We have Single Sign-on working for a test application in Azure, using Azure Active Directory and the on-premise server running DirSync to synchronise the user details.

I have added a Custom Domain and verified it, by adding TXT records to the DNS entries at my registrar's website. In order to do this, I followed advice (from stackoverflow questions) that I needed to untick the option that said "I plan to configure this domain for single sign-on with my local Active Directory", in order to gain access to the additional information that allows me to prove ownership of the domain.

As a result, the domain has been verified and Azure recognises this, allowing me to see the domain as being 'verified', but the Single Sign-On value for this custom domain is set to 'Not Planned'.

The problem is now, I want to be able to re-tick that check box, and enable this domain to be used with the single sign-on, as I don't want to have to tell my users to use their log-in email addresses as 'username@something.onmicrosoft.com' as they'll never get it and will pester me to change it.

So, my question is: Is there a way to re-tick this box, and change the status of this field away from that of 'Not Planned', and (hopefully) to allow my users to sign in using their [email protected] instead?

I have tried to remove the domain and re-add it, but Azure stops me from deleting it, as it's probably already well utilised in the rest of the processes. Also, I have no ability (or at least that's how it seems!) to go back into this custom domain within Azure and modify it.

UPDATE: I have tried to Deactivate the Directory Integration directory sync - this allows me to adjust the synced users' email addresses, but they're reverted back to .onmicrosoft.com once the sync is Activated again.

UPDATE 2: I have tried to install PowerShell to remotely administer the custom domain to becoming active, but I just cannot connect, despite several hours of trying.

Just to be clear, you want users to authenticate with your on-premises AD (via on-premises AD FS), right? (Philippe Signoret)

What I was thinking was, online users would authenticate against the Azure AD, which is synced from the on-premise server using DirSync. And then the on-site users would authenticate automatically using the on-premise AD server, but without needing to actually sign into the website like the external users do, as they'd be authenticated during log-on... Am I on the right track with that?! (Brett Rigby)

1 Answer

If you added (and verified) a domain without ticking the checkbox, your domain is considered "standard", or "managed". You can convert this domain to a "federated" domain with the Convert-MsolDomainToFederated cmdlet from the Azure Active Directory PowerShell module:

Convert-MsolDomainToFederated -DomainName "contoso.com"

Tip for next time: After you add the domain with the single sign-on tick, you can run the following to get the DNS records to verify the domain:

Get-MsolDomainVerificationDns -DomainName "contoso.com"
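The following script is an added example, not code from the answer above: it shows the conversion in context, with a check of the domain's current status before and after so you can confirm it actually flipped from "Managed" to "Federated". It assumes the Azure Active Directory (MSOnline) PowerShell module is installed, uses "contoso.com" from the answer as the custom domain, and uses "adfs01.contoso.local" as a placeholder name for the on-premises AD FS server, since Convert-MsolDomainToFederated has to run on the AD FS server or on a machine that has been pointed at it with Set-MsolADFSContext.

```powershell
# Added example, not the answer's own script. Assumed names:
#   "contoso.com"          - the verified custom domain (taken from the answer)
#   "adfs01.contoso.local" - placeholder for the on-premises AD FS server
Import-Module MSOnline
Connect-MsolService   # prompts for Azure AD global administrator credentials

$domainName = "contoso.com"

# The conversion writes federation settings into AD FS as well as Azure AD,
# so the module must be run on the AD FS server or pointed at it first.
Set-MsolADFSContext -Computer "adfs01.contoso.local"

$domain = Get-MsolDomain -DomainName $domainName
if ($domain.Status -ne "Verified") {
    throw "Domain $domainName is not verified yet; add the DNS records from Get-MsolDomainVerificationDns first."
}

if ($domain.Authentication -eq "Federated") {
    Write-Output "$domainName is already federated; nothing to do."
} else {
    Write-Output "$domainName is currently $($domain.Authentication); converting to federated."
    Convert-MsolDomainToFederated -DomainName $domainName

    # Re-read the domain and confirm the authentication type changed
    $domain = Get-MsolDomain -DomainName $domainName
    Write-Output "$domainName authentication is now: $($domain.Authentication)"
}

# Show the federation settings now recorded in Azure AD and AD FS for this domain
Get-MsolFederationProperty -DomainName $domainName
```

After the conversion, users whose UserPrincipalName suffix is the federated domain are redirected to the on-premises AD FS instance for authentication instead of signing in with their .onmicrosoft.com address. If the domain later needs to go back to password-synced logins, Convert-MsolDomainToStandard is the reverse operation.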