Switch Azure AD Connect from Password Sync to ADFS 3.0

    Question

  • Hi, we currently have a single Office 365 domain and a single on-prem AD domain.

    We are using Azure AD Connect to sync our users' passwords to Office 365.

    Azure AD Connect is currently installed on a Windows 2012 R2 DC.

    I would like to implement an ADFS service and switch the password sync to ADFS.

    After setting up the ADFS environment, can I just re-run the Azure AD Connect wizard, select the "Change User Sign-in" option and reconfigure it to the ADFS environment?

    Or do I need to reinstall Azure AD Connect?

    If I uninstall and reinstall Azure AD Connect, what will the impact be on my users while I am setting up Azure AD Connect for the ADFS environment?

    Thanks

    Tuesday, April 4, 2017 6:19 PM

All replies

  • You can use the "change user sign in" option or simply do it by running the Convert-MsolDomain cmdlet on AD FS side.
    Wednesday, April 5, 2017 9:04 AM
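The domain conversion mentioned in the reply above, as an added PowerShell example that is not from the original thread or from Microsoft; it assumes the MSOnline module, a placeholder domain contoso.example and a hypothetical federation service host sts.contoso.example, and checks the AD FS metadata endpoint before converting so a broken STS cannot lock users out.

```powershell
# Added example (not from the thread): convert a verified Office 365 domain from
# Managed (password hash sync) to Federated with AD FS, with checks before and after.
# Assumptions: MSOnline module installed, run on the AD FS server (or after
# Set-MsolAdfscontext -Computer <adfs-host>), placeholder domain contoso.example
# and hypothetical federation service host sts.contoso.example.
Import-Module MSOnline
$Domain   = 'contoso.example'            # placeholder: your verified custom domain
$StsHost  = 'sts.contoso.example'        # hypothetical AD FS federation service name
$Metadata = "https://$StsHost/FederationMetadata/2007-06/FederationMetadata.xml"

Connect-MsolService                       # prompts for a Global Administrator account

# 1. Make sure AD FS is publishing its federation metadata before touching the domain.
#    Once the domain is Federated, every sign-in depends on this endpoint being reachable.
try {
    $null = Invoke-WebRequest -Uri $Metadata -UseBasicParsing -ErrorAction Stop
} catch {
    throw "Federation metadata not reachable at $Metadata - aborting conversion."
}

# 2. Record the current state; Authentication is 'Managed' while password hash sync is used.
$before = Get-MsolDomain -DomainName $Domain
Write-Host "Before: $($before.Name) Authentication=$($before.Authentication)"
if ($before.Authentication -eq 'Federated') {
    Write-Host 'Domain is already federated; nothing to do.'
    return
}

# 3. Convert. The cmdlet writes the federation settings to Azure AD and creates the
#    Office 365 relying party trust on the local AD FS farm.
Convert-MsolDomainToFederated -DomainName $Domain

# 4. Verify the tenant now reports Federated and that the settings match what AD FS advertises.
$after = Get-MsolDomain -DomainName $Domain
Write-Host "After:  $($after.Name) Authentication=$($after.Authentication)"
Get-MsolFederationProperty -DomainName $Domain | Format-List Source, IssuerUri, PassiveLogOnUri
```

Leaving password hash sync enabled in Azure AD Connect after the switch keeps a sign-in fallback if the AD FS farm is unavailable; Convert-MsolDomainToStandard reverses the conversion if needed.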
  • Thank you for the quick response. I have 2 more quick questions.

    Currently, Azure AD Connect is installed on a Domain Controller. I would like to move it off there and install it on the ADFS server.

    If I uninstall Azure AD Connect, will it cause any issues with the password sync process?

    Or

    Can I install another instance of Azure AD Connect on the ADFS server, configure it and then uninstall the installation on the DC?

    Thanks

    Wednesday, April 5, 2017 11:49 AM
  • The only issue is that new user accounts/passwords and changes to existing ones will not be synced until you have the new instance up and running. You can use the "staging" option: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-operations
    Thursday, April 6, 2017 12:26 AM
  • I also want to remove Azure AD Connect from my Domain Controller and install it on the same server as the ADFS server.

    Can I just uninstall from the DC and re-run the install on the new server? I'm guessing the same issue will still be that:

    "The only issue is that new user accounts/password and changes to existing ones will not be synced until you have the new instance up and running. You can use the "staging" option:"

    Thanks

    Dave

    Monday, April 10, 2017 5:34 PM
  • Yes, you can. If you have made any changes to the configuration, use the export options. Or you can just use the steps in the above article to install the second server in staging mode on the AD FS server, remove AADConnect from the DC and switch the AD FS one to "normal" mode.
    Monday, April 10, 2017 7:08 PM