Solve account issues trying to federate with Azure AD
Federate to Azure AD using the right account.
April 9, 2016
Q. I'm receiving an error when converting an Azure AD domain to federated authentication, related to the account being a member of that domain. What can I do?
A. I had an Azure AD tenant whose custom domain I wanted to switch from standard (managed) authentication to federated authentication. When I ran the conversion from the Azure AD PowerShell (MSOnline) module, I received the error below:
PS C:\Users\john.SAVILLTECH> Convert-MsolDomainToFederated -DomainName 'savilltech.net'
Convert-MsolDomainToFederated : You cannot convert the specified domain to use identity federation because the account you are currently signed in with is a member of the domain savilltech.net. Please sign in to the service using an account that is a member of the company administrators role and is not part of the domain savilltech.net, and then try again.
At line:1 char:1
+ Convert-MsolDomainToFederated -DomainName 'savilltech.net'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Convert-MsolDomainToFederated], FederationException
    + FullyQualifiedErrorId : CannotConvertDomainToFederatedAsADomainUser,Microsoft.Online.Identity.Federation.Powershell.ConvertDomainToFederated
The problem was that the account I was signed in with held the global admin role, but its UPN was in the very custom domain I was converting, savilltech.net. The cmdlet refuses this combination (the FullyQualifiedErrorId says it plainly: CannotConvertDomainToFederatedAsADomainUser) because, once the domain is federated, every account in it, including the one performing the conversion, would authenticate through the federation server rather than directly against Azure AD. The solution is to sign in with an account that is in the tenant but carries the initial onmicrosoft.com domain, e.g. admin@savilltech.onmicrosoft.com; that domain can never be federated. This account must also be a global admin, and the conversion then succeeds. Keep that cloud-only global admin afterwards: it is the account that can still sign in if the federation trust or the AD FS farm is broken, so protect it with a strong password and multi-factor authentication, and do not use it for day-to-day work.
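The following pre-flight check is an added example, not code from the original column. It runs the three checks the error message implies before calling Convert-MsolDomainToFederated: the signed-in account is not in the domain being converted, the domain exists, is verified and is still managed, and the account holds the Company Administrator (global admin) role. It assumes the MSOnline module is installed, that Connect-MsolService has already been run as the account passed in -AdminUpn, and that you are running it where the cmdlet itself can reach the AD FS configuration (on the AD FS server, or after Set-MsolADFSContext). The function name, parameter names and the sample UPN and domain are placeholders of mine.

```powershell
# Added example (not from the original column). Assumes the MSOnline module and an
# existing Connect-MsolService session for the account named in -AdminUpn.
# Test-FederationConversionPrereqs and its parameters are my own names.
function Test-FederationConversionPrereqs {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $AdminUpn,    # UPN used for Connect-MsolService
        [Parameter(Mandatory)] [string] $DomainName   # custom domain to federate
    )

    $problems = New-Object System.Collections.Generic.List[string]

    # 1. The signed-in account must not live in the domain being converted. This is
    #    the condition behind CannotConvertDomainToFederatedAsADomainUser.
    $suffix = ($AdminUpn -split '@')[-1]
    if ($suffix -ieq $DomainName) {
        $problems.Add("Signed-in account '$AdminUpn' is in '$DomainName'; sign in with a *.onmicrosoft.com global admin instead.")
    }
    elseif ($suffix -notlike '*.onmicrosoft.com') {
        # Allowed, but another custom domain may itself be federated later; the
        # initial onmicrosoft.com domain never is, so it is the safer choice.
        Write-Warning "Account '$AdminUpn' is in custom domain '$suffix'; prefer a *.onmicrosoft.com account."
    }

    # 2. The domain must exist in the tenant, be verified, and still be managed.
    $domain = Get-MsolDomain -DomainName $DomainName -ErrorAction SilentlyContinue
    if (-not $domain) {
        $problems.Add("Domain '$DomainName' is not present in this tenant.")
    }
    else {
        if ($domain.Status -ne 'Verified') {
            $problems.Add("Domain '$DomainName' is not verified (status: $($domain.Status)).")
        }
        if ($domain.Authentication -eq 'Federated') {
            $problems.Add("Domain '$DomainName' is already federated.")
        }
    }

    # 3. The signed-in account must hold the Company Administrator (global admin) role.
    $role = Get-MsolRole -RoleName 'Company Administrator'
    $isGlobalAdmin = Get-MsolRoleMember -RoleObjectId $role.ObjectId -All |
        Where-Object { $_.EmailAddress -ieq $AdminUpn }
    if (-not $isGlobalAdmin) {
        $problems.Add("'$AdminUpn' is not a member of the Company Administrator role.")
    }

    [pscustomobject]@{
        DomainName = $DomainName
        AdminUpn   = $AdminUpn
        Ready      = ($problems.Count -eq 0)
        Problems   = $problems.ToArray()
    }
}

# Usage (placeholder tenant values; substitute your own).
# Connect-MsolService    # sign in as the *.onmicrosoft.com global admin, not a savilltech.net user
$check = Test-FederationConversionPrereqs -AdminUpn 'admin@savilltech.onmicrosoft.com' -DomainName 'savilltech.net'
if ($check.Ready) {
    Convert-MsolDomainToFederated -DomainName $check.DomainName
}
else {
    $check.Problems | ForEach-Object { Write-Error $_ }
}
```

Had this been run with the account from the column, the first check would have reported that admin UPN savilltech.net matches the domain being converted, which is exactly what the cmdlet's error said; the role check is there because the error message names both conditions, and a non-admin onmicrosoft.com account fails the conversion for the other reason.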
Each week, John Savill answers all of your toughest tech questions about the worlds of Windows Server, Azure, and beyond. Read his past IT advice here, and email your questions to [email protected].