Thursday, June 12, 2014

Lesson Learned: Do Not Use Move-SPUser on a SharePoint Farm With Multiple Web Applications and Different Trusted Identity Providers!

Do not use Move-SPUser (or its older equivalent, "stsadm -o migrateuser") on a SharePoint farm whose web applications are mapped to different identity providers.
The reason is that the cmdlet is a farm-level operation: it rewrites the user's login in every content database in the farm, not only in the database that holds the site collection you took the SPUser object from.

For example, assume you have a claims-based web application using Windows authentication (NTLM), a second claims-based web application using ADFS as a trusted identity provider, and a third web application using NTLM.

If you run Move-SPUser to move an NTLM user to the ADFS identity provider, the change affects all three web applications, even though the SPUser object you passed to the command was obtained from one specific web application or site collection. The user record in the content databases of the two NTLM web applications is rewritten to the ADFS login as well, so the Windows identity no longer matches the permissions that were granted in those sites.

If you want to migrate only one web application from NTLM to a different identity provider, what I suggest is to temporarily detach (dismount) all the content databases you do not want to migrate, run Move-SPUser, and then reattach the detached content databases.
The site collections in a dismounted database are unavailable until it is mounted again, so plan this for a maintenance window, and record each database's name, server and web application before you dismount it so you can mount it back in the right place.

Remember to check the web application's user policies (User Policy for the web application in Central Administration) after the user migration and confirm they reference the migrated account.
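The detach, migrate, reattach procedure above, followed by the policy check, as an added PowerShell example (not code from the original post). The web application URL, the claims-encoded logins, the trusted provider name "ADFS" and the account names are hypothetical placeholders; the claims login formats (`i:0#.w|` for Windows, `i:05.t|<provider>|<email>` for a trusted provider using the e-mail claim as identity) are the standard SharePoint encodings.

```powershell
# Added example, not from the original post: migrate one Windows (NTLM) user to an
# ADFS trusted identity provider for ONE web application only, by temporarily
# dismounting every content database that belongs to the other web applications.
# All URLs, database names, provider name and account names are hypothetical.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$targetWebAppUrl = "https://portal.contoso.com"      # web application to migrate (assumed)
$oldLogin        = "i:0#.w|contoso\jdoe"             # Windows claims login (assumed account)
$newLogin        = "i:05.t|ADFS|jdoe@contoso.com"    # trusted provider login, e-mail identity claim (assumed)

$targetWebApp = Get-SPWebApplication -Identity $targetWebAppUrl

# 1. Record and dismount every content database that does NOT belong to the target web app.
#    Name, server and web application are kept so each database can be mounted back exactly where it was.
$detached = @()
foreach ($wa in (Get-SPWebApplication)) {
    if ($wa.Id -eq $targetWebApp.Id) { continue }
    foreach ($db in (Get-SPContentDatabase -WebApplication $wa)) {
        $detached += [pscustomobject]@{ Name = $db.Name; Server = $db.Server; WebAppUrl = $wa.Url }
        Write-Host "Dismounting $($db.Name) from $($wa.Url)"
        Dismount-SPContentDatabase -Identity $db -Confirm:$false
    }
}

try {
    # 2. Migrate the user. Only the target web app's databases are attached now, so the
    #    farm-wide rewrite can only touch them. -IgnoreSID is required because the new
    #    login is not a Windows account.
    $user = Get-SPUser -Web $targetWebAppUrl -Identity $oldLogin
    Move-SPUser -Identity $user -NewAlias $newLogin -IgnoreSID -Confirm:$false
}
finally {
    # 3. Reattach everything that was dismounted, even if Move-SPUser threw.
    foreach ($d in $detached) {
        Write-Host "Mounting $($d.Name) back to $($d.WebAppUrl)"
        Mount-SPContentDatabase -Name $d.Name -DatabaseServer $d.Server -WebApplication $d.WebAppUrl | Out-Null
    }
}

# 4. Policy check: list the target web application's user policies and flag any that
#    still name the old login, so they can be corrected by hand.
$targetWebApp.Policies |
    Select-Object UserName, DisplayName, @{ n = "Roles"; e = { ($_.PolicyRoleBindings | ForEach-Object { $_.Name }) -join "," } } |
    Format-Table -AutoSize
$stale = $targetWebApp.Policies | Where-Object { $_.UserName -eq $oldLogin }
if ($stale) { Write-Warning "Web application policy still references $oldLogin; update it to $newLogin" }
```

Run this from the SharePoint Management Shell as a farm administrator who is also a SharePoint shell admin on the content databases. Mounting and dismounting is deliberately wrapped in try/finally so that a failure in Move-SPUser does not leave the other web applications without their databases; if you migrate several users, dismount once, loop the Move-SPUser step, and mount once rather than repeating the whole sequence per user.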
