Add Support for Multiple Domains for federation with O365

Manmeet Singh
Occasional Contributor

Hi Team,

We currently have ADFS (ADFS is running on Windows 2016) in place for around 100 users who auth to 365 using a single domain, 'domain1.com'. We have federated it and enabled SSO.

We now need to federate additional domains: 'domain2.com' and 'domain3.com'.

The new domains have been added and verified in 365, so they now show as managed domains.

The original domain1.com did not have the -SupportMultipleDomain switch used when it was converted to a federated domain.

What do we need to do here?

Should we remove the Microsoft Online trust from the AD FS federation server Management Console and then update the original domain? Though, I assume it will be done during non-business hours.

Password synch is enabled and we do not want to change passwords of users.
What will be the impact on 100 or more current users of the original domain1.com if we delete the Microsoft Office 365 Identity Platform entry from our AD FS federation server Management Console? Please explain the impact on the production users.

Thanks!

3 Replies
Unfortunately you will have to switch back to standard domain, and then run the command again with the switch this time.
You definitely want to do this during non-business hours.
We now need to federate additional domains: 'domain2.com' and 'domain3.com'.

The new domains have been added and verified in 365, so they now show as managed domains.

Thanks for your reply.
Password synch is enabled and we do not want to change passwords of users.
What will be the impact on 100 or more current users of the original domain1.com if we delete the Microsoft Office 365 Identity Platform entry from our AD FS federation server Management Console? Please explain the impact on the production users.

Thanks!

Hi,

I've done this many times and there really isn't a long out-of-service period, maybe 1 minute or so.

# Connect to Office 365
Connect-MsolService

# Tell Office 365 which ADFS server to use. Must be the primary ADFS server if using Windows Internal DB
Set-MsolADFSContext -Computer <PrimaryADFSServer>

# Convert domain to standard without converting users.
Convert-MsolDomainToStandard -DomainName <yourdomain> -PasswordFile pwd.txt -SkipUserConversion $true
# Convert domain back to federated
Convert-MsolDomainToFederated -DomainName <yourdomain> -SupportMultipleDomain

# In secondary ADFS servers, restart ADFS service to update the config data
Restart-Service ADFSSrv
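
A read-only check to run before and after the steps in the last reply, as an added example that is not part of any reply in this thread: it reports each domain's authentication type and issuer URI and flags domains that are not yet on a per-domain issuer. The domain names are the thread's placeholders and `Get-FederationState` is a hypothetical helper name; it assumes the MSOnline session opened with `Connect-MsolService` above.

```powershell
# Added example (not from the thread). Read-only: it changes no settings.
# Domain names are the placeholders used in the original question.
$domains = 'domain1.com', 'domain2.com', 'domain3.com'

function Get-FederationState {            # hypothetical helper name
    param([string[]]$DomainName)
    foreach ($d in $DomainName) {
        $dom    = Get-MsolDomain -DomainName $d
        $issuer = $null
        # Federation settings only exist once a domain is federated.
        if ($dom.Authentication -eq 'Federated') {
            $issuer = (Get-MsolDomainFederationSettings -DomainName $d).IssuerUri
        }
        [pscustomobject]@{
            Domain          = $d
            Authentication  = $dom.Authentication   # Managed or Federated
            IssuerUri       = $issuer
            # With -SupportMultipleDomain the issuer is built from the
            # domain name: http://<domain>/adfs/services/trust/
            PerDomainIssuer = [bool]($issuer -and $issuer -like "*://$d/*")
        }
    }
}

$state = Get-FederationState -DomainName $domains
$state | Format-Table -AutoSize

# Domains listed here are still Managed, or are federated with the
# single-domain issuer (domain1.com before the round trip shown above).
$pending = $state | Where-Object { -not $_.PerDomainIssuer }
if ($pending) {
    Write-Warning ("Not on a per-domain issuer: " + ($pending.Domain -join ', '))
}

# Every federated domain must have its own IssuerUri; report any that collide.
$state | Where-Object IssuerUri | Group-Object IssuerUri |
    Where-Object Count -gt 1 |
    ForEach-Object { Write-Warning "Shared IssuerUri: $($_.Name)" }
```

Run it once before the change to record the starting state, and again after `Convert-MsolDomainToFederated -SupportMultipleDomain` has been run for each domain; no warnings on the second run means all three domains are federated with distinct issuers.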

 
