFS server
    • Set-MsolADFSContext –Computer domain_name.com
  • Convert the domain to a federated domain
    • Convert-MsolDomainToFederated –DomainName com
  • Successful Federation
    • Successfully updated ‘com‘ domain.
  • Verify federation
    • Get-MsolFederationProperty –DomainName com

Now ADFS should be up and running again.

Links:

Azure AD Connect

Active Directory Federation Services

Stefan ten Hoeve

(1) Comments

  1. Amit Kumar January 29, 2019 at 5:08 am Reply

    Good document , its working for me.

Leave a Comment

Scroll to Top