Saturday, April 23, 2016

Password Sync as a Temporary Fall-Back from Federated authentication in Office 365

Authentication is a fundamental part of Office 365. A hybrid Office 365 and AD FS deployment with high availability (especially with geo-redundancy) requires significant deployment effort and resources. In most cases this is not a problem for large Office 365 customers, which have several data-centers and the resources to deploy an AD FS farm in Azure IaaS.

Scenario:
In a single-site deployment of a small or medium-sized Office 365 customer, the AD FS farm is a single critical dependency for authentication.
There are many reasons why the AD FS farm can become unreachable from Office 365:
- on-premises data-center Internet connection is down
- internal server maintenance that had impact on ADFS servers
- internal network maintenance that had impact on ADFS servers
- expired digital certificate
- etc...

If federated authentication fails for services such as Exchange Online and Skype for Business Online (which may have PSTN Calling enabled with E5), users cannot sign in, and the business cannot operate either.

Solution:
In such AD FS downtime scenarios, one option for recovering authentication is to switch temporarily from federated authentication to synchronized password authentication. "Password synchronization" must be implemented with AAD Connect before the AD FS outage occurs; enabling it has no impact on existing federated authentication.

Temporarily "switching" from federated authentication to synchronized password authentication is not an automatic option and requires manual configuration. Federated authentication can be changed to synchronized password authentication on a per-domain basis in the event of an outage of the AD FS infrastructure.
  • Run the Windows Azure Active Directory Module for Windows PowerShell as an Administrator 
  • Run the following commands from the primary AD FS server:
# Sign in to Azure AD (the Connect-MsolService parameter is -Credential with a plain hyphen)
$Cred = Get-Credential
Connect-MsolService -Credential $Cred

# Convert the domain from federated to managed (synchronized password) authentication.
# -SkipUserConversion $true keeps users on their synchronized passwords instead of
# generating new temporary passwords; the -PasswordFile path is still required by the cmdlet.
Convert-MsolDomainToStandard -DomainName <federated domain name> -SkipUserConversion $true -PasswordFile C:\Temp\passwordfile.txt

# Once the outage is over, use the following command to convert the domain back to federated:
Convert-MsolDomainToFederated -DomainName <federated domain name> -SupportMultipleDomains

It is recommended that you do not change UserPrincipalNames or ImmutableIds after converting your domain to the managed state for users that have been switched to use synchronized passwords.

It is worth noting that switching between federated authentication and synchronized password authentication for sign-in to Office 365 is not instant and will likely interrupt service access. This may not be a factor in the initial activation (as it is likely an outage scenario), but it is something to bear in mind when cutting services back to federated authentication.
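The following is an added example, not part of the original post, that wraps the conversion commands above and the two caveats (password sync must already be in place, and the switch is not instant) in a small guarded runbook. It assumes the MSOnline module is installed and an existing Connect-MsolService session; the function names, the dry-run switch and the polling timeout are my own choices, and 'contoso.example' is a placeholder domain.

```powershell
# Added example (not the original post's code): a guarded fall-back / cut-back runbook
# around Convert-MsolDomainToStandard and Convert-MsolDomainToFederated.
# Assumes: MSOnline module installed, Connect-MsolService already run in this session.
# Function names (Test-FallbackPrerequisites, Wait-DomainAuthentication,
# Switch-DomainToSyncedPassword, Switch-DomainBackToFederated) are hypothetical.

Import-Module MSOnline

function Test-FallbackPrerequisites {
    param([Parameter(Mandatory)][string]$DomainName)

    $company = Get-MsolCompanyInformation
    $domain  = Get-MsolDomain -DomainName $DomainName

    # Password hash sync must already be running; otherwise a managed domain
    # has no credentials in Azure AD to validate sign-ins against.
    if (-not $company.PasswordSynchronizationEnabled) {
        throw "Password synchronization is not enabled for this tenant; fall-back is not possible."
    }
    if ($domain.Authentication -ne 'Federated') {
        throw "Domain $DomainName is already '$($domain.Authentication)'; nothing to convert."
    }
    return $true
}

function Wait-DomainAuthentication {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        [Parameter(Mandatory)][ValidateSet('Managed', 'Federated')][string]$Expected,
        [int]$TimeoutMinutes = 30
    )
    # The switch is not instant: poll the tenant until it reports the expected state.
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $state = (Get-MsolDomain -DomainName $DomainName).Authentication
        if ($state -eq $Expected) { return $state }
        Start-Sleep -Seconds 60
    } while ((Get-Date) -lt $deadline)
    throw "Domain $DomainName still reports '$state' after $TimeoutMinutes minutes."
}

function Switch-DomainToSyncedPassword {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        [string]$PasswordFile = 'C:\Temp\passwordfile.txt',
        [switch]$DryRun
    )
    Test-FallbackPrerequisites -DomainName $DomainName | Out-Null

    # Keep a record of the domain object before the change for the later cut-back.
    Get-MsolDomain -DomainName $DomainName | Export-Clixml -Path "$PasswordFile.domain-before.xml"

    if ($DryRun) {
        Write-Host "[dry run] would run Convert-MsolDomainToStandard on $DomainName"
        return
    }
    # -SkipUserConversion $true keeps the synchronized passwords; without it users
    # would be issued new temporary passwords written to -PasswordFile.
    Convert-MsolDomainToStandard -DomainName $DomainName -SkipUserConversion $true -PasswordFile $PasswordFile
    Wait-DomainAuthentication -DomainName $DomainName -Expected 'Managed'
}

function Switch-DomainBackToFederated {
    param([Parameter(Mandatory)][string]$DomainName)
    # Run this on the primary AD FS server once the outage is over, as the post describes.
    Convert-MsolDomainToFederated -DomainName $DomainName -SupportMultipleDomains
    Wait-DomainAuthentication -DomainName $DomainName -Expected 'Federated'
}

# Usage (interactive session, placeholder domain):
# Connect-MsolService -Credential (Get-Credential)
# Switch-DomainToSyncedPassword -DomainName 'contoso.example' -DryRun
# Switch-DomainToSyncedPassword -DomainName 'contoso.example'
# ... after the AD FS farm is healthy again ...
# Switch-DomainBackToFederated -DomainName 'contoso.example'
```

The prerequisite check fails fast if password synchronization was never enabled, which is the case the post warns about: the conversion itself would succeed, but nobody could sign in afterwards. The polling loop makes the "not instant" caveat explicit, so the cut-back is not declared done before the tenant actually reports the new authentication type.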