Target
- Customers federating Microsoft 365 with HENNGE Access Control
Purpose
- To disconnect the federation between HENNGE Access Control and Microsoft 365, so that HENNGE Access Control does not intervene in the login to Microsoft 365.
- If user synchronization is being performed between HENNGE Access Control and Microsoft 365, delete the settings to prevent synchronization.
Notes
- The content of this article is based on the product specifications as of March 2025 and may change without notice thereafter.
- It takes time to disconnect the federation after executing the command.
※ The estimated time for disconnecting the federation is about 30 minutes to 1 hour.
- Please perform a password reset for Microsoft 365 after disconnecting the federation.
※ This is not necessary if you are synchronizing passwords between Active Directory and Microsoft 365 using Microsoft's synchronization tool.
- After disconnecting the federation, please log in to Microsoft 365 from https://login.microsoftonline.com/.
- Please uninstall the HENNGE Secure Browser app and HENNGE Device Certificate from each user's device.
※ Even if they remain, they will not affect the device, but they can no longer be used.
- The Microsoft Graph PowerShell SDK module must be installed in PowerShell.
Please complete the steps in the following article in advance.
Installing the Microsoft Graph PowerShell SDK
- Global administrator privileges for both Microsoft 365 and HENNGE Access Control are required to disconnect periodic sync and federation.
Procedure
Disconnecting Single Sign-On
1. Connect to Microsoft Graph
Start PowerShell on your work PC and execute the following command.
Connect-MgGraph -Scopes "Domain.ReadWrite.All","Directory.AccessAsUser.All" -ErrorAction Stop
A login dialog will appear, so please continue the login process with an account that has global administrator privileges for Microsoft 365.
2. Confirm domain information
Execute the following command to confirm the domain information.
Get-MgDomain
Please confirm that the "AuthenticationType" of the displayed domain is "Federated".
3. Disconnect Single Sign-On settings
You can disconnect the settings by executing the following command.
※ Immediately after disconnection, it may take time for the settings to be reflected internally in Microsoft 365, so it may operate as Single Sign-On. Please check after some time.
Update-MgDomain -DomainId [Your Domain] -AuthenticationType "Managed"
4. Confirm domain information
Execute the following command to confirm the domain information.
Get-MgDomain
Please confirm that the "AuthenticationType" of the domain disconnected in step 3 is "Managed".
5. Disconnect from Microsoft Graph
Execute the following command to disconnect from Microsoft Graph.
Disconnect-MgGraph
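Steps 2 to 4 can be run as one guarded function that refuses to act on a domain that is not federated and records the federation settings before removing them. This is an added example, not part of the original article or of HENNGE's tooling; the function name Convert-DomainToManaged, the contoso.example domain and the C:\temp backup folder are assumptions, and it expects the Connect-MgGraph session from step 1.

```powershell
# Added example (not from the original article).
# Assumes Connect-MgGraph has already been run with the scopes shown in step 1.
function Convert-DomainToManaged {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $DomainId,   # placeholder: your federated domain
        [string] $BackupDir = 'C:\temp'              # assumed folder for the pre-change record
    )

    # Step 2: stop unless the domain exists and is currently federated.
    $before = Get-MgDomain -DomainId $DomainId -ErrorAction Stop
    if ($before.AuthenticationType -ne 'Federated') {
        Write-Warning "$DomainId is already '$($before.AuthenticationType)'; nothing to change."
        return
    }

    # Record the federation settings (issuer URI, sign-in URL, signing certificate)
    # so the previous state is documented before it is removed.
    $stamp  = Get-Date -Format 'yyyyMMddHHmmss'
    $backup = Join-Path $BackupDir "federation-$DomainId-$stamp.json"
    Get-MgDomainFederationConfiguration -DomainId $DomainId -ErrorAction Stop |
        ConvertTo-Json -Depth 5 | Set-Content -Path $backup -Encoding UTF8

    # Step 3: switch the domain to managed authentication (skipped under -WhatIf).
    if (-not $PSCmdlet.ShouldProcess($DomainId, 'Set AuthenticationType to Managed')) { return }
    Update-MgDomain -DomainId $DomainId -AuthenticationType 'Managed' -ErrorAction Stop

    # Step 4: read the domain back and fail loudly if the change did not take.
    $after = Get-MgDomain -DomainId $DomainId -ErrorAction Stop
    if ($after.AuthenticationType -ne 'Managed') {
        throw "$DomainId still reports '$($after.AuthenticationType)' after the update."
    }
    $after | Select-Object Id, AuthenticationType, IsVerified, IsDefault
}

# Dry run first; remove -WhatIf to apply the change.
Convert-DomainToManaged -DomainId 'contoso.example' -WhatIf
```

A "Managed" result here only confirms the directory setting; as the note in step 3 says, sign-in may still behave as Single Sign-On until the change is reflected inside Microsoft 365.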
Deleting Sync Service
If periodic sync is being performed between HENNGE Access Control and Microsoft 365
1. Stop the periodic sync between HENNGE Access Control and Microsoft 365.
For details, please refer to the following article.
Procedure to Stop Periodic Sync with Access Control Microsoft 365
If syncing is being performed between Active Directory and HENNGE Access Control
Perform the following steps on the Windows server where the HDE One Sync Service is installed.
1. Uninstall HDE One Directory Sync
From the list in [Control Panel] > [Programs and Features], uninstall the following program.
HDE One Directory Sync x.x.x
2. Delete HDE One Directory Sync related files
Manually delete all files in the "C:\Program Files\HDE One Directory Sync" folder and the files directly under that folder.
3. Delete files under the HDEOne folder
If the "C:\HDEOne" folder exists, manually delete that folder and all files directly under that folder.
Microsoft 365 Password Reset
The method for bulk password reset in Microsoft 365 is shown below.
※ This task is not necessary if you are synchronizing passwords between Active Directory and Microsoft 365.
※ Each command must be executed in a single line.
1. Create a "temp" folder directly under the C drive
Create a "temp" folder directly under the C drive on your work PC.
2. Log in with Microsoft Graph PowerShell
Execute the following command in PowerShell.
Connect-MgGraph -Scopes "Domain.ReadWrite.All","Directory.AccessAsUser.All" -ErrorAction Stop
※ A login dialog will appear, so please continue the login process with an account that has Microsoft 365 global administrator privileges.
3. Retrieve the list of users
Execute the following command to output the list of users.
※ Outputs users whose User Principal Name is not "*.onmicrosoft.com".
Get-MgUser -All | where { -not ($_.UserPrincipalName -like "*.onmicrosoft.com") } | select UserPrincipalName | Export-Csv c:\temp\volunteers.csv -NoTypeInformation
4. Manually delete account information such as meeting rooms from the CSV list of users
Manually delete account information such as meeting rooms that are not subject to password changes from the user list (volunteers.csv) in the "c:\temp" folder.
5. Bulk password change
Execute the following commands one line at a time to change passwords in bulk.
$params = @{ PasswordProfile = @{ ForceChangePasswordNextSignIn = $True; Password = "XXXXXXXX" } }
Import-Csv c:\temp\volunteers.csv | ForEach-Object { Get-MgUser -UserId $_.UserPrincipalName; Update-MgUser -UserId $_.UserPrincipalName -BodyParameter $params }
※ Each user will need to change their password after logging in to Microsoft 365.
※ All users will have the same password.
Change the "XXXXXXXX" in the above command to the initial login password string.
▼ Password setting requirements
Azure AD Password Policy
※ Depending on various client applications such as Outlook, the authentication dialog may not appear immediately due to the authentication cache retention specifications of Microsoft 365.
6. Disconnect from Microsoft Graph
Execute the following command to disconnect from Microsoft Graph.
Disconnect-MgGraph
※ The [Connect-MgGraph] command retains the previously authenticated credentials, so you will not be prompted to sign in the next time you start. Therefore, it is necessary to execute [Disconnect-MgGraph] to make sure the session is signed out.
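Because step 5 gives every account the same initial password, anyone who learns it can sign in as any user who has not yet changed it. The following added example (not part of the original article) is a variant of step 5 that issues a different random temporary password per user; the function name New-TemporaryPassword and the output file c:\temp\issued-passwords.csv are assumptions, and it expects the Connect-MgGraph session from step 2 and the reviewed volunteers.csv from step 4.

```powershell
# Added example (not from the original article): per-user temporary passwords.
function New-TemporaryPassword {
    param([ValidateRange(12, 256)] [int] $Length = 16)
    # Four character classes, look-alike characters (0/O, 1/l/I) left out.
    $sets = 'ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnopqrstuvwxyz', '23456789', '!#%*+-=?@'
    $rng  = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf  = New-Object byte[] 1
    # Uniform integer in [0, $n) for $n <= 256; rejects bytes that would bias the modulo.
    $index = {
        param([int] $n)
        $limit = 256 - (256 % $n)
        do { $rng.GetBytes($buf) } while ($buf[0] -ge $limit)
        $buf[0] % $n
    }
    try {
        $all = -join $sets
        # One character from each class, then fill from the whole alphabet.
        $out = @($sets | ForEach-Object { $_[(& $index $_.Length)] })
        while ($out.Count -lt $Length) { $out += $all[(& $index $all.Length)] }
        # Fisher-Yates shuffle so the guaranteed classes are not in fixed positions.
        for ($i = $out.Count - 1; $i -gt 0; $i--) {
            $j = & $index ($i + 1)
            $out[$i], $out[$j] = $out[$j], $out[$i]
        }
        -join $out
    } finally { $rng.Dispose() }
}

$issued = Import-Csv c:\temp\volunteers.csv | ForEach-Object {
    $upn  = $_.UserPrincipalName          # capture now: inside catch, $_ is the error record
    $pw   = New-TemporaryPassword
    $body = @{ PasswordProfile = @{ ForceChangePasswordNextSignIn = $true; Password = $pw } }
    try {
        Update-MgUser -UserId $upn -BodyParameter $body -ErrorAction Stop
        [pscustomobject]@{ UserPrincipalName = $upn; TemporaryPassword = $pw; Status = 'Reset' }
    } catch {
        [pscustomobject]@{ UserPrincipalName = $upn; TemporaryPassword = ''; Status = "Failed: $($_.Exception.Message)" }
    }
}

# The output file holds cleartext passwords: restrict access to it and delete it
# once the passwords have been handed to the users.
$issued | Export-Csv c:\temp\issued-passwords.csv -NoTypeInformation
```

Rows with a "Failed" status keep their previous password and should be retried or handled individually.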
Other SSO Service Disconnection
If there are services (other than Microsoft 365) that use single sign-on (SSO) through HENNGE Access Control, please perform the SSO disconnection work for them as well.
Check the "Connected Services" in the HENNGE Access Control Administration.
Also, the SSO disconnection work needs to be performed at the connected service provider (SP). Please check with each SP's support desk for detailed disconnection methods.
The settings are complete.
Please contact HENNGE One Technical Support once the work is completed.