The domain being associated with Office 365 must be managed by Office 365 before single sign-on and provisioning can be enabled for your users. Such management requires that the domain not be federated by Active Directory Federation Services (ADFS) or by another IdP service. If your domain is already federated, you must disable federation before you can enable single sign-on for Office 365. Defederation is required for single sign-on, but not for enabling user provisioning into Office 365.
Disabling federation for a domain requires that you run a series of cmdlets in Windows PowerShell. For more information about PowerShell, see http://technet.microsoft.com/en-us/library/ff950685.aspx.
If the domain is federated with ADFS:
- Start a Windows PowerShell session.
- Import the MSOnline module:
Import-Module MSOnline
-
Connect to the online service:
Connect-MsolService
Enter the Global Administrator credentials for an account that is not within the federated domain.
- Verify which domain is currently set to Federated:
Get-MsolDomain
- Set your credentials to connect to Office 365 and the ADFS server:
Set-MsolADFSContext -Computer your_ADFS_server_computer_name
- Convert the federated domain to a standard domain:
Convert-MsolDomainToStandard -DomainName yourdomain.com -SkipUserConversion:$true -PasswordFile C:\userpasswords.txt
The path for the password file can be any valid path.
- Set the domain's authentication to be managed by Office 365:
Set-MsolDomainAuthentication -Authentication Managed -DomainName yourdomain.com
If the domain is federated with another IdP:
- Start a Windows PowerShell session.
- Import the MSOnline module:
Import-Module MSOnline
-
Connect to the online service:
Connect-MsolService
Enter the Global Administrator credentials for an account that is not within the federated domain
- Verify which domain is currently set to Federated:
Get-MsolDomain
- Set the domain's authentication to be managed by Office 365:
Set-MsolDomainAuthentication -Authentication Managed -DomainName yourdomain.com
|