The federation service identifier is a URI that uniquely identifies a federation service. The federation service is an instance of AD FS that functions as the security token service. You can view the IssuerUri by using the PowerShell command `Get-MsolDomainFederationSettings -DomainName`.

A problem arises when you add more than one top-level domain. For example, let's say you have set up federation between Azure AD and your on-premises environment. For this document, the domain, is being used. Now a second, top-level domain, has been added.

When you attempt to convert the domain to be federated, an error occurs. The reason is, Azure AD has a constraint that does not allow the IssuerUri property to have the same value for more than one domain.

To work around this constraint, you need to add a different IssuerUri, which can be done by using the `-SupportMultipleDomain` parameter. This parameter is used with the following cmdlets:

This parameter makes Azure AD configure the IssuerUri so that it is based on the name of the domain. The IssuerUri will be unique across directories in Azure AD. Using the parameter allows the PowerShell command to complete successfully.

Looking at the screenshot for the domain you can see the following settings:

SupportMultipleDomain does not change the other endpoints, which are still configured to point to the federation service on.

SupportMultipleDomain also ensures that the AD FS system includes the proper Issuer value in tokens issued for Azure AD. This value is set by taking the domain portion of the user's UPN and using it as the domain in the IssuerUri, that is, `{upn suffix}/adfs/services/trust`.

Thus during authentication to Azure AD or Microsoft 365, the IssuerUri element in the user's token is used to locate the domain in Azure AD. If a match cannot be found, the authentication will fail.

For example, if a user's UPN is the IssuerUri element in the token, AD FS issuer, will be set to. This element will match the Azure AD configuration, and authentication will succeed.

The following customized claim rule implements this logic:

```
c: => issue(Type = "", Value = regexreplace(c.Value, "
```

**Important:** In order to use the `-SupportMultipleDomain` switch when attempting to add new or convert already existing domains, your federated trust needs to have already been set up to support them.

### How to update the trust between AD FS and Azure AD

If you did not set up the federated trust between AD FS and your instance of Azure AD, you may need to re-create this trust. The reason is, when it is originally set up without the `-SupportMultipleDomain` parameter, the IssuerUri is set with the default value. In the screenshot below, you can see the IssuerUri is set to.

If you have successfully added a new domain in the Azure portal and then attempt to convert it using `Convert-MsolDomaintoFederated -DomainName`, you will get the following error. If you try to add the `-SupportMultipleDomain` switch, you will receive the following error: Simply trying to run `Update-MsolFederatedDomain -DomainName -SupportMultipleDomain` on the original domain will also result in an error.

Use the steps below to add an additional top-level domain. If you have already added a domain, and did not use the `-SupportMultipleDomain` parameter, start with the steps for removing and updating your original domain. If you have not added a top-level domain yet, you can start with the steps for adding a domain using PowerShell or Azure AD Connect.

Use the following steps to remove the Microsoft Online trust and update your original domain.

1. On your AD FS federation server open AD FS Management.
2. On the left, expand Trust Relationships and Relying Party Trusts.
3. On the right, delete the Microsoft Office 365 Identity Platform entry.
4. On a machine that has Azure Active Directory Module for Windows PowerShell installed on it run the following PowerShell: `$cred=Get-Credential`.
5. Enter the username and password of a Hybrid Identity Administrator for the Azure AD domain you are federating with.
6. In PowerShell, enter `Connect-MsolService -Credential $cred`.
7. In PowerShell, enter `Update-MSOLFederatedDomain -DomainName -SupportMultipleDomain`. So using the above domains it would be: `Update-MsolFederatedDomain -DomainName -SupportMultipleDomain`.

Use the following steps to add the new top-level domain using PowerShell.

1. Enter the username and password of a Hybrid Identity Administrator for the Azure AD domain you are federating with.
2. In PowerShell, enter `New-MsolFederatedDomain –SupportMultipleDomain –DomainName`.

Use the following steps to add the new top-level domain using Azure AD Connect.

1. Launch Azure AD Connect from the desktop or start menu.
2. Choose "Add an additional Azure AD Domain".
3. Enter your Azure AD and Active Directory credentials.
4. Select the second domain you wish to configure for federation.

By using the PowerShell command `Get-MsolDomainFederationSettings -DomainName` you can view the updated IssuerUri.
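The two things worth checking after the steps above are the ones the article describes: that every federated domain has its own IssuerUri (the uniqueness constraint Azure AD enforces), and that each IssuerUri is the per-domain value derived from the UPN suffix, which is what the claim rule emits and what Get-MsolDomainFederationSettings should show once -SupportMultipleDomain has been applied. The script below is an added example and is not part of the original article or of Microsoft's documentation. It uses only the MSOnline cmdlets the article itself names (Connect-MsolService, Get-MsolDomainFederationSettings) plus Get-MsolDomain to enumerate federated domains. The helper names Get-ExpectedIssuerUri, Test-FederatedIssuerUris and Get-TenantFederationSettings, the sample domains, and the https scheme are this example's own assumptions; the article's extract does not state the scheme, so it is a parameter.

```powershell
# Added example, not the article's code. Assumes the MSOnline module cmdlets
# Connect-MsolService, Get-MsolDomain and Get-MsolDomainFederationSettings.

function Get-ExpectedIssuerUri {
    # Mirrors the claim-rule logic the article describes: take the domain portion
    # of the UPN (everything after '@') and use it as the host in
    # <scheme>://<upn suffix>/adfs/services/trust. Scheme is an assumption.
    param(
        [Parameter(Mandatory)][string]$Upn,
        [string]$Scheme = 'https'
    )
    if ($Upn -notmatch '^[^@]+@(?<domain>[^@]+)$') {
        throw "Not a UPN: '$Upn'"
    }
    $suffix = $Matches['domain'].ToLowerInvariant()
    return "${Scheme}://$suffix/adfs/services/trust"
}

function Test-FederatedIssuerUris {
    # Input: objects with DomainName and IssuerUri (one per federated domain).
    # Output: one row per domain flagging
    #   IsShared    - the IssuerUri is also used by another domain (Azure AD rejects this)
    #   IsPerDomain - the IssuerUri already is the per-domain value -SupportMultipleDomain produces
    param(
        [Parameter(Mandatory)][object[]]$Settings,
        [string]$Scheme = 'https'
    )
    # Count how many domains share each IssuerUri (trailing slash and case ignored).
    $issuerCount = @{}
    foreach ($s in $Settings) {
        $key = $s.IssuerUri.TrimEnd('/').ToLowerInvariant()
        $issuerCount[$key] = 1 + [int]$issuerCount[$key]
    }
    foreach ($s in $Settings) {
        $actual   = $s.IssuerUri.TrimEnd('/').ToLowerInvariant()
        $expected = Get-ExpectedIssuerUri -Upn "user@$($s.DomainName)" -Scheme $Scheme
        [pscustomobject]@{
            DomainName        = $s.DomainName
            IssuerUri         = $s.IssuerUri
            ExpectedIssuerUri = $expected
            IsPerDomain       = ($actual -eq $expected)
            IsShared          = ($issuerCount[$actual] -gt 1)
        }
    }
}

function Get-TenantFederationSettings {
    # Live collection against a tenant. Run Connect-MsolService -Credential $cred
    # first, exactly as in the article's steps.
    foreach ($d in (Get-MsolDomain | Where-Object { $_.Authentication -eq 'Federated' })) {
        $fs = Get-MsolDomainFederationSettings -DomainName $d.Name
        [pscustomobject]@{ DomainName = $d.Name; IssuerUri = $fs.IssuerUri }
    }
}

# Constructed sample (not real tenant data): two domains still carry the shared
# default IssuerUri of the federation service, one is already on a per-domain value.
$sample = @(
    [pscustomobject]@{ DomainName = 'contoso.example';  IssuerUri = 'https://adfs.contoso.example/adfs/services/trust' }
    [pscustomobject]@{ DomainName = 'fabrikam.example'; IssuerUri = 'https://adfs.contoso.example/adfs/services/trust' }
    [pscustomobject]@{ DomainName = 'tailspin.example'; IssuerUri = 'https://tailspin.example/adfs/services/trust/' }
)
Test-FederatedIssuerUris -Settings $sample | Format-Table -AutoSize
```

The sample section runs offline; against a tenant, replace `$sample` with the output of `Get-TenantFederationSettings` after `Connect-MsolService`. A row with IsShared set is exactly the situation the IssuerUri constraint rejects, and each such domain still needs `Update-MsolFederatedDomain -DomainName <domain> -SupportMultipleDomain` (placeholder domain) from the steps above; a row with IsPerDomain set is what Get-MsolDomainFederationSettings should report once the update has been made.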