OpenTechTips


Office 365 – How to Revert to Cloud Authentication | Cutting ADFS Fast

August 5, 2020 - by Zsolt Agoston - last edited on August 5, 2020

There might be scenarios when cutting ADFS and falling back to cloud authentication is urgently required. For example, when our on-premises ADFS authenticator servers go down - possibly due to a network outage - we want our users to be able to authenticate again. Remember, with ADFS the users are authenticated on the dedicated, on-premises authenticator servers. If those boxes are not accessible, our users won't be able to log into their mailboxes, or any other cloud services.

The quick way to fix the login is to change the authentication type to "managed" in the cloud for the affected domain(s). This tells the cloud servers to authenticate users against the pre-synced user password hashes, using the cloud login forms (see step 2).

1. Authentication with ADFS - Before Cut

Here is a simple example to visualize the authentication process with ADFS being set. Alice tries to authenticate from the internet. In this setup, after the cloud senses that she is using a federated domain ( @alwayshotcafe.com ) it bounces her request straight to the on-prem authenticator server: auth.alwayshotcafe.com. After successful login, the user will be allowed to use resources in the cloud.


2. Switch to Cloud-Managed Authentication

Our goal is to make the cloud servers do the authentication. First, we connect to MS Online from a domain server. In our example we use our domain controller (DC.alwayshotcafe.com). Detailed steps are here. Then run the following commands to disable ADFS.

PS C:\> Set-MsolADFSContext -Computer adfs.alwayshotcafe.com
PS C:\> Convert-MsolDomainToStandard -DomainName alwayshotcafe.com -SkipUserConversion:$true -PasswordFile c:\temp\passwdfile.txt
Successfully updated 'alwayshotcafe.com' domain.

# If access to the ADFS server is lost, use this command instead of the first two:
PS C:\> Set-MsolDomainAuthentication -Authentication managed -DomainName alwayshotcafe.com

3. Verify authentication

After the steps above, the next time Alice tries to log in, she will get the Office 365 cloud login form instead of the on-prem ADFS landing page!
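The cutover in steps 2 and 3 can be wrapped in checks, shown here as an added example that is not part of the original article: it confirms that password hash sync is enabled before switching, saves the current federation settings, and verifies the domain's authentication type afterwards. It assumes the MSOnline module with an existing Connect-MsolService session; the backup path is a hypothetical placeholder.

```powershell
# Added example: guarded switch from federated to managed authentication.
# Assumes: MSOnline module loaded and Connect-MsolService already run.
$DomainName = 'alwayshotcafe.com'                 # domain used in the article
$BackupPath = 'C:\temp\federation-backup.xml'     # hypothetical backup location

function Get-CutoverState {
    param([Parameter(Mandatory)][string]$Domain)
    $company = Get-MsolCompanyInformation
    $dom     = Get-MsolDomain -DomainName $Domain
    [pscustomobject]@{
        Domain              = $Domain
        Authentication      = "$($dom.Authentication)"   # 'Federated' or 'Managed'
        PasswordSyncEnabled = [bool]$company.PasswordSynchronizationEnabled
        LastPasswordSync    = $company.LastPasswordSyncTime
    }
}

$before = Get-CutoverState -Domain $DomainName
$before | Format-List

# Nothing to do if the domain is already cloud-managed.
if ($before.Authentication -ne 'Federated') {
    Write-Warning "$DomainName is already '$($before.Authentication)'; no change made."
    return
}

# Managed authentication relies on password hashes already synced to the cloud.
# Without them, users would be locked out after the switch.
if (-not $before.PasswordSyncEnabled) {
    throw "Password hash sync is not enabled for this tenant; aborting cutover."
}

# Keep a copy of the federation settings so the trust can be restored later.
Get-MsolDomainFederationSettings -DomainName $DomainName |
    Export-Clixml -Path $BackupPath

# Same command the article uses when the ADFS server is unreachable.
Set-MsolDomainAuthentication -Authentication Managed -DomainName $DomainName

# Verify the change took effect before telling users to retry.
$after = Get-CutoverState -Domain $DomainName
if ($after.Authentication -ne 'Managed') {
    throw "Domain still reports '$($after.Authentication)' after the switch."
}
Write-Output "$DomainName now uses managed (cloud) authentication."
```

Restrict access to the backup file, and review the last password sync time in the output: a stale value means users may have to sign in with an older password.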
