Published: March 22, 2013
Updated: July 30, 2015
Applies To: Azure, Office 365, Windows Intune
The Convert-MsolDomainToStandard cmdlet converts the specified domain from single sign-on (also known as identity federation) to standard authentication. This process also removes the relying party trust settings in the AD FS server and online service. After the conversion, this cmdlet will convert all existing users from single sign-on to standard authentication. Any existing user who was configured for single sign-on and does not have a password set by using password hash sync will be given a new temporary password as part of the conversion process. Each converted user name and new temporary password will be recorded in a file for reference by the administrator. The administrator can then distribute the new temporary password to each converted user to enable the user to sign in to the online service.
Convert-MsolDomainToStandard -DomainName <string> -PasswordFile <string> -SkipUserConversion <Boolean> [-Confirm] [-WhatIf] [<CommonParameters>]
-DomainName <string>
    The domain name to convert from single sign-on (also known as identity federation) to standard authentication.

    Required?                    true
    Position?                    named
    Default value
    Accept pipeline input?       false
    Accept wildcard characters?  false

-PasswordFile <string>
    The file where converted users' user names and temporary passwords will be recorded.

    Required?                    true
    Position?                    named
    Default value
    Accept pipeline input?       false
    Accept wildcard characters?  false

-SkipUserConversion <Boolean>
    If set to True, users will not be converted as part of the operation. Administrators can run the cmdlet again to convert users at a later date. The password file is still required but will be empty if set to True.

    Required?                    true
    Position?                    named
    Default value
    Accept pipeline input?       false
    Accept wildcard characters?  false

-Confirm [<SwitchParameter>]
    Prompts you for confirmation before executing the command.

    Required?                    false
    Position?                    named
    Default value
    Accept pipeline input?       false
    Accept wildcard characters?  false

-WhatIf [<SwitchParameter>]
    Describes what would happen if you executed the command without actually executing the command.

    Required?                    false
    Position?                    named
    Default value
    Accept pipeline input?       false
    Accept wildcard characters?  false

<CommonParameters>
    This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type, "get-help about_commonparameters".
You will require a connection to both the AD FS server and the Microsoft Online Services domain before the command can be run successfully.

The following command removes the relying party trust information from the Microsoft Federation Gateway and the on-premises AD FS. In the command, contoso.com is the Microsoft Online Services domain name. The -PasswordFile parameter indicates the path of the text file that contains the newly created temporary password of each formerly federated user's account. The password file is created automatically and the passwords are set randomly. Open the c:\userpasswords.txt file to see the passwords that were created for each user.
Convert-MSOLDomainToStandard -DomainName contoso.com -SkipUserConversion $false -PasswordFile c:\userpasswords.txt
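Because the password file lists every converted user name next to its temporary password, the following added example (not part of the original documentation) writes it to a directory readable only by SYSTEM and the local Administrators group, and previews the conversion with -WhatIf first. The directory C:\SsoConversion and the AD FS server name adfs01.contoso.com are assumptions made for illustration.

```powershell
# Added example: paths and host names below are assumptions, not values from the page.
$dir          = 'C:\SsoConversion'                  # hypothetical working directory
$passwordFile = Join-Path $dir 'userpasswords.txt'
$adfsServer   = 'adfs01.contoso.com'                # hypothetical AD FS server name

# 1. Create the directory, disable ACL inheritance and discard inherited entries,
#    then grant access only to SYSTEM and BUILTIN\Administrators.
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$acl = Get-Acl -Path $dir
$acl.SetAccessRuleProtection($true, $false)
foreach ($sid in 'S-1-5-18', 'S-1-5-32-544') {      # SYSTEM, BUILTIN\Administrators
    $identity = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $sid
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $identity, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $dir -AclObject $acl

# 2. Establish both connections the cmdlet requires:
#    the online service and the AD FS server.
Connect-MsolService
Set-MsolADFSContext -Computer $adfsServer

# 3. Preview the operation, then run the conversion for real.
Convert-MsolDomainToStandard -DomainName contoso.com -SkipUserConversion $false `
    -PasswordFile $passwordFile -WhatIf
Convert-MsolDomainToStandard -DomainName contoso.com -SkipUserConversion $false `
    -PasswordFile $passwordFile

# 4. Check who can read the password file before distributing its contents.
#    Entries should be inherited from the locked-down directory only.
(Get-Acl -Path $passwordFile).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```

The file holds each converted user's temporary password in readable text, so remove it once the passwords have been distributed.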