Defederating With ADFS or a Third-Party SSO
Article: KB0010419 Published: 05/27/2025 Last modified: 05/27/2025

The domain being associated with Office 365 must be managed by Office 365 before single sign-on and provisioning can be enabled for your users. Such management requires that the domain not be federated by Active Directory Federation Services (ADFS) or by another IdP service. If your domain is already federated, you must disable federation before you can enable single sign-on for Office 365. Defederation is required for single sign-on, but not for enabling user provisioning into Office 365.

Prerequisites

  • Windows PowerShell
  • Global Admin credentials for an account that is not within the federated domain

  1. Start a Windows PowerShell session.
  2. If you have not already, install the Microsoft Graph PowerShell Module:

    Install-Module Microsoft.Graph

  3. Connect to Microsoft Graph with the required scopes:

    Connect-MgGraph -Scopes "Domain.ReadWrite.All", "Directory.AccessAsUser.All", "Organization.ReadWrite.All", "Directory.ReadWrite.All"

  4. Check the current Domain Authentication type, using the domain you wish to update where indicated:

    Get-MgDomain -DomainId your-domain.com | Select-Object Id, AuthenticationType

    The AuthenticationType should return Federated.

  5. Update the domain to Managed:

    Update-MgDomain -DomainId your-domain.com -AuthenticationType Managed

  6. Disconnect from Microsoft Graph:

    Disconnect-MgGraph
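
The steps above combined into one guarded script, as an added example that is not part of the original article. It goes beyond the listed steps in three places, all of them additions here: a Get-MgContext check that the signed-in admin is outside the domain being changed, an export of the current federation settings with Get-MgDomainFederationConfiguration, and a read-back of the result. The output file name is an assumption.

```powershell
# Added example: guarded run of the defederation steps. Pass the domain you wish to update.
param(
    [Parameter(Mandatory)] [string] $DomainId   # e.g. your-domain.com
)
$ErrorActionPreference = 'Stop'

Connect-MgGraph -Scopes "Domain.ReadWrite.All", "Directory.AccessAsUser.All", "Organization.ReadWrite.All", "Directory.ReadWrite.All"

try {
    # Prerequisite: the admin account must not be within the federated domain,
    # otherwise its own sign-in depends on the setting being changed.
    $account = (Get-MgContext).Account
    if ($account -like "*@$DomainId") {
        throw "Signed in as $account, which is within $DomainId. Use an admin account from another domain."
    }

    # Only proceed when the domain is actually Federated.
    $domain = Get-MgDomain -DomainId $DomainId
    if ($domain.AuthenticationType -ne 'Federated') {
        Write-Host "$DomainId is already $($domain.AuthenticationType); nothing to change."
        return
    }

    # Record the existing federation settings before they are replaced
    # (file name is an assumption made for this example).
    $backup = "federation-$DomainId-$(Get-Date -Format yyyyMMddHHmmss).json"
    Get-MgDomainFederationConfiguration -DomainId $DomainId |
        ConvertTo-Json -Depth 5 |
        Set-Content -Path $backup

    Update-MgDomain -DomainId $DomainId -AuthenticationType Managed

    # Read the value back instead of assuming the update took effect.
    $after = (Get-MgDomain -DomainId $DomainId).AuthenticationType
    if ($after -ne 'Managed') {
        throw "$DomainId still reports AuthenticationType '$after'."
    }
    Write-Host "$DomainId is now Managed. Previous federation settings saved to $backup."
}
finally {
    # Always end the Graph session, including on failure.
    Disconnect-MgGraph | Out-Null
}
```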

