Forum Discussion
Federating Two Domains to Single Google Workspace Org — IssuerUri Conflict
Problem:
I'm federating two custom domains (domainA.com and domainB.com) in the same Entra tenant to Google Workspace as the IdP using New-MgDomainFederationConfiguration. Cloud-only tenant, no on-premises AD.
domainA.com works perfectly. When attempting to federate domainB.com, I get:
409 Conflict — Request_MultipleObjectsWithSameKeyValue
Root cause: Both domains are in the same Google Workspace org. Google always sends the same IssuerUri in every SAML response regardless of which SAML app is used. Entra's global IssuerUri uniqueness constraint blocks the second domain.
Workarounds attempted:
- Modified IssuerUri with unique query parameter — Google's SAML assertion still contains the original IssuerUri, Entra silently rejects it
- Second Google SAML app — Google sends identical IdP Entity ID regardless
- Google Legacy SSO profile with domain-specific issuer — only affects Google authentication, not Microsoft-initiated SAML flows
- Beta Graph API — same constraints
- MSOnline module — fails with Negotiate/forbidden error
Questions:
- Is there any supported way to federate two domains in the same tenant to the same Google Workspace org?
- Is there a Graph API equivalent of the legacy -SupportMultipleDomain switch?
- domainB.com also returns "No matching stub found. Please reset the federation" on every update attempt — is this a known backend issue?
We have a support ticket open for 21 days with no engineer response.
Any help appreciated!
1 Reply
Hello
Today, Entra requires that IssuerUri be globally unique per tenant for each federated domain. This validation is applied at the internalDomainFederation object level and not just per individual domain.
Google Workspace, in turn, always uses the same Issuer/EntityID for all SAML applications within the same organization. This value is fixed and cannot be customized per domain or per application.
As a result, when attempting to federate a second domain in the same tenant pointing to the same Google Workspace organization, Entra detects that the IssuerUri is already in use and returns the error:
409 — Request_MultipleObjectsWithSameKeyValue
The -SupportMultipleDomain parameter, available in the New-MgDomainFederationConfiguration and Update-MgDomainFederationConfiguration cmdlets, does not resolve this scenario. This parameter only allows multiple domains when the IdP supports distinct IssuerUri per domain, which is not the case with Google Workspace.
Because the Google Workspace Issuer is global and immutable per organization, there is currently no supported way to federate multiple domains in the same tenant that sign in to the same Google Workspace organization using standard domain federation.
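A pre-flight check for the conflict described in this thread, added here as an example (not code from either poster): it lists the IssuerUri of every federated domain in the tenant and flags any domain already bound to the issuer you are about to register, so the 409 is visible before New-MgDomainFederationConfiguration is called. It assumes the Microsoft Graph PowerShell SDK with Domain.Read.All consent; the script parameters and the placeholder issuer value are my own.

```powershell
# Added example, not part of the original thread.
# Assumes: Microsoft Graph PowerShell SDK installed, Domain.Read.All consented.
# $CandidateIssuerUri is the Issuer/EntityID the IdP (Google Workspace) sends;
# pass the real value from the Google SAML app metadata. Example placeholder:
#   .\Test-IssuerUriConflict.ps1 -CandidateIssuerUri 'https://accounts.google.com/o/saml2?idpid=PLACEHOLDER' -DomainToFederate 'domainB.com'
param(
    [Parameter(Mandatory)] [string] $CandidateIssuerUri,
    [Parameter(Mandatory)] [string] $DomainToFederate
)

Connect-MgGraph -Scopes 'Domain.Read.All'

# Collect every federated domain in the tenant together with its IssuerUri.
# Entra enforces IssuerUri uniqueness across all internalDomainFederation objects,
# so this is the set the new configuration will be checked against.
$federated = Get-MgDomain -All |
    Where-Object { $_.AuthenticationType -eq 'Federated' } |
    ForEach-Object {
        $domainId = $_.Id
        Get-MgDomainFederationConfiguration -DomainId $domainId |
            Select-Object @{ n = 'Domain'; e = { $domainId } }, IssuerUri, DisplayName
    }

Write-Host 'Federated domains and their IssuerUri values:'
$federated | Format-Table -AutoSize

# Any other domain already bound to the candidate IssuerUri is the object that
# triggers 409 Request_MultipleObjectsWithSameKeyValue on the create call.
$conflicts = $federated | Where-Object {
    $_.IssuerUri -eq $CandidateIssuerUri -and $_.Domain -ne $DomainToFederate
}

if ($conflicts) {
    Write-Warning ("IssuerUri '{0}' is already used by: {1}" -f `
        $CandidateIssuerUri, ($conflicts.Domain -join ', '))
    Write-Warning "Federating $DomainToFederate with this IssuerUri will fail with 409 Request_MultipleObjectsWithSameKeyValue."
    exit 1
}

Write-Host "No IssuerUri conflict found for $DomainToFederate; New-MgDomainFederationConfiguration can proceed."
```

The check only reads existing configurations; it does not create or modify any federation object, so it is safe to run repeatedly while a support case is open.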