Background
If you have found this webpage, you are probably trying to federate multiple mail domains registered in Office 365 with a single Identity Provider, which just doesn't work. You may have seen an error similar to the one below.
Set-MsolDomainAuthentication : Unable to complete this action. Try again later.
At line:1 char:1
+ Set-MsolDomainAuthentication -DomainName $dom -Authentication Federat …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [Set-MsolDomainAuthentication], MicrosoftOnlineException
+ FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.InternalServiceException,Microsoft.
Online.Administration.Automation.SetDomainAuthentication
The problem
The problem here is that each mail domain you would like to federate has to be federated with a unique set of Identity Provider URLs. Let's take a look at how that looks as a line of PowerShell.
Set-MsolDomainAuthentication -DomainName "YourMailDomain.com" -Authentication Federated -FederationBrandName "Federation Brand Name" -PassiveLogOnUri "https://your.idp.com/some/cool/saml/jazz" -IssuerUri "https://your.idp.com/some/cool/" -LogOffUri "https://your.idp.com/some/cool/saml/jazz" -PreferredAuthenticationProtocol SAMLP -SigningCertificate "Your Cert Data"
The PassiveLogOnUri, IssuerUri and LogOffUri have to be unique for each mail domain, even if all users exist in a single Azure AD tenant or Identity Provider. This isn't ideal and ultimately means you have to create a new Identity Provider configuration for each mail domain, which leads to duplicated configuration and policies.
The workaround
What I am going to propose below is likely unsupported; follow at your own risk. You have been warned.
So we know the Identity Provider URLs have to be unique per mail domain. What if we modify the URL so that it ultimately points back to the same IdP but, as far as Microsoft is concerned, it is a unique URL?
Let's assign the URLs to variables in PowerShell:
$dom = "YourMailDomain.com"
$fedBrandName = "Federated Brand Name"
# Note the trailing space on each of the three URLs below
$url = "https://your.idp.com/some/cool/saml/jazz "
$uri = "https://your.idp.com/some/cool/saml "
$logoutUrl = "https://your.idp.com/some/cool/saml/jazz "
# Load the IdP signing certificate and base64-encode its DER bytes for -SigningCertificate
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "C:\Cert\IDPCert.crt"
$certData = [System.Convert]::ToBase64String($cert.RawData)
Notice I have added a space to the end of each URL parameter.
As far as Set-MsolDomainAuthentication is concerned, this is a unique URL. For each additional mail domain, add one more trailing space.
Then, to apply the federation settings:
Set-MsolDomainAuthentication -DomainName $dom -Authentication Federated -FederationBrandName $fedBrandName -PassiveLogOnUri $url -IssuerUri $uri -LogOffUri $logoutUrl -PreferredAuthenticationProtocol SAMLP -SigningCertificate $certData
Which means you will end up with something like this when you run Get-MsolDomain
It works, but as I say, very likely unsupported.
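The same trick, generalised to any number of mail domains, as an added example that is not part of the original post: a helper builds one parameter set per domain from a single IdP, padding the three URLs with one more trailing space per domain, and checks that the padded IssuerUri values are distinct strings yet all trim back to the same real IdP URL before anything is written to the tenant. The function name, the example.com/.net/.org domains and the IdP URLs are assumptions; it expects an MSOnline session (Connect-MsolService) to already exist.

```powershell
# Assumed helper (not from the post): one Set-MsolDomainAuthentication parameter set per mail domain.
function New-FederationParameterSet {
    param(
        [Parameter(Mandatory)] [string[]] $MailDomains,
        [Parameter(Mandatory)] [string]   $FederationBrandName,
        [Parameter(Mandatory)] [string]   $PassiveLogOnUri,
        [Parameter(Mandatory)] [string]   $IssuerUri,
        [Parameter(Mandatory)] [string]   $LogOffUri,
        [Parameter(Mandatory)] [string]   $CertificatePath
    )
    # Same certificate handling as the post: load the IdP signing cert, base64-encode the DER bytes.
    $cert     = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertificatePath
    $certData = [System.Convert]::ToBase64String($cert.RawData)
    $sets = @()
    for ($i = 0; $i -lt $MailDomains.Count; $i++) {
        $pad = ' ' * $i   # domain 1: no padding, domain 2: one space, domain 3: two spaces, ...
        $sets += @{
            DomainName                      = $MailDomains[$i]
            Authentication                  = 'Federated'
            FederationBrandName             = $FederationBrandName
            PassiveLogOnUri                 = $PassiveLogOnUri + $pad
            IssuerUri                       = $IssuerUri + $pad
            LogOffUri                       = $LogOffUri + $pad
            PreferredAuthenticationProtocol = 'SAMLP'
            SigningCertificate              = $certData
        }
    }
    # Sanity checks: every IssuerUri must be a distinct string (or the cmdlet fails as in the
    # Background section), and every one must trim back to the same real IdP issuer.
    $issuers = $sets | ForEach-Object { $_.IssuerUri }
    if (($issuers | Select-Object -Unique).Count -ne $issuers.Count) {
        throw 'IssuerUri values are not unique across mail domains.'
    }
    if (($issuers | ForEach-Object { $_.TrimEnd() } | Select-Object -Unique).Count -ne 1) {
        throw 'IssuerUri values do not all point back to the same IdP after trimming.'
    }
    return $sets
}

# Constructed sample input: replace with your own mail domains, IdP endpoints and certificate path.
$sets = New-FederationParameterSet -MailDomains 'example.com','example.net','example.org' `
    -FederationBrandName 'Federated Brand Name' `
    -PassiveLogOnUri 'https://your.idp.com/some/cool/saml/jazz' `
    -IssuerUri       'https://your.idp.com/some/cool/saml' `
    -LogOffUri       'https://your.idp.com/some/cool/saml/jazz' `
    -CertificatePath 'C:\Cert\IDPCert.crt'

foreach ($p in $sets) {
    "$($p.DomainName): IssuerUri length $($p.IssuerUri.Length)"   # shows the growing padding
    Set-MsolDomainAuthentication @p   # splat the hashtable: one call per mail domain
}
```

Run Get-MsolDomain afterwards to confirm each domain now shows Authentication = Federated against its padded URLs.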
Thank you for this article. I spent hours trying to figure this shit out.