Add Support for Multiple Domains for federation with O365


Hi Team,


We currently have ADFS (running on Windows 2016) in place for around 100 users authenticating to 365 using a single domain, 'domain1.com'. We have federated it and enabled SSO.


We now need to federate additional domains: 'domain2.com' and 'domain3.com'.

The new domains have been added and verified in 365, so they now show as managed domains.


The original domain1.com did not have the -SupportMultipleDomain switch used when it was converted to a federated domain.

What do we need to do here?

Should we remove the Microsoft Online trust from the AD FS federation server Management Console and then update the original domain? Though, I assume it will be done during non-business hours.

Password sync is enabled and we do not want to change users' passwords.
What will be the impact on the 100 or more current users of the original domain1.com
if we delete the Microsoft Office 365 Identity Platform entry from our AD FS federation server Management Console? Please explain the impact on the production users.

Thanks!

3 Replies
Unfortunately you will have to switch back to standard domain, and then run the command again with the switch this time.
You definitely want to do this during non-business hours.
We now need to federate additional domains: 'domain2.com' and 'domain3.com'.

The new domains have been added and verified in 365, so they now show as managed domains.

Thanks for your reply.
Password sync is enabled and we do not want to change users' passwords.
What will be the impact on the 100 or more current users of the original domain1.com
if we delete the Microsoft Office 365 Identity Platform entry from our AD FS federation server Management Console? Please explain the impact on the production users.

Thanks!

Hi,

I've done this many times and there really isn't a long out-of-service period, maybe 1 minute or so.


# Connect to Office 365 (MSOnline module)
Connect-MsolService

# Tell Office 365 which ADFS server to use. Must be the primary ADFS server if using the Windows Internal Database
Set-MsolADFSContext -Computer <PrimaryADFSServer>

# Convert the domain to standard (managed) without converting users, so no temporary passwords are generated.
# -PasswordFile is still a required parameter; with users skipped, nothing is written to it.
Convert-MsolDomainToStandard -DomainName <yourdomain> -PasswordFile pwd.txt -SkipUserConversion $true

# Convert the domain back to federated, this time with multi-domain support.
# Users cannot sign in between these two commands, which is the short outage mentioned above.
Convert-MsolDomainToFederated -DomainName <yourdomain> -SupportMultipleDomain

# On secondary ADFS servers, restart the ADFS service so they pick up the updated configuration data
Restart-Service ADFSSrv
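As an added example (not code from this thread), the script below wraps the re-federation steps above with the checks a practitioner would want before and after: which authentication type Office 365 reports for each domain, and whether the Office 365 relying party trust on ADFS carries the multi-domain 'issuerid' claim rule that -SupportMultipleDomain creates. It then federates the two already-verified managed domains against the same trust. The domain names, the ADFS host name and the trust display name are assumptions and placeholders; run it on the primary ADFS server with the MSOnline and ADFS modules available.

```powershell
# Added example, not part of the original thread. Placeholders: domain names and ADFS host.
Import-Module MSOnline
Connect-MsolService
Set-MsolADFSContext -Computer "adfs01.corp.local"   # placeholder: primary ADFS server

$allDomains   = @("domain1.com", "domain2.com", "domain3.com")   # placeholder domains
$extraDomains = @("domain2.com", "domain3.com")

function Show-DomainState {
    # Report each domain's authentication type (Managed/Federated) as Office 365 sees it,
    # and for federated domains the issuer URI that ADFS is expected to present.
    foreach ($d in $allDomains) {
        $dom = Get-MsolDomain -DomainName $d
        Write-Host ("{0,-15} Status={1,-10} Auth={2}" -f $dom.Name, $dom.Status, $dom.Authentication)
        if ($dom.Authentication -eq "Federated") {
            $fed = Get-MsolDomainFederationSettings -DomainName $d
            Write-Host ("    IssuerUri={0}" -f $fed.IssuerUri)
        }
    }
}

function Test-MultiDomainTrust {
    # With -SupportMultipleDomain, the Office 365 relying party trust gets an issuance
    # transform rule that emits the 'issuerid' claim derived from the user's UPN suffix.
    # If that rule is absent, the domain was federated without the switch.
    $rp = Get-AdfsRelyingPartyTrust -Name "Microsoft Office 365 Identity Platform"
    if ($null -eq $rp) {
        Write-Warning "Office 365 relying party trust not found on this ADFS server"
        return $false
    }
    $hasIssuerId = [bool]($rp.IssuanceTransformRules -match "issuerid")
    Write-Host "issuerid claim rule present: $hasIssuerId"
    return $hasIssuerId
}

Write-Host "=== Before ==="
Show-DomainState
Test-MultiDomainTrust | Out-Null

# Run the Convert-MsolDomainToStandard / Convert-MsolDomainToFederated -SupportMultipleDomain
# steps from the reply above for domain1.com at this point.

# Federate the additional, already-verified managed domains against the same trust.
foreach ($d in $extraDomains) {
    Convert-MsolDomainToFederated -DomainName $d -SupportMultipleDomain
}

Write-Host "=== After ==="
Show-DomainState
if (-not (Test-MultiDomainTrust)) {
    Write-Warning "Multi-domain claim rule still missing; verify the trust before users are affected"
}
```

Running the "Before" section on its own is a safe way to confirm, ahead of the maintenance window, that domain1.com was indeed federated without multi-domain support; the "After" check catches the case where the trust was recreated but the issuerid rule did not appear, which would leave sign-ins for the extra domains failing.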