
Multiple #Office365 domains (UPN suffixes) per ADFS Farm

5 Followers | 14 Replies | 3 verified answers | Answered (Verified)

We are trying to achieve multiple UPN suffix federation in a single ADFS farm.

Scenario:

Single Active Directory forest:

Single Active Directory domain.

Primary domain = a.com

Additional UPN for child firm login = b.com

Primary domain = "a.com" (this is a simple and straightforward process; we already did that).

Let's take an example: an organization is using an additional UPN for its child firm name, "b.com", and we want to federate that domain as well in the ADFS farm. Is this doable or not?

All Replies
  • Hello Arsaleng82,

    Do you want to deploy single sign-on (SSO) by using AD FS 2.0 and use multiple top-level domains for users' user principal name (UPN) suffixes within their organization (for example, @contoso.us or @contoso.de)?

    If so, yes.
    Please refer to the following articles to use ADFS 2.0 RU1 to achieve it.
    http://support.microsoft.com/kb/2607496
    http://community.office365.com/en-us/w/sso/support-for-multiple-top-level-domains.aspx

    Best regards,
    Claud

  • Thanks for the reply. Can you please confirm whether I need an additional SSL certificate for my secondary parent domain name, as I already have my SSL certificate for my primary parent domain?

  • Hi Arsaleng82,

    Based on my understanding, there is no need to purchase an additional SSL certificate for the secondary domain; the SSL certificate should match the FQDN of your ADFS farm.

    Thanks,
    Reken Liu

  • Thanks for the reply. I have tried it, but I need more clarification. I am following community.office365.com/.../support-for-multiple-top-level-domains.aspx; that link mentions in step 3 "Update-MsolFederatedDomain -DomainName <domainname>". Do I need to use the secondary parent domain here? If yes, I am facing an issue:

    Update-MsolFederatedDomain : The domain is not configured for single sign-on and cannot be updated.

    At line:1 char:27

  • Hi Arsaleng82,

    The secondary parent domain should have been converted to a federated domain first, before you run the cmdlet Update-MsolFederatedDomain. Please use the following cmdlet to convert it first:

    Convert-MsolDomainToFederated -DomainName <domain>

    Please note that it is recommended to run the above cmdlet on your ADFS server; otherwise you have to run the cmdlet Set-MsolADFSContext -Computer <AD FS 2.0 primary server> before you convert a domain to federated.

    Thanks,
    Reken Liu

  • Thanks for the reply. Yes, I have done that, but after doing that my primary domain federation is working while the secondary federated domain is not working and gives me this error:

    Your organization could not sign you in to this service.

    There may be a system error. Please contact administrator at your organization if this problem persists.

  • How can I run that command?

    Update-MsolFederatedDomain -DomainName <domainname> -SupportMultipleDomain

    Regarding this command, I am running it like that. How can I run this command if I have multiple domains? Let's suppose:

    Domain a "Primary Domain"

    Domain b "Secondary Domain"

    And how can I verify that my ADFS server is configured to support multiple domains? I have verified all configuration from MSOL PowerShell by running this command:

    Get-MsolFederationProperty -DomainName <domain> -SupportMultipleDomain

    I ran this command one by one for both my domains and all configuration matched between Office 365 and my ADFS server.

  • Hello Arsaleng82,

    From the description, I suppose that you have deployed Single Sign-On (SSO) for "a.com". Based on the current situation, you may try the following steps to deploy SSO for "b.com" and see if it works.
    1. Use the Convert-MsolDomainToStandard command to convert "a.com" from a federated to a standard domain.
    http://onlinehelp.microsoft.com/en-us/office365-enterprises/hh125002.aspx#BKMK_sso
    2. Convert "a.com" back to federated with the parameter -SupportMultipleDomain.
    Convert-MsolDomainToFederated -DomainName <domain> -SupportMultipleDomain
    3. If you have already converted "b.com" to federated, please convert it back to a standard domain first, then follow the same steps as for "a.com" to convert it to federated with the parameter -SupportMultipleDomain.

    Best regards,
    Claud

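The re-federation steps in Claud's reply above, combined with the per-domain check Arsaleng82 ran with Get-MsolFederationProperty, as an added PowerShell example that is not code from the thread or from Microsoft. It assumes the MSOnline module, a Global Admin account, the domains a.com and b.com from the question, a placeholder AD FS primary server name ADFS01 and a placeholder password-file path; the Test-FederationMatch function and the Source-label matching inside it are my own.

```powershell
# Added example (not from the thread): re-federate a.com with -SupportMultipleDomain,
# then federate b.com, and verify that AD FS and Office 365 agree for each domain.
# Assumptions: MSOnline module installed, AD FS 2.0 primary server "ADFS01" (placeholder),
# password file path is a placeholder. Run as a tenant Global Admin.
Import-Module MSOnline
Connect-MsolService                       # prompts for tenant admin credentials
Set-MsolADFSContext -Computer "ADFS01"    # only needed when not run on the AD FS primary

$PrimaryDomain   = "a.com"
$SecondaryDomain = "b.com"
$PasswordFile    = "C:\temp\temp-passwords.txt"   # placeholder; receives temporary passwords

# Steps 1-3 from the reply: a domain federated WITHOUT SupportMultipleDomain must go back
# to standard and be re-federated, because the trust's issuer URI has to become per-domain
# (http://<domain>/adfs/services/trust/) instead of the farm's single issuer URI.
foreach ($d in @($PrimaryDomain, $SecondaryDomain)) {
    $dom = Get-MsolDomain -DomainName $d
    if ($dom.Authentication -eq "Federated") {
        # -SkipUserConversion $true leaves users' cloud passwords untouched (see Claud's later reply)
        Convert-MsolDomainToStandard -DomainName $d -PasswordFile $PasswordFile -SkipUserConversion $true
    }
    Convert-MsolDomainToFederated -DomainName $d -SupportMultipleDomain
}

# Verification: with -SupportMultipleDomain both sides must report the same issuer URI and
# token-signing certificate for EVERY domain; a mismatch on b.com is one cause of the generic
# "There may be a system error" page quoted earlier in the thread.
function Test-FederationMatch {
    param([string]$DomainName)
    $props = Get-MsolFederationProperty -DomainName $DomainName -SupportMultipleDomain
    # Source labels as reported by the MSOnline module: "ADFS Server" / "Microsoft Office 365"
    $adfs  = $props | Where-Object { $_.Source -like "ADFS*" }
    $cloud = $props | Where-Object { $_.Source -like "Microsoft*" }
    $sameIssuer = $adfs.FederationServiceIdentifier -eq $cloud.FederationServiceIdentifier
    $sameCert   = ($null -ne $adfs.TokenSigningCertificate) -and
                  ($adfs.TokenSigningCertificate.Thumbprint -eq $cloud.TokenSigningCertificate.Thumbprint)
    [pscustomobject]@{
        Domain = $DomainName
        Match  = ($sameIssuer -and $sameCert)
        Issuer = $cloud.FederationServiceIdentifier
    }
}

@($PrimaryDomain, $SecondaryDomain) | ForEach-Object { Test-FederationMatch $_ } | Format-Table -AutoSize
```

Each domain should show Match = True and its own issuer URI; if only the primary domain matches, the farm is still federated with the single-issuer trust and the conversion steps above were not applied to it.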
  • I tried, but it is asking for the password file and other attributes:

    PS C:\Windows\system32> Convert-MsolDomainToStandard -DomainName soarix.com

    cmdlet Convert-MsolDomainToStandard at command pipeline position 1

    Supply values for the following parameters:

    PasswordFile:

    I already converted that domain to a federated domain, and when I log in with my secondary parent domain "b.com" it redirects to the ADFS server, but when I provide my password it shows me the following error:

    There may be a system error. Please contact administrator at your organization if this problem persists

    I don't want to convert my domain to standard, as it is working fine, and I read that all users get assigned a temporary password for that. So, in a case where we have already configured SSO with our primary domain, what is the best approach to add another secondary parent domain in my scenario, other than that?

  • Hello Arsaleng82,

    Thanks for your feedback.
    For your question about the Convert-MsolDomainToStandard command:
    You may refer to the following example to convert the domain to standard.
    Convert-MsolDomainToStandard -DomainName domain.com -PasswordFile d:\password.txt -SkipUserConversion $true

    In addition, as for the concern about updating the second domain to SupportMultipleDomain directly:
    From my understanding, if both domains need to be used for Single Sign-On, the first domain should have had the SupportMultipleDomain parameter added when it was converted to a federated domain. As a result, it is necessary to re-convert the first domain to federated with the SupportMultipleDomain parameter before deploying the second domain for Single Sign-On.

    Best regards,
    Claud

  • Hello Arsaleng82,

    How are things going?
    Do you need further assistance on the issue?

    Best regards,
    Claud

  • Hi Claud,

    Thanks for your follow-up. Yes, I have tried it and it works for me; thanks for your support and overall assistance. There is one thing left on which I need more clarification: once an environment was already federated with Office 365, do you think it is good to convert it back to a standard domain? What happens if we again convert it to a federated domain; does it impact the existing setup? I have already tried this on my test bed, as there was a requirement to do so.

    Another thing I need to test is restricting Office 365 services by using an ADFS claim rule. My only concern is that there is a requirement to restrict Office 365 services for all users, except for a limited set of users who are allowed to use all services. I have tried using an Active Directory security group, but it does not work for me. I also tested this scenario using TMG, and it successfully blocks Office 365 Exchange Online and SharePoint Online, but what about Lync, ActiveSync and Exchange rich client Outlook access using Autodiscover? If you have any idea, I will be grateful to you.

    Thanks again for your support.

  • Hello Arsaleng82,

    Thank you for your update. I am glad that things are going well now.

    Just for information, it is only necessary to convert the domain back to standard if you had already converted the domain to federated without SupportMultipleDomain before. Meanwhile, converting a domain between standard and federated will not cause loss of data, for example users' email.

    For the second problem, do you want to prevent specific users from accessing the online services of Office 365? If yes, you can simply remove the Office 365 license for these users to achieve this.

    Thank you.

    Jack Sun

  • Hello Arsaleng82,

    Is the information above useful?
    Do you need any other assistance with using Office 365?

    Best regards,
    Claud
