Before moving on, I would like to confirm the detailed information about the requirement.
You have added the custom domain “contoso.com” to Office 365. Moreover, you deployed Single Sign-On for users with the extension “contoso.com”, such as email@example.com. Now, you added a subdomain “fs.contoso.com” to Office 365 and created users with that extension, such as firstname.lastname@example.org.
You need to let email@example.com sign in to Office 365 via Single Sign-On, and let user firstname.lastname@example.org sign in to Office 365 via cloud-based credentials. Have I got this right?
If so, based on my test, it cannot be achieved in Office 365 currently.
If a subdomain (here is fs.contoso.com) needs to be converted to a federated domain, the root domain (here is contoso.com) needs to be converted to federated first. Moreover, if the root domain is federated, the subdomain will be converted to federated too.
If I misunderstand the issue, please feel free to post detailed information about the current situation and a detailed example of the requirement.
1 out of 1 people found this post helpful.
Thank you for your reply (this gives me a view of the picture). Let me describe my situation in more detail.
- I have o365 Cloud based users logged in with: email@example.com
- I have Active Directory with the following usernames: firstname.lastname@example.org
- I want to do Federation between my AD and my o365 cloud service to use SSO
- I can't use domain contoso.com to be federated domain
- If I use some other domain like @other.com, will I be able to use @contoso.com again for logging in (like on cloud-based o365, where you choose from a list of available domains), or will I only be able to log in with the federated domain or its subdomain (@other.com or @xx.other.com)?
Thanks in advance
Thanks for your feedback.
Based on my test, it isn’t available currently.
As I mentioned in the last reply, in this case, the subdomain (here is ad.contoso.com) cannot be converted to a federated domain directly if the root domain (here is contoso.com) is not a federated domain.
As for the last question:
Do you mean that if one custom domain (here is other.com) is converted to a federated domain, can other users with another custom domain (here is contoso.com) extension use cloud-based credentials to sign in to Office 365?
If so, yes.
I'm writing to follow up my previous reply.
If you need further assistance on this issue, please feel free to post back.
Thanks for following this.
Just one last quick one to completely close this.
- If I use email@example.com before the o365 to local ADFS federation, and after federation I use firstname.lastname@example.org as I can't federate contoso.com, will my users keep @contoso.com for sending and receiving mail, as the new UPN and login name will be email@example.com?
Yes, you can change your user UPN with the command Set-MsolUserPrincipalName. However, you should log in to OWA with your UPN, instead of using the email address.
To confirm the information you have received, the UPN and SMTP addresses don't have to match, but you will want to plan your O365 and on-premises UPN/SMTP association very carefully.
1. If the O365 and on-premises UPN matches, then everything is good and you can stop here.
2. If the O365 and on-premises UPN do NOT match, then the on-premises user object has to have an smtp address that matches the O365 UPN.
Basically, the UPN in O365 needs to be routable back to your ADFS server and then an address (UPN or smtp/SMTP) of the on-premises user needs to be associated with the object that matches the O365 UPN.
Have a great day,
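The UPN/SMTP association rule from the reply above, as an added PowerShell example that is not part of the original thread. It runs on constructed sample objects rather than live AD or Office 365 data; the function name Test-UpnAssociation, the property names, the status labels and the sample users are all assumptions made for illustration.

```powershell
# Constructed sample data (not from a real tenant): each object pairs an
# on-premises AD user with the UPN the same user has in Office 365.
$users = @(
    [pscustomobject]@{ Name = 'alice'; OnPremUpn = 'alice@other.com'
        ProxyAddresses = @('SMTP:alice@contoso.com'); CloudUpn = 'alice@other.com' }
    [pscustomobject]@{ Name = 'bob'; OnPremUpn = 'bob@ad.local'
        ProxyAddresses = @('SMTP:bob@contoso.com', 'smtp:bob@other.com'); CloudUpn = 'bob@other.com' }
    [pscustomobject]@{ Name = 'carol'; OnPremUpn = 'carol@ad.local'
        ProxyAddresses = @('SMTP:carol@contoso.com'); CloudUpn = 'carol@other.com' }
    [pscustomobject]@{ Name = 'dave'; OnPremUpn = 'dave@ad.local'
        ProxyAddresses = @('SMTP:dave@contoso.com'); CloudUpn = 'dave@contoso.com' }
)

# Constructed list of domains that have been converted to federated.
$federatedDomains = @('other.com')

# Hypothetical helper: classifies one user according to the two rules above.
function Test-UpnAssociation {
    param(
        [Parameter(Mandatory)] $User,
        [string[]] $FederatedDomains
    )
    $cloudDomain = ($User.CloudUpn -split '@')[-1]

    # Strip the smtp:/SMTP: prefix; PowerShell string operators ignore case.
    $smtp = @($User.ProxyAddresses |
        Where-Object { $_ -match '^smtp:' } |
        ForEach-Object { $_ -replace '^smtp:', '' })

    $status = if ($FederatedDomains -notcontains $cloudDomain) {
        'CloudCredential'   # domain not federated: sign-in never reaches ADFS
    } elseif ($User.CloudUpn -eq $User.OnPremUpn) {
        'UpnMatch'          # rule 1: O365 and on-premises UPN match
    } elseif ($smtp -contains $User.CloudUpn) {
        'SmtpMatch'         # rule 2: an on-premises smtp address equals the O365 UPN
    } else {
        'NoMatch'           # federated UPN with no matching on-premises address
    }

    [pscustomobject]@{ Name = $User.Name; CloudUpn = $User.CloudUpn; Status = $status }
}

$users | ForEach-Object { Test-UpnAssociation -User $_ -FederatedDomains $federatedDomains } |
    Format-Table -AutoSize
```

With the sample data, alice is reported as UpnMatch, bob as SmtpMatch, carol as NoMatch and dave as CloudCredential; NoMatch is the case that needs fixing before federation is enabled.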
Is the information above useful?
In addition, do you need other assistance about using Office 365?
Yes, it was useful for this first phase of my project.
When I start to implement federation and DirSync of our o365 with on-premises AD, I will have more questions, I guess :)
Thank you, this thread can be closed now.