So we decided we wanted to try using single sign-on/federated services with Office 365. We'd already been using password sync for sometime which seemed to be working pretty well with a filtered test group.
We uninstalled Azure AD connect which was configured for just password sync. Then using a new install of Azure AD Connect we went through all the steps, including selecting our test group. Wizard completed successfully and with the test group accounts we were able to sign-in and single sign on worked. The scheduled sync task on the server was running, however the portal reported that it was not syncing. We had no idea why, so working in IT I thought switch it off and switch it on again! So disabled sync from the portal, message came up about it taking 72 hours, etc, ok.
Over the next few hours users Outlooks/phones started signing out and prompting for password, current passwords were not being accepted. Users in the sync group could still sign-in to OWA, which correctly forwarded to the FS sign-in page. However users who were not in the test group were also being forwarded to the FS page, but their details were not being accepted.
In the end we had to convert the domain back to standard authentication using powershell and completely abort the federated services test.
So now what I'm trying to understand is what went wrong? My conclusions so far,
-When Azure AD Connect converts a domain from Managed to Federated, all users on that domain have to sign-in with federated services, regardless of a filtered group.
-The filtered group is only really there for password sync
-Maybe deactivating the sync stopped users Outlooks/Phones from signing in and started the trouble?
So am I correct? Is it possible to test federated services on a live domain with only a selected test group? Would just appreciate some thoughts and advice before we make the next attempt.
So