Enabling Office 365 Federated SSO while preventing catastrophe

Whenever you want to enable federated SSO with Office 365 for your on-premises domain users, there is a long list of prerequisites. However, once you've checked everything and you're ready to run the "Convert-MSOLDomain" cmdlet, take a minute to do a final check. The implication of federated SSO is that ALL your users with a User Principal Name (UPN) of the federated-to-be domain will authenticate against your own AD FS farm in order to get (federated) single sign-on. Let me explain:

Imagine a UPN suffix of office365man.com. To successfully enable federated SSO on this domain, all applicable users are required to have a UPN suffix of @office365man.com and to be in sync with their online user equivalent in Azure AD. Once the Office 365 domain is converted to federated, a user logs in to the Office 365 (or Azure) portal, and as soon as the portal notices a federated domain it will redirect ALL authentication requests to your on-premises AD FS farm. So, all is good IF:
  • All users have the office365man.com UPN suffix;
  • All users are in-sync with their Azure AD equivalent.

Active Directory OUs are usually separated based on department. If you've forgotten to include such an OU in the sync scope, the end result is that those users will not be represented in Azure AD as a 'synced from AD' user. As a result, these users will not be able to authenticate to (and obviously work in) your tenant in any way!

Please note: The PowerShell cmdlet 'Convert-MSOLDomain' used to be effective instantly, but lately this takes up to 30-40 minutes.
When not all users are present as in-sync users in Azure AD, those users will be unable to log in and unable to use any of the tenant services. You want to prevent this at all costs! So how can we make sure of this? The answer: run a PowerShell one-liner that enumerates all users with the federated-domain-to-be suffix that aren't in sync with Azure AD. It sounds harder than it actually is:
Get-MsolUser -All | Where-Object { $null -eq $_.LastDirSyncTime -and $_.UserPrincipalName -like "*<FederatedDomainToBe>*" }

This cmdlet will give you a list of users where LastDirSyncTime is null (meaning: the user has never been synced) and the UPN carries the suffix that is to be converted to a federated domain in Office 365. These users are not in sync (meaning: they were created as in-cloud users and don't have a match on-premises because of the AD Connect sync selection).

Use this list to prevent any impending catastrophe.

A final piece of advice:

  1. You should never ever create global administrators with a federated SSO UPN (in case of Hybrid ID platform malfunction you won’t be able to access your tenant);
  2. You cannot federate the default domain: <tenantName>.onmicrosoft.com so having that UPN suffix for users is always safe;
  3. Advice #2 may result in less than ideal UPN suffixes (and long usernames in general); you may want to buy an additional domain name (such as office365admin.com) to use for administrative, user-friendly user names.
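Putting the one-liner above and advice #1 together, here is an added pre-flight check (example code, not from the original post). It assumes the MSOnline module is loaded and Connect-MsolService has already been run; the domain name office365man.com is the post's example, and the function name Test-FederationReadiness is made up for this example. It matches the exact "@suffix" rather than a wildcard substring, and also lists global administrators whose UPN carries the suffix about to be federated.

```powershell
# Added example (not from the original post): pre-flight check before converting a domain.
# Assumes the MSOnline module is installed and Connect-MsolService has already been run.
function Test-FederationReadiness {
    param(
        [Parameter(Mandatory)] [string] $DomainName
    )

    $suffix = "@$DomainName"
    # -All is required; without it Get-MsolUser returns at most 500 users.
    $users = Get-MsolUser -All | Where-Object { $_.UserPrincipalName -like "*$suffix" }

    # Cloud-only users: never written by AD Connect, so LastDirSyncTime is empty.
    # These are the accounts that will be locked out once the domain is federated.
    $cloudOnly = $users | Where-Object { $null -eq $_.LastDirSyncTime }

    # Global administrators with the soon-to-be-federated suffix (advice #1 in the post).
    # 'Company Administrator' is the MSOnline role name for Global Administrator.
    $gaRole  = Get-MsolRole -RoleName 'Company Administrator'
    $gaUsers = Get-MsolRoleMember -RoleObjectId $gaRole.ObjectId |
        Where-Object { $_.RoleMemberType -eq 'User' -and $_.EmailAddress -like "*$suffix" }

    [pscustomobject]@{
        Domain             = $DomainName
        CurrentAuthType    = (Get-MsolDomain -DomainName $DomainName).Authentication
        TotalUsers         = @($users).Count
        CloudOnlyUsers     = @($cloudOnly | Select-Object -ExpandProperty UserPrincipalName)
        FederatedSuffixGAs = @($gaUsers | Select-Object -ExpandProperty EmailAddress)
        SafeToConvert      = (@($cloudOnly).Count -eq 0 -and @($gaUsers).Count -eq 0)
    }
}

# Usage: the post's example domain; replace with the domain you are about to federate.
$report = Test-FederationReadiness -DomainName 'office365man.com'
$report | Format-List
if (-not $report.SafeToConvert) {
    Write-Warning 'Fix the listed accounts before converting the domain to federated.'
}
```

Only convert when SafeToConvert is True: every UPN listed under CloudOnlyUsers would otherwise be unable to sign in, and every account under FederatedSuffixGAs would leave you without a working admin if AD FS is down.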