Wednesday, March 30, 2016

Setting up multiple domain federation with ADFS 2012 and Office 365

Problem

You have an on-prem Active Directory domain with ADFS 2012 configured to use Office 365 services to for messaging services and would like to expand the usage to another domain that is a different tree in the same forest. The task required to do this is quite simple and that is to change the Authentication type for the new domain from Managed to Federated which is what the currently set up domain with O365 mailboxes is configured as:

image

You attempt to execute the Update-MsolFederatedDomain cmdlet with the -supportmultipledomain switch to change the federation for the currently federated domain to support multiple federated domains but receive the following error:

PS C:\> Update-MsolFederatedDomain -domainname contoso.com

Successfully updated 'contoso.com' domain.

PS C:\> Update-MsolFederatedDomain -domainname contoso.com -supportmulti

pledomain

Update-MsolFederatedDomain : The switch parameter SupportMultipleDomain is not

supported here.

At line:1 char:27

+ Update-MsolFederatedDomain <<<< -domainname contoso.com -supportmult

ipledomain

+ CategoryInfo : InvalidOperation: (:) [Update-MsolFederatedDomai

n], FederationException

+ FullyQualifiedErrorId : MultipleDomainSwitchNotSupported,Microsoft.Onlin

e.Identity.Federation.Powershell.UpdateFederatedDomainCommand

PS C:\>

image

Solution

What threw me off with this problem was that most articles I found specifies that the Microsoft Office 365 Identity Platform Relaying Party Trust needs to be removed:

image

… during this process but because the environment I was working in already had production services in use, I decided to test the -supportmultipledomain on the federated domain to ensure it actually existed and the error message:

Update-MsolFederatedDomain : The switch parameter SupportMultipleDomain is not

supported here.

… does not instill much confidence. After scheduling a weekend window for this reconfiguration, I was able to confirm that the cmdlet:

Update-MsolFederatedDomain -domainname contoso.com -supportmultipledomain

… will work once the Microsoft Office 365 Identity Platform Relaying Party Trust is removed:

image

image

image

image

So to recap, the process should be as follows:

  1. Log onto the ADFS server
  2. Launch the AD FS administration console
  3. Navigate to AD FS > Trust Relationships > Relaying Party Trusts
  4. Delete the Microsoft Office 365 Identity Platform entry
  5. Launch Windows Azure Active Directory Module for Windows PowerShell
  6. Execute the following:
    1. Connect-MSOLService
    2. Set-MsolADFSContext -Computer <internalADFSserverName>
    3. Update-MsolFederatedDomain -DomainName <alreadyFederatedDomainFQDN>
    4. Update-MsolFederatedDomain -DomainName <alreadyFederatedDomainFQDN> -SupportMultipleDomain
    5. Convert-MsolDomainToFederated -DomainName <newDomaintoBeAddedFQDN> -SupportMultipleDomain
    6. Get-MsolDomain

Hope this helps anyone who might be a bit uncertain whether the -SupportMultipleDomain switch would work or not before they delete the Relaying Party Trust.

No comments: