Thoughts on Microsoft 365 and Domain Federation

This week I was working with a customer that converted a domain from federated authentication to managed authentication for the purpose of testing the transition. This is not an uncommon occurrence: many customers that use federated authentication combine it with Password Hash Synchronization to provide a measure of redundancy for authentication in the event that their federated authentication provider is no longer available.

At the time I was engaged, the customer was raising an escalation on how to convert the domain back to federated authentication. To convert the domain to managed authentication the customer had used Update-MGDomain -domainID "Domain" -authenticationType "Managed". This is an appropriate method to convert a domain from federated to managed authentication. The customer then attempted to use Update-MGDomain -domainID "Domain" -authenticationType "Federated" and received the following error:

update-MGDomain -DomainId "domain.net" -AuthenticationType "Federated"

update-MGDomain : Changing authenticationType from Managed to Federated is currently not supported.
Status: 400 (BadRequest)

The documentation for Update-MGDomain does list “Federated” as an authentication type.

https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.identity.directorymanagement/update-mgdomain?view=graph-powershell-1.0

Technically this is correct: the command does evaluate and return an authentication type of Federated, but it cannot be used on its own to convert a domain from managed to federated authentication. Federating a domain requires information and attributes (issuer URI, sign-in endpoints, signing certificate, and so on) beyond what Update-MGDomain accepts.

This leads to a conversation about the "supported" method to federate a domain with Microsoft 365. Our response was to use Entra Connect and its integration with ADFS. There is, however, no specific document that says this is the "supported" method. If there is no documentation, how do we come to the conclusion that this is the "supported" method?

Prior to the integration of ADFS with Entra Connect, customers had access to the command Convert-MsolDomainToFederated. This command was designed to be run on ADFS; it not only converted the domain to federation in Entra ID by stamping the appropriate federation attributes, but also created a generic federation trust within ADFS. In many cases the generic federation trust it created did not reflect the settings customers actually used for synchronization, such as sourceAnchor, UPN, and device registration. In the simplest scenarios it worked fine, but it did not support more advanced scenarios.

Convert-MsolDomainToFederated has since been deprecated and has no equivalent Graph replacement. This leaves Entra Connect as an attractive alternative for federating a domain, and it has several benefits over the other options. When Entra Connect is used, the ADFS farm is registered with the installation, and as configuration changes occur Entra Connect automatically updates the properties of the federation trust. It automates the addition of ADFS and WAP servers to existing farms and supports full certificate management. One of the drawbacks is that converting a domain from managed to federated authentication is a per-domain process: it works well for single domains but not necessarily for hundreds of domains.

Microsoft Graph supports the ability to convert a domain to federated authentication through the new-MGDomainFederationConfiguration command.

https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.identity.directorymanagement/new-mgdomainfederationconfiguration?view=graph-powershell-1.0

As long as the administrator knows the appropriate values, this command can be used to convert the domain. This also assumes that the federation trust that already exists in ADFS was created in a manner that fully supports Microsoft 365 (for example, a unique issuer URI per federated domain emitted by the ADFS claim rules).

What is the recommendation if we have to convert to managed authentication in an emergency?

If the ADFS environment, Active Directory, or network infrastructure becomes compromised, many customers rely on the conversion to managed authentication to restore access to their cloud services. When password hash synchronization has been enabled, this is an easy and quick transition. Once the recovery actions have been completed, I recommend using the Entra Connect installation to re-federate a minimum of two domains. This ensures that the federation settings within Microsoft 365 have accurate values and that the federation trust in ADFS is created in a manner that supports Microsoft 365. For any additional domains, Microsoft Graph can be used to pull the federation settings from the domains Entra Connect converted and apply them to the remaining domains with New-MGDomainFederationConfiguration.
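The "pull settings from a re-federated domain and apply them to the rest" step, as an added example script that is not from the original post or from Microsoft. It assumes the Microsoft.Graph PowerShell modules are installed, that the ADFS trust was built to support multiple domains (one issuer URI per domain), and that the domain names and the issuer-URI pattern below are placeholders you replace with your own.

```powershell
# Added example (not part of the original post): copy the federation settings that
# Entra Connect stamped on a re-federated reference domain onto additional domains.
# Assumptions: Microsoft.Graph modules installed; ADFS trust supports multiple domains;
# domain names and the issuer-URI pattern are placeholders.
Connect-MgGraph -Scopes "Domain.ReadWrite.All"

$referenceDomain   = "reference.example"                     # placeholder: re-federated via Entra Connect
$additionalDomains = @("second.example", "third.example")    # placeholders: still managed

# Read the federation configuration Entra Connect wrote for the reference domain.
$ref = Get-MgDomainFederationConfiguration -DomainId $referenceDomain | Select-Object -First 1
if (-not $ref) { throw "No federation configuration found on $referenceDomain" }

foreach ($domain in $additionalDomains) {
    # Skip domains that are already federated instead of failing part-way through the loop.
    if ((Get-MgDomain -DomainId $domain).AuthenticationType -eq "Federated") {
        Write-Host "$domain is already federated; skipping"
        continue
    }

    # Entra ID requires a unique IssuerUri per federated domain. The "<issuer>/<domain>"
    # pattern here is an assumption: it must match what your ADFS claim rules actually emit.
    $issuerUri = "$($ref.IssuerUri.TrimEnd('/'))/$domain"

    $params = @{
        DomainId                        = $domain
        DisplayName                     = $ref.DisplayName
        IssuerUri                       = $issuerUri
        PassiveSignInUri                = $ref.PassiveSignInUri
        ActiveSignInUri                 = $ref.ActiveSignInUri
        SignOutUri                      = $ref.SignOutUri
        MetadataExchangeUri             = $ref.MetadataExchangeUri
        SigningCertificate              = $ref.SigningCertificate
        PreferredAuthenticationProtocol = $ref.PreferredAuthenticationProtocol
        FederatedIdpMfaBehavior         = $ref.FederatedIdpMfaBehavior
    }

    # Federate the domain with the copied settings and report what was stamped.
    $result = New-MgDomainFederationConfiguration @params
    Write-Host "$domain federated with IssuerUri $($result.IssuerUri)"
}
```

Test sign-in for one user in each newly federated domain before moving on, and keep the managed-authentication rollback (Update-MgDomain) handy while the ADFS trust is still being validated.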
