Attempting to Convert Office 365 Domain to Federated May Result In: Microsoft.Online.Administration.Automation.IdentityInternalServiceException


Problem

When an Office 365 administrator attempts to convert a "Managed" Office 365 domain (user credentials stored in the cloud) to a Federated domain (authentication performed against, and credentials stored in, an on-premises Active Directory), the conversion may fail with the following error:

Convert-MSOLDomainToFederated : Microsoft.Online.Administration.Automation.IdentityInternalServiceException
At line:1 char:30
+ Convert-MSOLDomainToFederated <<<<
    + CategoryInfo          : NotSpecified: (:) [Convert-MSOLDomainToFederated], FederationException
    + FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.IdentityInternalServiceException,Microsoft.Online.Identity.Federation.PowerShell.ConvertDomainToFederated


Possible Reason

Administrators may have modified the tenant's password expiration policy, which defines how long a cloud user's password remains valid before a change is forced. The maximum value for this setting is 720 days; if it has been set higher than 720, the domain conversion fails with this error.

Resolution

  1. Change the online tenant's password expiration policy to a value below 720 days, using the following PowerShell commands:
    1. Install and connect to Office 365 via Windows PowerShell for Online Services: http://technet.microsoft.com/en-us/library/jj151814.aspx
      1. Log in using an online tenant Global Administrator account.
  2. Run the following PowerShell command:
    1. Set-MsolPasswordPolicy -ValidityPeriod 90 -NotificationDays 14 -DomainName contoso.com
      1. Note – This command updates the policy on the domain contoso.com so that users' passwords expire after 90 days and users are notified 14 days before expiration.
  3. Once the policy has been updated, wait ~20 minutes, then convert the Managed domain to Federated:
    1. Convert-MsolDomainToFederated -DomainName contoso.com -SupportMultipleDomain
      1. Note – Only use -SupportMultipleDomain if you need to federate separate UPN namespaces, such as contoso.com and fabrikam.com. In that case, run the command once per domain, passing -SupportMultipleDomain each time.
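The steps above, collected into one script as an added example (not code from the original post). It uses the same MSOnline cmdlets the post uses, reads the current policy before touching it so a domain that is already within the limit is left alone, re-reads the policy after the change instead of trusting the call, and only then attempts the conversion. The 720-day ceiling, the 90/14-day replacement values and the 20-minute wait are taken from the post; the domain name is a placeholder, and the script assumes the MSOnline module is installed and that it is run where Convert-MsolDomainToFederated can reach your AD FS farm.

```powershell
# Added example: cap the tenant password policy, then federate the domain.
# Assumes the MSOnline module is installed; $DomainName is a placeholder.
param(
    [Parameter(Mandatory = $true)][string]$DomainName,   # e.g. contoso.com
    [int]$MaxValidityDays  = 720,   # ceiling for ValidityPeriod reported by the post
    [int]$ValidityPeriod   = 90,    # replacement value from the post
    [int]$NotificationDays = 14,    # replacement value from the post
    [switch]$SupportMultipleDomain  # only when federating more than one UPN suffix
)

Import-Module MSOnline -ErrorAction Stop
Connect-MsolService   # prompts for a Global Administrator credential

# Do not convert a domain that is already federated; the cmdlet would just fail.
$domain = Get-MsolDomain -DomainName $DomainName -ErrorAction Stop
if ($domain.Authentication -eq 'Federated') {
    Write-Host "$DomainName is already federated; nothing to do."
    return
}

$policy = Get-MsolPasswordPolicy -DomainName $DomainName
Write-Host ("Current policy for {0}: ValidityPeriod={1} NotificationDays={2}" -f `
    $DomainName, $policy.ValidityPeriod, $policy.NotificationDays)

if ($policy.ValidityPeriod -gt $MaxValidityDays) {
    Write-Warning ("ValidityPeriod {0} exceeds {1}; lowering to {2} days." -f `
        $policy.ValidityPeriod, $MaxValidityDays, $ValidityPeriod)
    Set-MsolPasswordPolicy -DomainName $DomainName `
        -ValidityPeriod $ValidityPeriod -NotificationDays $NotificationDays

    # Verify the change landed rather than assuming the write succeeded.
    $policy = Get-MsolPasswordPolicy -DomainName $DomainName
    if ($policy.ValidityPeriod -gt $MaxValidityDays) {
        throw "Password policy update did not apply; ValidityPeriod is still $($policy.ValidityPeriod)."
    }
    Write-Host "Policy updated; waiting 20 minutes for it to propagate before converting."
    Start-Sleep -Seconds (20 * 60)
}

# Build the argument set so -SupportMultipleDomain is only passed when asked for.
$convertArgs = @{ DomainName = $DomainName }
if ($SupportMultipleDomain) { $convertArgs['SupportMultipleDomain'] = $true }

try {
    Convert-MsolDomainToFederated @convertArgs
    Write-Host "$DomainName converted to Federated."
}
catch {
    # Surface the exception type so an IdentityInternalServiceException from the
    # policy problem is not mistaken for a trust or connectivity failure.
    Write-Error ("Convert-MsolDomainToFederated failed: {0}: {1}" -f `
        $_.Exception.GetType().FullName, $_.Exception.Message)
    throw
}
```

Run it once per domain you need to federate; for a second UPN suffix such as fabrikam.com, pass -SupportMultipleDomain on every run, as the post notes.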


SUCCESS!!!!
