Change claims provider from ADFS to Windows/NTLM


  • I am trying to come up with a procedure for changing a Web Application that is in my SharePoint 2013 farm from using a custom identity provider (ADFS) back to Windows/NTLM claims. This Web Application was originally set up with ADFS, but now the need for ADFS is no longer necessary and we want to go back to Windows so we can do a hybrid configuration as part of an upgrade to SharePoint 2016. I know how to change the setting in Central Administration, but what I really need to figure out is how to migrate the users and groups that already have permissions from the ADFS claims provider to Windows claims.

    Right now all of the permissions for users show up as "i:05.t|adfs collaborate|" and we need to turn them into "i:0#.w|contoso\username". Groups look to be a bit more complicated, as it is converting a role, "c:0-.t|adfs collaborate|groupName", into a group that has the SID in the name, "c:0+.w|s-1-5-21-6546546-789556058-682001110-8444".

    I came across this script, but it is for changing one custom claims provider to another. Will this work for changing to the Windows claim provider?

    Is it as simple as running this command for each user?

    Move-SPUser -IgnoreSID -Confirm:$false -Identity "i:05.t|adfs collaborate|" -NewAlias "i:0#.w|contoso\username"

    What would I need to do for groups? Look up the SID in AD and perform a similar migration?

    $farm.MigrateGroup("c:0-.t|adfs collaborate|groupName","c:0+.w|s-1-5-21-6546546-789556058-682001110-8444")

    Has anyone attempted this before and run into any issues?


    Thursday, March 23, 2017 3:19 PM
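The two-step procedure sketched in the question (Move-SPUser for user claims, $farm.MigrateGroup for role claims, with an AD lookup to get the group SID) as one dry-run-first script. This is an added example, not code from the original poster or from Microsoft; the web application URL, the NetBIOS domain name and the assumption that each ADFS role name equals an AD group name are placeholders and assumptions to adjust for your farm. It keeps $dryRun = $true so that it only prints the planned old/new login pairs until you deliberately flip the flag.

```powershell
# Added example (not from the original post): migrate ADFS claims to Windows claims, dry run first.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

$webAppUrl  = "https://intranet.contoso.local"   # placeholder: your web application URL
$domain     = "contoso"                           # placeholder: NetBIOS domain name
$userPrefix = "i:05.t|adfs collaborate|"          # ADFS identity claim prefix from the question
$rolePrefix = "c:0-.t|adfs collaborate|"          # ADFS role claim prefix from the question
$dryRun     = $true                               # flip to $false only after reviewing the plan

$farm   = Get-SPFarm
$webApp = Get-SPWebApplication $webAppUrl
$done   = New-Object 'System.Collections.Generic.HashSet[string]'
$plan   = @()

foreach ($site in $webApp.Sites) {
    foreach ($web in $site.AllWebs) {
        foreach ($spUser in Get-SPUser -Web $web -Limit ALL) {
            $login = $spUser.UserLogin
            # Move-SPUser and MigrateGroup act farm-wide, so handle each login once
            if (-not $done.Add($login)) { continue }

            if ($login.StartsWith($userPrefix)) {
                $id = $login.Substring($userPrefix.Length)
                # ADFS usually emits a UPN or e-mail; Windows claims need DOMAIN\sAMAccountName,
                # so resolve the account in AD instead of guessing the username
                $adUser = Get-ADUser -Filter "UserPrincipalName -eq '$id' -or Mail -eq '$id' -or SamAccountName -eq '$id'"
                if ($null -eq $adUser) { Write-Warning "No AD user found for $login"; continue }
                $newLogin = "i:0#.w|$domain\$($adUser.SamAccountName)"
                $plan += [pscustomobject]@{ Kind = 'User'; Old = $login; New = $newLogin }
                if (-not $dryRun) {
                    # -IgnoreSID is required because the ADFS identity carries no Windows SID
                    Move-SPUser -Identity $spUser -NewAlias $newLogin -IgnoreSID -Confirm:$false
                }
            }
            elseif ($login.StartsWith($rolePrefix)) {
                $groupName = $login.Substring($rolePrefix.Length)
                # assumption: the ADFS role name is the AD group name; change the filter if your
                # role claim is mapped from a different attribute
                $adGroup = Get-ADGroup -Filter "Name -eq '$groupName'"
                if ($null -eq $adGroup) { Write-Warning "No AD group found for $login"; continue }
                # Windows group claims are keyed by the group SID, not the name
                $newLogin = "c:0+.w|$($adGroup.SID.Value)"
                $plan += [pscustomobject]@{ Kind = 'Group'; Old = $login; New = $newLogin }
                if (-not $dryRun) {
                    $farm.MigrateGroup($login, $newLogin)
                }
            }
        }
        $web.Dispose()
    }
    $site.Dispose()
}

# Review this table before running with $dryRun = $false
$plan | Format-Table -AutoSize
```

Run it on a copy of the content database first, and keep the dry-run table: after the real run, rerunning the same script with $dryRun = $true should print an empty plan, which is the simplest check that no ADFS-prefixed logins are left behind. Change the authentication provider in Central Administration only after the migration, otherwise users resolve to the new provider while their permissions still point at the old claims.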

All replies

  • Hi bshamster1,

    I am currently looking into the issue and will give an update as soon as possible.

    Best Regards,

    Lisa Chen

    Please remember to mark the replies as answers if they help.

    Friday, March 24, 2017 11:06 AM