Code
The following cmdlets provide a way to enable or disable ADFS on an Azure AD tenant.
Note that these snippets depend on the MSOnline PowerShell module.
Getting current state
To get the current state of your configuration run the cmdlet below.
Connect-MsolService
Get-MsolDomain
Example Output
Name Status Authentication
---- ------ --------------
identity-powershell.com Verified Managed
chrisdymond.onmicrosoft.com Verified Managed
chrisdymond.mail.onmicrosoft.com Verified Managed
A managed domain is authenticated directly against Azure AD.
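An added example, not from the original post: a report that lists every domain's authentication state and, for federated domains, the federation settings an administrator would want to confirm (issuer URI, passive sign-in endpoint, token-signing certificate thumbprint). It assumes an existing Connect-MsolService session and the MSOnline module; the expected-domain list at the bottom is an assumed value.

```powershell
# Added example (not from the original post): audit domain authentication state.
# Assumes Connect-MsolService has already been run and MSOnline is loaded.

function ConvertTo-Thumbprint {
    # Federation settings carry the token-signing certificate as a base64 string;
    # a thumbprint is easier to compare with the certificate on the AD FS farm.
    param([string]$Base64Certificate)
    if ([string]::IsNullOrEmpty($Base64Certificate)) { return $null }
    $bytes = [Convert]::FromBase64String($Base64Certificate)
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
    return $cert.Thumbprint
}

function Get-DomainAuthenticationReport {
    [CmdletBinding()]
    param()

    foreach ($domain in Get-MsolDomain) {
        $report = [ordered]@{
            Name                      = $domain.Name
            Status                    = $domain.Status
            Authentication            = $domain.Authentication
            IssuerUri                 = $null
            PassiveLogOnUri           = $null
            SigningCertThumbprint     = $null
            NextSigningCertThumbprint = $null
        }

        # Only federated domains have federation settings to inspect.
        if ($domain.Authentication -eq 'Federated') {
            $fed = Get-MsolDomainFederationSettings -DomainName $domain.Name
            $report.IssuerUri                 = $fed.IssuerUri
            $report.PassiveLogOnUri           = $fed.PassiveLogOnUri
            $report.SigningCertThumbprint     = ConvertTo-Thumbprint $fed.SigningCertificate
            $report.NextSigningCertThumbprint = ConvertTo-Thumbprint $fed.NextSigningCertificate
        }

        [pscustomobject]$report
    }
}

# Usage: $ExpectedFederated is an assumed value; replace it with the domains you
# deliberately federated. Any other federated domain is flagged for review.
$ExpectedFederated = @('identity-powershell.com')
$report = Get-DomainAuthenticationReport
$report | Format-Table Name, Status, Authentication, IssuerUri, SigningCertThumbprint -AutoSize

$unexpected = $report | Where-Object {
    $_.Authentication -eq 'Federated' -and $_.Name -notin $ExpectedFederated
}
if ($unexpected) {
    Write-Warning "Federated domains not in the expected list: $($unexpected.Name -join ', ')"
}
```

Running this periodically and comparing the thumbprints against the token-signing certificate on the AD FS farm is a cheap way to notice a federation setting that has changed without a corresponding change on the farm.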
Enabling Federation
To enable AD FS federation for your custom domain, open a session on your AD FS server and run the following cmdlets. This will change the ‘Managed’ authentication to ‘Federated’, at which time users signing into your tenant will start to see the AD FS login screen.
Convert-MsolDomainToFederated -DomainName identity-powershell.com -SupportMultipleDomain
Get-MsolDomain
Example Output
Successfully updated 'identity-powershell.com' domain.
Name Status Authentication
---- ------ --------------
identity-powershell.com Verified Federated
chrisdymond.onmicrosoft.com Verified Managed
chrisdymond.mail.onmicrosoft.com Verified Managed
Removing Federation
To switch the domain back to being ‘Managed’ simply run the cmdlet below.
Note that using this cmdlet will not remove the trust settings from AD FS itself. It will, however, tell Azure AD to utilise the synchronised password hashes (where available), removing federation.
This is a useful cmdlet for temporarily switching your users to Azure AD authentication or for disabling AD FS integration under a tenant migration scenario.
Set-MsolDomainAuthentication -DomainName identity-powershell.com -Authentication Managed
Example Output
Successfully updated 'identity-powershell.com' domain.
Name Status Authentication
---- ------ --------------
identity-powershell.com Verified Managed
chrisdymond.onmicrosoft.com Verified Managed
chrisdymond.mail.onmicrosoft.com Verified Managed
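The three steps above (check the current state, convert to Federated, revert to Managed) wrapped in one function, as an added example that is not part of the original post. It refuses to revert a domain to Managed when password hash synchronisation is not enabled in the tenant (users would otherwise have no way to sign in), refuses to federate unless the AD FS cmdlets are present (Convert-MsolDomainToFederated configures AD FS, so it has to run on the AD FS server), and supports -WhatIf and -Confirm. It assumes an existing Connect-MsolService session; the presence of Get-AdfsProperties as a proxy for "running on an AD FS server" is an assumed heuristic.

```powershell
# Added example (not from the original post): guarded switch between Managed and
# Federated authentication. Assumes Connect-MsolService has already been run.

function Set-DomainAuthenticationMode {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string]$DomainName,
        [Parameter(Mandatory)] [ValidateSet('Managed', 'Federated')] [string]$Mode
    )

    # 1. The domain must exist in the tenant and be verified.
    $domain = Get-MsolDomain -DomainName $DomainName -ErrorAction Stop
    if ($domain.Status -ne 'Verified') {
        throw "Domain '$DomainName' is not verified (status: $($domain.Status))."
    }

    # 2. Nothing to do if the domain is already in the requested mode.
    if ($domain.Authentication -eq $Mode) {
        Write-Verbose "Domain '$DomainName' is already $Mode."
        return $domain
    }

    # 3. Reverting to Managed relies on synchronised password hashes, so refuse
    #    when password hash synchronisation is not enabled for the tenant.
    if ($Mode -eq 'Managed') {
        $company = Get-MsolCompanyInformation
        if (-not $company.PasswordSynchronizationEnabled) {
            throw "Password hash synchronisation is not enabled; users could not sign in once '$DomainName' is Managed."
        }
    }

    # 4. Converting to Federated configures AD FS, so it must run on the AD FS server.
    #    Assumed heuristic: the AD FS cmdlets are available there.
    if ($Mode -eq 'Federated' -and -not (Get-Command Get-AdfsProperties -ErrorAction SilentlyContinue)) {
        throw "Convert-MsolDomainToFederated must be run on an AD FS server."
    }

    # 5. Apply the change, honouring -WhatIf / -Confirm.
    $action = "change authentication from $($domain.Authentication) to $Mode"
    if ($PSCmdlet.ShouldProcess($DomainName, $action)) {
        switch ($Mode) {
            'Federated' { Convert-MsolDomainToFederated -DomainName $DomainName -SupportMultipleDomain }
            'Managed'   { Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Managed }
        }
    }

    # Return the post-change state so the caller can confirm the result.
    Get-MsolDomain -DomainName $DomainName
}

# Usage (domain name taken from the post's example output):
#   Set-DomainAuthenticationMode -DomainName identity-powershell.com -Mode Managed -WhatIf
#   Set-DomainAuthenticationMode -DomainName identity-powershell.com -Mode Managed -Confirm
```

Because ConfirmImpact is High, the function prompts before every change unless -Confirm:$false is passed, which is the behaviour you want for a setting that decides where every user in the domain authenticates.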