If you have a ADFS server for your user authentication in Office 365 / Azure AD, and you want to use Pass Through Authentication and/or password Hash Synchronization we will need to change a few things and run a few Powershell commands.
So before we can change the domain to managed, verify if your domain has password sync enabled using the AD connect wizard:
Once you’ve changed the setting, AD Connect will force a synchronization, but just to make sure run a full sync from Powershell using the following commands:
Import-module ADSync Start-ADSyncSyncCycle -PolicyType Initial
Once completed, we can start converting the domain from federated to managed. On your ADFS server, open Powershell and run the following command.
Import-Module MSOnline Connect-MSOLService
To verify the domains that you have simply run the following command:
Now the fun part starts, we are going to convert from federated to managed domain in one big bang. We will migrate from federated accounts to managed domain using on-premise passwords. Now run the following command. Change the domainname 2azure.nl to your own, and note, the txt file doesn’t need to exist.
Convert-MsoldomainToStandard -Domainname 2azure.nl -SkipUserConversion $false -PasswordFile c:\2azure.nl_userpasswords.txt
Now it gets complicated. There is no status bar indicating how far the process is, or what is actually happening here. Under the cover, the process is analyzing every account on your on-premise domain, whether or not it has actually ever been sync’d to Azure AD. If an account had actually been selected to sync to Azure AD, it is converted and assigning a random password. That is what that password file is for… Also, since we have enabled Password hash synchronization, those passwords will eventually be overwritten by passwords from your on-premise AD.
(i’ve noticed that some AD Connect have problems with the import of the adsync module. Alternativaly you can run the following command:
Import-Module –Name "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync" -Verbose