How To Test A Domain Has Been Successfully De/Federated

The other day, I was converting a customer’s domain hosted within Office 365 from using ADFS based authentication to using the native Azure AD based authentication. As part of the de-federation process, I wanted to check if the users have been successfully de-federated – I knew the PowerShell command for viewing if the domain had been successfully de-federated but there didn’t seem to be a documented command to make sure that the users had been de-federated.

This is where I turned to the awesome Office 365 for IT Pro’s book:

If you are using Office 365 in any fashion, you need to buy this book. It is well worth every penny in my opinion.

If you have the book, on Page 158 it has the answer (which I will copy below with a few tweaks):

  1. Firstly you need to connect to Azure AD:
  2. Once connected run the below PowerShell command:


Now I also spoke with Microsoft Office 365 support as I did encounter some issues with the de-federation and they sent me a different command to check if the users are federated. In this instance, you need to connect to the MSOL Service, but you can use the same PowerShell window:

Once connected, run the following oneliner:

Microsoft Support told me that if a user has an Immutable ID, then the user is still federated. I am still trying to confirm this, but if Microsoft Support is telling me that, then I can only assume it is true.