At Microsoft, we are committed to ensuring the highest standards of security and privacy for our customers. As part of this commitment, we are making a significant update to the Get-FederationInformation cmdlet in Microsoft Exchange Online. This change is designed to enhance the security of tenant information by limiting the exposure of domain names to unauthorized users. In this blog post, we will explain the nature of the change, the reasons behind it, and how it might affect your operations.
Current behavior
Currently, the Get-FederationInformation cmdlet allows an administrator of any Exchange Online tenant to retrieve federation information for any specified domain, with no authorization or consent from the tenant that owns that domain. The result includes the ‘DomainNames’ property, which lists all of the federated accepted domains of the target tenant, not just the one that was queried.
For example, running the following command:
Get-FederationInformation -DomainName contoso.com
Returns:
TargetApplicationUri : outlook.com
DomainNames : { contoso.com, contoso.net, mail.contoso.com, …}
TargetAutodiscoverEpr : https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc/WSSecurity
TokenIssuerUris : {urn:federation:MicrosoftOnline}
IsValid : True
ObjectState : Unchanged
As you can see, a single query exposes every federated domain name of the target tenant. That list is the target tenant's information, and it should not be disclosed to other tenants without that tenant's explicit consent.
Upcoming change
To address this concern, we are updating the Get-FederationInformation cmdlet. Going forward, the “DomainNames” property will no longer return the target tenant's full list of federated domains. Instead, it will contain only the domain that was passed in the -DomainName parameter.
For example, after the update, running the same command:
Get-FederationInformation -DomainName contoso.com
Will return:
TargetApplicationUri : outlook.com
DomainNames : { contoso.com }
TargetAutodiscoverEpr : https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc/WSSecurity
TokenIssuerUris : {urn:federation:MicrosoftOnline}
IsValid : True
ObjectState : Unchanged
This change enhances the security and privacy of tenant information.
Customer impact
We understand that this change may impact some of your current workflows, especially if you rely on the Get-FederationInformation cmdlet to enumerate all federated domain names of a target tenant. Once this change is rolled out, starting in mid-June, you will need to obtain that information directly from the target tenant's administrators.
Tenant administrators can use the Get-FederatedOrganizationIdentifier cmdlet to retrieve the list of federated domains for their own tenant (the Domains property) and share it with other tenants if they wish to establish cross-tenant relationships for purposes such as calendar free/busy sharing.
Tips for creating organization relationships
When creating an organization relationship with a tenant hosted in Microsoft 365, it’s recommended to include <tenant>.mail.onmicrosoft.com (the tenant's Exchange Online routing domain) in the DomainNames list alongside <tenant>.onmicrosoft.com and the tenant's custom domains. For example, to create an organization relationship with a tenant hosted in the Microsoft 365 worldwide (multi-tenant) endpoint:
New-OrganizationRelationship -Name "Office 365 Contoso" -Enabled $true -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails -TargetApplicationUri outlook.com -TargetAutodiscoverEpr https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc/WSSecurity -DomainNames contoso.onmicrosoft.com, contoso.mail.onmicrosoft.com, contoso.com
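The following is an added example, not code from the Exchange Team post, that walks through the new workflow end to end: the target tenant's administrator exports its federated domains with Get-FederatedOrganizationIdentifier, and the consuming tenant's administrator builds the DomainNames list from that shared file, adds the two onmicrosoft.com names recommended above, validates it, and creates or updates the organization relationship. Tenant names (contoso, fabrikam), the file path, the relationship name, and the assumption that each entry in the Domains property renders as the bare domain name when converted to a string are all placeholders or assumptions. Each half assumes an Exchange Online PowerShell session opened with Connect-ExchangeOnline in the respective tenant.

```powershell
# Added example (not from the Exchange Team post). Domain names, file path and
# relationship name are placeholders.

# --- Step 1: run by an Exchange administrator of the TARGET tenant (contoso) ---
# Get-FederatedOrganizationIdentifier lists the tenant's own federated domains;
# this is the authorised replacement for reading them out of Get-FederationInformation.
$federated = Get-FederatedOrganizationIdentifier
# Assumption: each entry in .Domains converts to the plain domain name as a string.
$federated.Domains |
    ForEach-Object { $_.ToString() } |
    Set-Content -Path .\contoso-federated-domains.txt   # share this file with the other tenant out of band

# --- Step 2: run by an Exchange administrator of the CONSUMING tenant (fabrikam) ---
$targetTenant     = 'contoso'                            # placeholder
$relationshipName = 'Office 365 Contoso'                 # placeholder

# Pre-flight: this is what the change removes. Once it is live, only the queried
# domain comes back, so any script that relied on a longer list must be reworked.
$probe = Get-FederationInformation -DomainName "$targetTenant.com"
if (@($probe.DomainNames).Count -gt 1) {
    Write-Warning 'Get-FederationInformation still returns the full domain list; the change has not reached this tenant yet.'
}

# Read the list the target tenant shared and normalise it.
$shared = Get-Content -Path .\contoso-federated-domains.txt |
    ForEach-Object { $_.Trim().ToLowerInvariant() } |
    Where-Object { $_ }

# Per the tip above, always include both onmicrosoft.com names for the target tenant.
$required    = @("$targetTenant.onmicrosoft.com", "$targetTenant.mail.onmicrosoft.com")
$domainNames = @(($required + $shared) | Select-Object -Unique)

# Do not trust the shared file blindly: refuse anything that is not a plausible DNS name
# before it ends up in a trust relationship.
$bad = $domainNames | Where-Object { $_ -notmatch '^[a-z0-9][a-z0-9.-]*\.[a-z]{2,}$' }
if ($bad) {
    throw "Refusing to configure relationship; malformed domain(s): $($bad -join ', ')"
}

$params = @{
    Name                  = $relationshipName
    Enabled               = $true
    FreeBusyAccessEnabled = $true
    FreeBusyAccessLevel   = 'LimitedDetails'
    TargetApplicationUri  = 'outlook.com'
    TargetAutodiscoverEpr = 'https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc/WSSecurity'
    DomainNames           = $domainNames
}

# Create the relationship, or just refresh its domain list if it already exists.
$existing = Get-OrganizationRelationship -Identity $relationshipName -ErrorAction SilentlyContinue
if ($existing) {
    Set-OrganizationRelationship -Identity $relationshipName -DomainNames $domainNames
} else {
    New-OrganizationRelationship @params
}
```

The validation step matters because the domain list now arrives from a person rather than from the service: a stray or mistyped domain in DomainNames grants free/busy access for that domain, so the script rejects anything that does not look like a hostname rather than silently passing it through. Re-running the script is safe, since it switches to Set-OrganizationRelationship when the relationship already exists.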
Next steps
We recommend that you review your current use of the Get-FederationInformation cmdlet and make any necessary adjustments to your workflows. If you have any questions or need further assistance, please let us know!
We appreciate your understanding and cooperation as we implement this change. Thank you for your continued trust in Microsoft Exchange Online.
The Exchange Team