Forum Discussion
Nick_Chadwick
Mar 27, 2024 | Copper Contributor
Problems configuring federation to SAML IdP
Hi. I'm trying to configure our Entra domain to federate to our existing IdP, following the guidance found https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-fed-saml-...
HTYZ1380
May 15, 2024 | Copper Contributor
Hi
I got stuck on a similar problem as you.
I used the old "Set-MsolDomainAuthentication" command and got my domain back to being managed.
Below is an example.
Set-MsolDomainAuthentication -DomainName "my.custom.domain" -Authentication Managed
Hope this helps
Mosaic_Nick
May 17, 2024 | Copper Contributor
Thanks for that. Unfortunately it is too late for it to help in this case, as within a few days of making the original change, everyone in my organisation was unable to log in to Microsoft any more. I have since (for nearly 2 months!) been stuck in a hell of dealing with Microsoft support, which I can honestly say has been, and continues to be, an utter disgrace, and the worst customer experience I have experienced in my long career in IT. And still the situation is unresolved. No one in my company is able to access Office software or host Teams meetings, and I have everyone from the CEO down chasing me on a daily basis while I wait for another pointless call that will most likely get us no closer to a happy ending. And of course it's impossible to call them and get through to anyone who can help (I have personally sat on hold for 2+ hours on several occasions). If Microsoft wasn't such a huge company, they'd have gone out of business a long time ago, if this is how they look after their customers. Ho hum. Rant over, I guess.
mzahneissen
May 27, 2024 | Copper Contributor
We had this problem too, but only with the second or further domains. Support couldn't help either and searched in completely the wrong direction.
I could solve it by changing the domain back to managed and federating it with New-MgDomainFederationConfiguration. It is important to note that the IssuerUri parameter must be individual for each domain. Otherwise the API will not understand that it is the same IdP (ADFS in our case) and will save a broken configuration. By the way, this also happens if other parameters are not 100% correct; a defective configuration is saved and blocks everything else. Error messages are usually not sufficiently informative.
If you have any questions, please feel free to get in touch.
MAEssig
Jun 18, 2024 | Copper Contributor
Would be very curious if there is a way to clear out that sort of bad configuration, running into the same issue in a newly migrated environment as well.
JimT1685
Sep 24, 2024 | Copper Contributor
I just experienced this problem today and found this thread which was very helpful, so for the record here is the command that I used to reset to Managed that appears to have worked:
Update-MgDomain -DomainId <domain> -AuthenticationType "Managed"
After this, I was able to successfully run my New-MgDomainFederationConfiguration command, corrected with the inclusion of -FederatedIdpMfaBehavior.
Hope this is helpful for you or someone else in future.
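The procedure the thread converges on (reset the domain to Managed, clear the defective federation object, recreate it with a per-domain IssuerUri and an explicit FederatedIdpMfaBehavior, then read back what was actually saved) as one script. This is an added example, not code posted by anyone in the thread. It uses the Microsoft Graph PowerShell cmdlets rather than Set-MsolDomainAuthentication because the MSOnline module is deprecated. The domain names, the IdP host name, the certificate path and the IssuerUri pattern (http://<domain>/adfs/services/trust/, which is what the ADFS SupportMultipleDomain issuance rule emits) are assumptions; substitute your own values, and make sure a cloud-only Global Administrator in the onmicrosoft.com domain can still sign in before touching federation, since the thread shows what happens when federation breaks for every account.

```powershell
# Added example (not from the thread). Assumes the Microsoft.Graph PowerShell SDK,
# placeholder domain names, a placeholder ADFS host and a local copy of the
# IdP token-signing certificate. Run it as a cloud-only admin, not a federated user.
#Requires -Modules Microsoft.Graph.Identity.DirectoryManagement

param(
    [string[]] $Domains  = @("corp.example.com", "second.example.com"),  # placeholders
    [string]   $IdpHost  = "adfs.example.com",                           # placeholder IdP host
    [string]   $CertPath = ".\idp-token-signing.cer"                     # placeholder cert file
)

Connect-MgGraph -Scopes "Domain.ReadWrite.All" -NoWelcome

# The API wants the token-signing certificate as base64 of its DER bytes.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
$signingCert = [Convert]::ToBase64String($cert.RawData)

foreach ($domain in $Domains) {
    $before = Get-MgDomain -DomainId $domain
    Write-Host "$domain is currently $($before.AuthenticationType)"

    # Step 1: the reset JimT1685 used. A half-saved federation blocks everything
    # else, so go back to Managed before trying again.
    if ($before.AuthenticationType -eq "Federated") {
        Update-MgDomain -DomainId $domain -AuthenticationType "Managed"
    }

    # Step 2: remove any leftover federation object on the domain so a stale,
    # defective configuration cannot linger behind the new one.
    Get-MgDomainFederationConfiguration -DomainId $domain -ErrorAction SilentlyContinue |
        ForEach-Object {
            Remove-MgDomainFederationConfiguration -DomainId $domain -InternalDomainFederationId $_.Id
        }

    # Step 3: recreate federation. IssuerUri is derived from the domain so that
    # it is unique per domain (mzahneissen's point); the sign-in endpoints and the
    # certificate are shared because it is the same IdP. Assumes the ADFS issuer
    # rule emits http://<domain>/adfs/services/trust/ for each federated domain.
    $federation = @{
        DomainId                        = $domain
        DisplayName                     = "$IdpHost ($domain)"
        IssuerUri                       = "http://$domain/adfs/services/trust/"
        PassiveSignInUri                = "https://$IdpHost/adfs/ls/"
        ActiveSignInUri                 = "https://$IdpHost/adfs/services/trust/2005/usernamemixed"
        MetadataExchangeUri             = "https://$IdpHost/adfs/services/trust/mex"
        SignOutUri                      = "https://$IdpHost/adfs/ls/"
        SigningCertificate              = $signingCert
        PreferredAuthenticationProtocol = "wsFed"   # use "saml" for a SAML 2.0 IdP
        FederatedIdpMfaBehavior         = "acceptIfMfaDoneByFederatedIdp"
    }
    New-MgDomainFederationConfiguration @federation | Out-Null

    # Step 4: verify what the service stored, not what we sent. A wrong value here
    # is the "defective configuration" the thread describes.
    $after = Get-MgDomain -DomainId $domain
    $saved = Get-MgDomainFederationConfiguration -DomainId $domain
    "{0}: {1}, issuer {2}, protocol {3}, mfa {4}" -f $domain,
        $after.AuthenticationType, $saved.IssuerUri,
        $saved.PreferredAuthenticationProtocol, $saved.FederatedIdpMfaBehavior
}
```

Step 4 is the part worth keeping even after everything works: the thread's recurring complaint is that the API accepts and saves a configuration that does not match the IdP and only fails at sign-in time, so reading the stored object back and comparing it to the IdP's metadata is the only check you get before users are locked out.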