I was recently setting up federation between Google Workspace and Microsoft 365, using Google Workspace as the Identity Provider for Entra ID.
Somewhere in the process, however, something went wrong and I was stuck in a broken configuration where Federation wasn’t enabled, but users in the domain were not being authenticated against Entra.
Whilst there is a command, Remove-MgDomainFederationConfiguration, to then remove the configuration, it needs both the domain name (e.g. example.com.au) and the directory ID, which is a GUID. I didn’t have, and couldn’t get, this ID due to the broken state.
Some other instructions I saw to disable it used the old MSOL commands which are now deprecated. I thought I was completely hosed!
Fortunately I had a break-glass account using the onmicrosoft.com domain name, so could still authenticate with PowerShell and update the domain via:
Connect-MgGraph -Scopes "Domain.ReadWrite.All", "Directory.AccessAsUser.All"
Update-MgDomain -DomainId <domain name> -AuthenticationType "Managed"
Now I just need to work out why it wasn’t working in the first place.
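The same recovery with the domain state recorded before and after the change, as an added example that is not part of the original post. It assumes the Microsoft Graph PowerShell SDK is installed and uses example.com.au as a placeholder domain; the variable names are illustrative.

```powershell
# Added example: reset a custom domain to Managed authentication and verify it.
# example.com.au is a placeholder; replace it with the affected domain.
$DomainName = 'example.com.au'

# Sign in with the break-glass account on the onmicrosoft.com domain,
# since accounts in the affected domain may not be able to authenticate.
Connect-MgGraph -Scopes 'Domain.ReadWrite.All', 'Directory.AccessAsUser.All'

# Record the current state before changing anything.
$before = Get-MgDomain -DomainId $DomainName
Write-Host "Before: $($before.Id) AuthenticationType=$($before.AuthenticationType)"

# Try to list federation configuration objects for the record.
# In a broken state this may fail or return nothing, so do not depend on it.
try {
    $fed = Get-MgDomainFederationConfiguration -DomainId $DomainName -ErrorAction Stop
    if ($fed) {
        $fed | Select-Object Id, DisplayName, IssuerUri | Format-List
    } else {
        Write-Host 'No federation configuration objects returned.'
    }
} catch {
    Write-Warning "Could not read federation configuration: $($_.Exception.Message)"
}

# Switch the domain back to Managed only if it is not already.
if ($before.AuthenticationType -ne 'Managed') {
    Update-MgDomain -DomainId $DomainName -AuthenticationType 'Managed'
}

# Confirm the change took effect before signing out.
$after = Get-MgDomain -DomainId $DomainName
Write-Host "After:  $($after.Id) AuthenticationType=$($after.AuthenticationType)"
if ($after.AuthenticationType -ne 'Managed') {
    throw "Domain $DomainName is still '$($after.AuthenticationType)'."
}

Disconnect-MgGraph | Out-Null
```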