If you are an E3 customer and you’ve been setting up federated identities for Office 365 then doubtless you’ll be familiar with the following prose:
Connect-MsolService -Credential $cred
Set-MsolADFSContext -Computer myADFSserver
Convert-MsolDomainToFederated -DomainName mydomain.com
This little bit of Powershell connects the (AD FS) organization to the Microsoft Online domain and converts a standard MSOL domain to a federated one…
Successfully updated ‘mydomain.com’ domain.
And the process completes…cue muffled screams of joyous rapture / sighs of relief (delete as applicable), as we have a federated domain ready for use with Office 365, with SSO to the corporate mothership (AD). For 90% of us this is a most satisfactory result and worthy of a few grunts of appreciation. However, for the 10% whose avaricious nature compels us to add more Internet domains / or we simply have a morbid curiosity that can only be satiated by trying to break things with O365, we decide to try the same command again:
Convert-MsolDomainToFederated -DomainName yourdomain.com
Convert-MsolDomainToFederated : The federation service identifier specified in the Active Directory Federation Services 2.0 server is already in use. Please correct this value in the AD FS 2.0 Management console and run the command again
At line:1 char:30
+ Convert-MsolDomainToFederated <<<< -DomainName yourdomain.com
+ CategoryInfo : InvalidData: (:) [Convert-MsolDomainToFederated], FederationException
+ FullyQualifiedErrorId : DomainLiveNamespaceUriConflict,Microsoft.Online.Identity.Federation.Powershell.ConvertDomainToFederated
Hmm.. this time round the very same command fails .. note that I’m adding a 2nd hypothetical domain called yourdomain.com… Looking at the Office 365 documentation for an explanation of why, a few pearls of wisdom are offered:
“Active Directory Federation Services only allows for one namespace per farm/instance”.
I’ll ghost the words “with Office 365” on the end of that. Apparently, this is an O365 beta issue that is, according to feedback from the forums, slated for resolution before go-live…… if you can’t wait, and need to add a second namespace, it entails standing up a completely new AD FS farm/instance in the meantime… an incentive methinks, if ever I’ve seen one, to move off bare metal and virtualise
4 thoughts on “Office 365 SSO and AD FS 2.0 Namespaces: There can be only one…..”
I have another issue with this process (I think I am somewhere in your 10%).
I didn’t try to add a second domain, but I get a weird message when trying to convert my domain to a federated from standard. Any ideas? See below..
PS C:\Windows\system32> Convert-MsolDomainToFederated -DomainName xxxxx.state.tx.us
Convert-MsolDomainToFederated : Microsoft.Online.Administration.Automation.Doma
At line:1 char:30
+ Convert-MsolDomainToFederated <<<< -DomainName xxxxx.state.tx.us
+ CategoryInfo : NotSpecified: (:) [Convert-MsolDomainToFederated
+ FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.Domai
I’ve not seen that error before. Given that it’s a “ForbiddenWordException”, I wonder whether has something to do with the domain namespace in question. Have you raised a call with O365 support?
I am trying to do the multiple domains but I am not using AD FS for my federation services so how does one use this new command switch -SupportMultipleDomain which only seems to work with powershell commands that are specific to AD FS?
Are you trying to connect up with Shibboleth or another identity provider?