Office 365 can use either SAML2P or WS-Federation to authenticate passive profiles or web-based clients. This task details changing the federation protocol configuration of your Office 365 domain from WS-Federation to SAML2P.
Change the federation protocol from WS-Federation to SAML2P in Office 365 using PowerShell.
For troubleshooting, use the following steps to restore the federation protocol settings from SAML2P back to WS-Federation:
- Restore the saved settings to a variable.
    PS C:\Users\Administrator> $wsfed = Import-Clixml dfs-pf-wsfed.xml
- Disable SSO for the domain.
    PS C:\Users\Administrator> Set-MsolDomainAuthentication -DomainName <Office 365 domain name> -Authentication Managed
- Use Set-MsolDomainAuthentication to enable WS-Federation using the $wsfed variable.
    PS C:\Users\Administrator> Set-MsolDomainAuthentication -DomainName <Office 365 domain name> -FederationBrandName $wsfed.FederationBrandName -Authentication Federated -PassiveLogOnUri $wsfed.PassiveLogOnUri -ActiveLogOnUri $wsfed.ActiveLogonUri -SigningCertificate $wsfed.SigningCertificate -IssuerUri $wsfed.IssuerUri -LogOffUri $wsfed.LogOffUri -PreferredAuthenticationProtocol "WSFED"
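
The restore steps above as one script, with checks before and after the change. This is an added example, not part of the original procedure. It assumes an existing Connect-MsolService session and that dfs-pf-wsfed.xml holds settings exported from Get-MsolDomainFederationSettings; the $Domain and $SettingsPath parameters are hypothetical names.

```powershell
# Added example: validate the saved WS-Federation settings, restore them, verify the result.
# Assumptions: Connect-MsolService was already run; $Domain and $SettingsPath are hypothetical names.
param(
    [Parameter(Mandatory)] [string] $Domain,
    [string] $SettingsPath = 'dfs-pf-wsfed.xml'
)
$ErrorActionPreference = 'Stop'

$wsfed = Import-Clixml -Path $SettingsPath

# Stop before touching the domain if any value needed to re-federate is missing.
$required = 'FederationBrandName', 'PassiveLogOnUri', 'ActiveLogOnUri',
            'SigningCertificate', 'IssuerUri', 'LogOffUri'
$missing = $required | Where-Object { [string]::IsNullOrWhiteSpace($wsfed.$_) }
if ($missing) { throw "Saved settings lack: $($missing -join ', ')" }

# The saved signing certificate is base64 DER; an expired one would break sign-on after restore.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    [Convert]::FromBase64String($wsfed.SigningCertificate))
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Saved signing certificate ($($cert.Thumbprint)) expired on $($cert.NotAfter)"
}

# Steps from the procedure: disable SSO, then re-enable federation with WS-Federation.
Set-MsolDomainAuthentication -DomainName $Domain -Authentication Managed
Set-MsolDomainAuthentication -DomainName $Domain -Authentication Federated `
    -FederationBrandName $wsfed.FederationBrandName `
    -PassiveLogOnUri $wsfed.PassiveLogOnUri -ActiveLogOnUri $wsfed.ActiveLogOnUri `
    -SigningCertificate $wsfed.SigningCertificate -IssuerUri $wsfed.IssuerUri `
    -LogOffUri $wsfed.LogOffUri -PreferredAuthenticationProtocol 'WSFED'

# Read the live configuration back and compare it with the saved values.
$domainState = Get-MsolDomain -DomainName $Domain
$live = Get-MsolDomainFederationSettings -DomainName $Domain
$drift = $required | Where-Object { $live.$_ -ne $wsfed.$_ }
if ($domainState.Authentication -ne 'Federated' -or
    $live.PreferredAuthenticationProtocol -ne 'WsFed' -or $drift) {
    throw "Restore incomplete. Mismatched settings: $($drift -join ', ')"
}
"Domain $Domain is federated with WS-Federation; issuer $($live.IssuerUri)"
```

Because both validations run before the first Set-MsolDomainAuthentication call, a damaged or outdated settings file stops the script while the domain is still in its current state.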