Turn Off or Disable Active Directory Federation Services in Office 365

Author by Michael Epping

There are two primary reasons to turn off AD FS in Office 365.  The first is because you want to use a new AD FS farm, possibly because your standalone AD FS server is not sufficient anymore.  You cannot transfer SSO responsibilities between two different farms in Office 365; first you have to turn SSO completely off and then activate it again on the new AD FS farm.  The second option would be that you used AD FS as part of a trial, but have decided against using it permanently.  In this case you want to remove it entirely.

If SSO isn't turned on then this will say Set up instead of Manage

Are you still using 32 bit?

The 32 bit and 64 bit tools work identically.
  • Once it is installed open the module by double clicking on the desktop icon or opening it from the Start Menu/Screen.
  • Run these commands:
    • $cred = Get-Credential
    • Enter your Office 365 administrator credentials
    • Connect-MsolService –Credential $cred
    • Set-MsolAdfscontext –Computer adfscomputerfqdn.contoso.com (you can skip this step if you are running these commands from the ADFS server itself)
  • The next step is important.  If you are permanently getting rid of AD FS you will need to generate a password file since it will contain all of your users' credentials.  If that is the case run this command next:
    • Convert-MsolDomainToStandard –DomainName –PasswordFile C:pathpasswords.txt
  • If you are migrating to a new AD FS farm then you will be reactivating federation soon and don't need the passwords since AD will provide those to the new farm.  If you are simply migrating AD FS and don't need the passwords then run this command instead:
    • Convert-MsolDomainToStandard -DomainName contoso.com -SkipUserConversion

If you are migrating between two AD FS farms then I would recommend waiting to install the second farm until you have turned federation off on the original farm.  That is because there are some AD cleanup steps that should be performed after removing AD FS from an environment.  Once these cleanup steps have been performed you can feel free to install the new AD FS farm.  The steps for cleaning up AD can be found here: http://support.microsoft.com/kb/982813.

Author

Michael Epping

Systems Engineer