We are trying to achieve multiple UPN suffix federation in a single ADFS farm.
Single Active Directory forest:
Single Active Directory domain.
Primary domain = a.com
Additional UPN for child firm login = b.com
Primary domain = "a.com" (this is a simple and straightforward process; we already did that)
Let's take an example: an organization is using an additional UPN for its child firm named "b.com", and we want to federate that domain as well in the ADFS farm. Is this doable or not?
Do you want to deploy single sign-on (SSO) by using AD FS 2.0 and use multiple top level domains for users' user principal name (UPN) suffixes within their organization (for example, @contoso.us or @contoso.de)?
If so, yes.
Please refer to the following articles to use ADFS 2.0 Ru1 to achieve it.
I tried, but it is asking for the password file and other attributes:
PS C:\Windows\system32> Convert-MsolDomainToStandard -DomainName soarix.com
cmdlet Convert-MsolDomainToStandard at command pipeline position 1
Supply values for the following parameters:
I already converted that domain to a federated domain, and when I log in with my secondary parent domain "b.com" it redirects to the ADFS server, but when I provide my password it shows me the following error:
There may be a system error. Please contact administrator at your organization if this problem persists
I don't want to convert my domain to standard, as it is working fine, and I read that all users get assigned a temporary password in that case. So, where we have already configured SSO with our primary domain, what is the best approach to add another secondary parent domain in my scenario other than that?
Thanks for your feedback.
For your question about Convert-MsolDomainToStandard command:
You may refer to the following example to convert the domain to be standard.
Convert-MsolDomainToStandard -DomainName domain.com -PasswordFile d:\password.txt -SkipUserConversion $true
In addition, as for the concern about updating the second domain to be SupportMultipleDomain directly:
From my understanding, if both domains need to be used for Single Sign-On, the first domain should have been added with the SupportMultipleDomain parameter when converting to a federated domain. As a result, it is necessary to re-convert the first domain to federated with the SupportMultipleDomain parameter before deploying the second domain for Single Sign-On.
Thanks for the reply. Can you please confirm whether I need an additional SSL certificate for my secondary parent domain name, as I already have my SSL certificate for my primary parent domain?
Based on my understanding, there is no need to purchase an additional SSL certificate for the secondary domain; the SSL certificate should match the FQDN of your ADFS farm.
Thanks for the reply. I have tried, but I need more clarification. I am following community.office365.com/.../support-for-multiple-top-level-domains.aspx; in step 3 of that link it mentions Update-MsolFederatedDomain -DomainName <domainname>. Do I need to use the secondary parent domain here? If yes, I am facing an issue:
Update-MsolFederatedDomain : The domain is not configured for single sign-on and cannot be updated.
At line:1 char:27
The secondary parent domain should have been converted to a federation domain first before you run the cmdlet Update-MsolFederatedDomain. Please use the following cmdlet to convert it first:
Convert-MsolDomainToFederated -DomainName <domain>
Please note that it is recommended to run the above cmdlet on your ADFS server; otherwise you have to run the cmdlet Set-MsolADFSContext -Computer <AD FS 2.0 primary server> before you convert a domain to federated.
Thanks for the reply. Yes, I have done that, but after doing so my primary domain federation is working while the secondary federated domain is not working and gives me this error:
Your organization could not sign you in to this service.
There may be a system error. Please contact administrator at your organization if this problem persists.
How can I run that command?
Update-MsolFederatedDomain -DomainName <domainname> -SupportMultipleDomain: regarding this command, I am running it like that.
How can I run this command if I have multiple domains? Let's suppose:
Domain a "Primary Domain"
Domain b "Secondary Domain"
And how can I verify that my ADFS server is configured to support multiple domains? I have verified all configuration from MSOL PowerShell by running this command:
Get-MsolFederationProperty -DomainName <domain> -SupportMultipleDomain
I ran this command one by one for both of my domains, and all configuration matches between Office 365 and my ADFS server.
From the description, supposed that you have deployed Single Sign-On (SSO) for “a.com”. Based on the current situation, you may try the following steps to deploy SSO for “b.com” to see if it works.
1. Use Convert-MsolDomainToStandard command to convert “a.com” from federated to standard domain.
2. Convert "a.com" back to federated with the parameter -SupportMultipleDomain:
Convert-MsolDomainToFederated -DomainName <domain> -SupportMultipleDomain
3. If you have already converted "b.com" to federated, please convert it back to a standard domain first, then follow the same steps as for "a.com" to convert it to federated with the parameter -SupportMultipleDomain.
How are the things going?
In addition, do you need further assistance on the issue?
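As an added illustration of the three steps above and the Get-MsolFederationProperty check mentioned earlier (example script, not from the thread or from Microsoft), this runs the re-federation for both domains and then compares the Office 365 and AD FS sides; the AD FS server name and password-file path are placeholders.

```powershell
# Added example: re-federate the primary domain with -SupportMultipleDomain,
# then federate the additional UPN suffix. Assumes the MSOnline module,
# tenant admin credentials, and an AD FS 2.0 primary server reachable by name.
Import-Module MSOnline
Connect-MsolService                              # prompts for tenant admin credentials
Set-MsolADFSContext -Computer 'adfs01.a.com'     # placeholder: the primary AD FS server

$primary   = 'a.com'          # already federated, but without -SupportMultipleDomain
$secondary = 'b.com'          # additional UPN suffix used by the child firm
$pwdFile   = 'D:\password.txt' # placeholder: required by Convert-MsolDomainToStandard

# Returns $true when the Office 365 row and the AD FS row returned by
# Get-MsolFederationProperty carry the same federation service identifier.
function Test-FederationMatch {
    param([string]$Domain)
    $props = @(Get-MsolFederationProperty -DomainName $Domain -SupportMultipleDomain)
    $ids   = @($props | Select-Object -ExpandProperty FederationServiceIdentifier -Unique)
    return ($props.Count -eq 2 -and $ids.Count -eq 1)
}

# Converts a domain to standard only if it is currently federated, then
# federates it with -SupportMultipleDomain. -SkipUserConversion $true skips
# the per-user conversion (and temporary passwords) because the domain is
# re-federated immediately afterwards.
function Set-MultiDomainFederation {
    param([string]$Domain)
    if ((Get-MsolDomain -DomainName $Domain).Authentication -eq 'Federated') {
        Convert-MsolDomainToStandard -DomainName $Domain -PasswordFile $pwdFile -SkipUserConversion $true
    }
    Convert-MsolDomainToFederated -DomainName $Domain -SupportMultipleDomain
}

# Steps 1-2 for the primary domain, step 3 for the secondary domain
Set-MultiDomainFederation -Domain $primary
Set-MultiDomainFederation -Domain $secondary

# Verification: both sides must agree for each domain before users sign in
foreach ($d in @($primary, $secondary)) {
    if (Test-FederationMatch -Domain $d) {
        Write-Output "$d : Office 365 and AD FS federation settings match"
    } else {
        Write-Warning "$d : settings differ; run Update-MsolFederatedDomain -DomainName $d -SupportMultipleDomain"
    }
}
```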
Thanks for your follow-up. Yes, I have tried it and it works for me; thanks for your support and overall assistance. There is one thing left on which I need more clarification: once an environment is already federated with Office 365, do you think it is good to convert it back to a standard domain? What happens if we convert it to a federated domain again; does it impact the existing setup? I have already tried this on my test bed, as there was a requirement to do so.
Another thing I need to test is restricting Office 365 services by using an ADFS claim rule. My only concern is that there is a requirement to restrict Office 365 services for all users, with only a limited set of users allowed to use all services. I have tried using an Active Directory security group but it does not work for me. I also tested this scenario using TMG, and it successfully blocks Office 365 Exchange Online and SharePoint Online, but what about Lync, ActiveSync and Exchange rich client Outlook access using Autodiscover? If you have any idea, I will be grateful to you.
Thanks again for your support.
Thank you for your update. I am glad that the things are going well now.
Just for information, it is only necessary to convert the domain back to standard if you have previously converted the domain to federated without SupportMultipleDomain. Meanwhile, converting a domain between standard and federated will not cause the loss of data, for example users' email.
For the second problem, do you want to prevent specific users from accessing the online services of Office 365? If yes, you can simply remove the Office 365 license from these users to achieve this.
Is the information above useful?
In addition, do you need other assistance about using Office 365?