Problem
You have an on-prem Active Directory domain with ADFS 2012 configured to federate with Office 365 for messaging services, and you would like to extend that to another domain that is a separate tree in the same forest. The task required is quite simple: change the authentication type for the new domain from Managed to Federated, which is what the domain currently hosting O365 mailboxes is configured as.
You attempt to execute the Update-MsolFederatedDomain cmdlet with the -SupportMultipleDomain switch to reconfigure the currently federated domain so that it supports multiple federated domains, but receive the following error:
PS C:\> Update-MsolFederatedDomain -domainname contoso.com
Successfully updated 'contoso.com' domain.
PS C:\> Update-MsolFederatedDomain -domainname contoso.com -supportmultipledomain
Update-MsolFederatedDomain : The switch parameter SupportMultipleDomain is not supported here.
At line:1 char:27
+ Update-MsolFederatedDomain <<<< -domainname contoso.com -supportmultipledomain
    + CategoryInfo          : InvalidOperation: (:) [Update-MsolFederatedDomain], FederationException
    + FullyQualifiedErrorId : MultipleDomainSwitchNotSupported,Microsoft.Online.Identity.Federation.Powershell.UpdateFederatedDomainCommand
PS C:\>
Solution
What threw me off with this problem was that most articles I found specify that the Microsoft Office 365 Identity Platform Relying Party Trust needs to be removed during this process. Because the environment I was working in already had production services in use, I wanted to test the -SupportMultipleDomain switch on the already-federated domain first, to confirm that it would actually work before deleting anything, and the error message:
Update-MsolFederatedDomain : The switch parameter SupportMultipleDomain is not supported here.
… does not instill much confidence. After scheduling a weekend window for this reconfiguration, I was able to confirm that the cmdlet:
Update-MsolFederatedDomain -domainname contoso.com -supportmultipledomain
… will work once the Microsoft Office 365 Identity Platform Relying Party Trust is removed.
So to recap, the process should be as follows. Note that from the moment the Relying Party Trust is deleted until Update-MsolFederatedDomain recreates it, users of the already-federated domain cannot sign in to Office 365, so do this inside a maintenance window:
- Log onto the ADFS server
- Launch the AD FS administration console
- Navigate to AD FS > Trust Relationships > Relying Party Trusts
- Delete the Microsoft Office 365 Identity Platform entry
- Launch Windows Azure Active Directory Module for Windows PowerShell
- Execute the following:
- Connect-MSOLService
- Set-MsolADFSContext -Computer <internalADFSserverName>
- Update-MsolFederatedDomain -DomainName <alreadyFederatedDomainFQDN>
- Update-MsolFederatedDomain -DomainName <alreadyFederatedDomainFQDN> -SupportMultipleDomain
- Convert-MsolDomainToFederated -DomainName <newDomaintoBeAddedFQDN> -SupportMultipleDomain
- Get-MsolDomain
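The recap above as a single script with the before/after checks a practitioner would want, added here as an example and not taken from the original post. The domain names, the AD FS server name and the use of the AD FS PowerShell module (Windows Server 2012) to remove the trust instead of the console are assumptions; the Office 365 cmdlets are the ones listed in the recap.

```powershell
# Added example (not from the original post): runs the recap as a script with
# pre-flight and post checks. Assumptions, not taken from the post:
#   - $FederatedDomain, $NewDomain and $AdfsServer are placeholder values
#   - the AD FS module on Windows Server 2012 is available on the AD FS server,
#     so the RP trust is removed with Remove-AdfsRelyingPartyTrust rather than the console
#   - the Windows Azure Active Directory Module for Windows PowerShell is installed locally

$FederatedDomain = 'contoso.com'               # already Federated (assumed, as in the post's output)
$NewDomain       = 'fabrikam.com'              # second tree in the same forest, still Managed (assumed)
$AdfsServer      = 'adfs01.corp.contoso.com'   # internal AD FS server name (assumed)
$RpTrustName     = 'Microsoft Office 365 Identity Platform'

Import-Module MSOnline
Connect-MsolService                            # prompts for tenant admin credentials
Set-MsolADFSContext -Computer $AdfsServer

# Pre-flight: the new domain must exist in the tenant, be verified and still be Managed;
# the existing domain must already be Federated. Stop before touching anything otherwise.
$before = Get-MsolDomain | Select-Object Name, Status, Authentication
$before | Format-Table -AutoSize

$new = $before | Where-Object { $_.Name -eq $NewDomain }
$old = $before | Where-Object { $_.Name -eq $FederatedDomain }
if (-not $new -or $new.Status -ne 'Verified' -or $new.Authentication -ne 'Managed') {
    throw "$NewDomain must be a verified Managed domain before conversion."
}
if (-not $old -or $old.Authentication -ne 'Federated') {
    throw "$FederatedDomain is expected to be Federated already."
}

# Step 1: remove the existing RP trust. Until it is recreated below, users of
# $FederatedDomain cannot sign in to Office 365, so run this inside a maintenance window.
# This is the scripted equivalent of deleting the entry in the AD FS console.
Invoke-Command -ComputerName $AdfsServer -ScriptBlock {
    param($name)
    Import-Module ADFS
    $rp = Get-AdfsRelyingPartyTrust -Name $name
    if ($rp) {
        Write-Host "Removing RP trust '$name' (identifiers: $($rp.Identifier -join ', '))"
        Remove-AdfsRelyingPartyTrust -TargetName $name
    } else {
        Write-Host "RP trust '$name' not present"
    }
} -ArgumentList $RpTrustName

# Step 2: recreate the trust with multi-domain support and federate the new domain,
# in the order given in the recap. (A reader comment on the post says the plain
# Update-MsolFederatedDomain call can be skipped; it is kept here to mirror the recap.)
Update-MsolFederatedDomain    -DomainName $FederatedDomain
Update-MsolFederatedDomain    -DomainName $FederatedDomain -SupportMultipleDomain
Convert-MsolDomainToFederated -DomainName $NewDomain -SupportMultipleDomain

# Post checks: both domains now Federated, and each with its own IssuerUri of the
# form http://<domain>/adfs/services/trust/, which is what -SupportMultipleDomain changes.
Get-MsolDomain | Select-Object Name, Status, Authentication | Format-Table -AutoSize
foreach ($d in $FederatedDomain, $NewDomain) {
    $fs = Get-MsolDomainFederationSettings -DomainName $d
    [pscustomobject]@{ Domain = $d; IssuerUri = $fs.IssuerUri; PassiveLogOnUri = $fs.PassiveLogOnUri }
}
```

If the post checks show both domains sharing one IssuerUri, the trust was recreated without multi-domain support and the Update step with -SupportMultipleDomain has to be repeated after the trust is removed again.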
Hope this helps anyone who might be a bit uncertain whether the -SupportMultipleDomain switch would work or not before they delete the Relying Party Trust.
5 comments:
Excellent!! Thanks for the insights!
Is step 3 really required?
Step 3 will recreate the same condition as before (recreate the RP with a single domain).
You need to skip it altogether.
Thanks for the article...
Thanks! It helped me.