Today, I would like to talk a little bit about what happens while ADFS is down, how can we allow to users to access to Office 365 resources, how should we act?
Before I am presenting you the Powershell commands we should run in this scenario I would make sure all of you understand what is Office 365 SSO with ADFS, A couple of months ago I made a good article about how can we configure AD Azure join in for SSO to Office 365, Whether you read it or not I put URL for you:
Use in Azure AD join provides us SSO to Office 365 resources without ADFS or any complicated configuration, it’s pretty easy for set it up,
However, there are several limitations that I have mentioned in my article. the main limit is that SSO doesn’t work via Google Chrome, which is the most common browser nowadays.
and the policy control is not good enough and not satisfied for some organizations,
Therefore government organizations and security companies prefer to use in ADFS service which provides us more flexibility to manage our SSO and set restrictions.
So I have set up Office 365 with AD Connect and configured SSO with ADFS, I haven’t established a FARM on purpose, I want to demonstrate you crisis scenario which could happen anytime 🙂 Once ADFS is down users can’t access to Office 365 resources, what we have to in this scenario?
1 ) Open “Microsoft Azure Active Directory Module for Windows PowerShell”
2) Connect-MsolService – Enter Global Administrator Credential
3) Run get-MsolDomain and you will find that your domain is federated:
4) Convert-MsolDomainToStandard -DomainName Pelegit.co.il -PasswordFile C:\1.TXT -SkipUserConversio
n $true (The file won’t created):
5) Set-MsolDomainAuthentication -DomainName Pelegit.co.il -Authentication Managed
And at this point users are able to perform login successfully to Office 365 with their on-premise permission
Once ADFS Service has been repaired you can run the following command and the SSO will work again:
1 ) Open Windows Azure Active Directory PowerShell
2) Run Connect-MsolService
3) Convert-MsolDomainToFederated -DomainName Pelegit.co.il
4) Set-MsolDomainAuthentication -DomainName pelegit.co.il -Authentication Federated