Posted on:
Categories: SharePoint;PowerShell


You are running SharePoint 2013 with the April 2014 Cumulative Update and you need to upgrade a Web Application to Claims Authentication. Unfortunately, the Convert-SPWebApplication commandlet is broken by the April Cumulative Update. The only provided workaround is to use Move-SPUser or stsadm -o migrateuser.

More info on Trevor Swears blog

Please note that both of these commands will migrate the user across the whole farm.


In the meantime, use the following script to migrate a Web Application to Claims.

Please note that this script will migrate the user to Claims on every Web Application on the Farm. This is a limitation of the Move-SPUser commandlet.

# Name:               Convert-SPWebApplicationToClaims.ps1  
# Description:         This script will migrate a Web Application to Claims Authentication
# Usage:            Run the function with a WebApplication URL as the parameter
# Warning:         The users will me migrated on all Web Applications on the farm!!
# By:                 Ivan Josipovic,  

Function Convert-SPWebApplicationToClaims ($WebApp) {
 foreach ($Site in Get-SPSite -limit all -WebApplication $WebApp){
  foreach($user in $Site.RootWeb.SiteUsers | ? {!$_.UserLogin.StartsWith("i:0#.w|") -and !$_.UserLogin.StartsWith("c:0!.s|") -and !$_.UserLogin.StartsWith("c:0(.s|")}){  
   Write-Host $user.UserLogin
   if($user.UserLogin -eq "SHAREPOINT\system"){continue;}
    switch ($user.UserLogin.ToLower()) 
     "nt authority\all authenticated users" {Move-SPUser -Identity $user -NewAlias "c:0(.s|true" -IgnoreSID -Confirm:$false -EA 0;} 
     "nt authority\authenticated users" {Move-SPUser -Identity $user -NewAlias "c:0!.s|windows" -IgnoreSID -Confirm:$false -EA 0;} 
     default {Move-SPUser -Identity $user -NewAlias "c:0+.w|$($user.Sid.ToLower())" -IgnoreSID -Confirm:$false -EA 0;}
   } else {
    Move-SPUser -Identity $user -NewAlias "i:0#.w|$($user.UserLogin)" -IgnoreSID -Confirm:$false -EA 0;

#Convert-SPWebApplicationToClaim -WebApp