AD FS & Office 365 Multi Domain Federation

It often happens that a customer has more than one email domain in the On-Premises infrastructure. This should be considered when you plan to deploy AD FS to enable Single Sign-On with Office 365.
With the newest version of Azure AD Connect, the steps to federate On-Premises AD DS with Azure AD are fully automated, though the wizard assumes that the domain specified during its steps is the only domain you want to federate (if you need an overview of the Azure AD Connect step-by-step configuration, please refer to Microsoft Docs here).

When you have more than one domain, this will disrupt user logins to Office 365 apps. To resolve this you need to change the federation mode configured by the wizard manually, using PowerShell, and set it to Multi Domain federation.
To do this, follow these steps:

  1. Delete the Relying Party Trust directly from the AD FS server.
  2. Open the Windows Azure Active Directory Module for Windows PowerShell on the server where Azure AD Connect is installed.
  3. Execute these PowerShell commands:

     # Prompt for Azure AD administrator credentials and connect to the tenant
     $cred = Get-Credential
     Connect-MsolService -Credential $cred
     # Point the MSOnline federation cmdlets at the internal AD FS server
     Set-MsolADFSContext -Computer <internalADFSserverName>
     # Re-create the federation trust for the domain with multi-domain support
     Update-MsolFederatedDomain -DomainName <FederatedDomainFQDN> -SupportMultipleDomain

At this point, if you want to add another domain to your AD FS federation, you need to convert it from Managed to Federated, again with multi-domain support:

     Convert-MsolDomainToFederated -DomainName <DomainToAddFQDN> -SupportMultipleDomain

Finally, Get-MsolDomain will show you the list of Azure AD domains and their authentication method (Federated or Managed).

For domains whose authentication method is Federated, AD FS provides Single Sign-On; for Managed domains, the Password Sync provided by Azure AD Connect is still enabled.
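As an added example (not code from the original post), the following PowerShell script, meant to run after the Connect-MsolService and Set-MsolADFSContext steps above, audits the tenant's domains with Get-MsolDomain, converts only the verified Managed ones with -SupportMultipleDomain, and then re-checks that each requested domain reports Federated. The domain names in $DomainsToFederate are constructed sample values, and the $DryRun switch is a parameter chosen for this example; both are assumptions, not part of the MSOnline module.

```powershell
# Added example (not from the original post): audit Azure AD domains and
# convert the Managed ones listed in $DomainsToFederate to Federated with
# multi-domain support. Assumes the MSOnline module is installed, that
# Connect-MsolService and Set-MsolADFSContext have already been run, and
# that the trust was rebuilt with Update-MsolFederatedDomain -SupportMultipleDomain.
# $DomainsToFederate and $DryRun are names chosen for this example.
param(
    [string[]]$DomainsToFederate = @('corp.example.com', 'sub.example.com'),  # constructed sample values
    [switch]$DryRun
)

# Snapshot the current state so the change is auditable afterwards.
$before = Get-MsolDomain | Select-Object Name, Status, Authentication
Write-Host "Domains before the change:"
$before | Format-Table -AutoSize

foreach ($domain in $DomainsToFederate) {
    $entry = $before | Where-Object { $_.Name -eq $domain }

    if (-not $entry) {
        Write-Warning "$domain is not registered in this tenant; skipping."
        continue
    }
    if ($entry.Status -ne 'Verified') {
        Write-Warning "$domain is not verified yet; verify it before federating."
        continue
    }
    if ($entry.Authentication -eq 'Federated') {
        Write-Host "$domain is already Federated; nothing to do."
        continue
    }

    if ($DryRun) {
        Write-Host "[DryRun] Would run: Convert-MsolDomainToFederated -DomainName $domain -SupportMultipleDomain"
        continue
    }

    # -SupportMultipleDomain keeps the multi-domain federation configured above;
    # omitting it would fall back to the single-domain behaviour of the wizard.
    Convert-MsolDomainToFederated -DomainName $domain -SupportMultipleDomain
}

# Verify: every requested domain should now report Federated.
$after = Get-MsolDomain | Select-Object Name, Status, Authentication
$notFederated = $after | Where-Object {
    ($DomainsToFederate -contains $_.Name) -and ($_.Authentication -ne 'Federated')
}
if ($notFederated) {
    Write-Warning "These requested domains are still not Federated:"
    $notFederated | Format-Table -AutoSize
} else {
    Write-Host "All requested domains are Federated."
}
```

Run it once with -DryRun to see which domains would be touched before making any change, and keep the "before" listing it prints as the record of the state you started from.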

Hope this could help in your journey to the Cloud.
