Office 365 SSO and AD FS 2.0 Namespaces: There can be only one…..

If you are an E3 customer and you’ve been setting up federated identities for Office 365 then doubtless you’ll be familiar with the following PowerShell:

$cred = Get-Credential                                   # Microsoft Online administrator credential
Connect-MsolService -Credential $cred                    # authenticate to Microsoft Online
Set-MsolADFSContext -Computer myADFSserver               # point the federation cmdlets at the AD FS 2.0 server
Convert-MsolDomainToFederated -DomainName mydomain.com   # managed (standard) domain -> federated domain

This little bit of PowerShell authenticates to Microsoft Online (Connect-MsolService), points the federation cmdlets at the AD FS 2.0 server (Set-MsolADFSContext) and converts a standard (managed) MSOL domain to a federated one. Behind the scenes Convert-MsolDomainToFederated configures the Microsoft Online relying party trust on the AD FS farm and registers the farm’s federation service identifier, endpoints and token-signing certificate as the domain’s federation settings in the tenant…

Successfully updated ‘mydomain.com’ domain.

And the process completes…cue muffled screams of joyous rapture / sighs of relief (delete as applicable), as we have a federated domain ready for use with Office 365, with SSO to the corporate mothership (AD). For 90% of us this is a most satisfactory result and worthy of a few grunts of appreciation. However, for the 10% of us whose avaricious nature compels us to add more Internet domains, or who simply have a morbid curiosity that can only be satiated by trying to break things in O365, the next step is to run the same command again for a second domain:

Convert-MsolDomainToFederated -DomainName yourdomain.com

Convert-MsolDomainToFederated : The federation service identifier specified in the Active Directory Federation Services 2.0 server is already in use. Please correct this value in the AD FS 2.0 Management console and run the command again

At line:1 char:30
+ Convert-MsolDomainToFederated <<<<  -DomainName yourdomain.com
+ CategoryInfo          : InvalidData: (:) [Convert-MsolDomainToFederated], FederationException
+ FullyQualifiedErrorId : DomainLiveNamespaceUriConflict,Microsoft.Online.Identity.Federation.Powershell.ConvertDomainToFederated

Hmm.. this time round the very same command fails. Note that the second domain is a hypothetical one called yourdomain.com. Looking at the Office 365 documentation for an explanation of why, a few pearls of wisdom are offered:

“Active Directory Federation Services only allows for one namespace per farm/instance”.

I’ll ghost the words “with Office 365” on the end of that. The namespace in question is the federation service identifier (the IssuerUri, by default of the form http://<sts host>/adfs/services/trust): an AD FS 2.0 farm has exactly one, Convert-MsolDomainToFederated registers it as the IssuerUri of the domain being federated, and Microsoft Online requires each federated domain to have its own, because the issuer of an incoming token is how it ties that token back to a domain. Hence the DomainLiveNamespaceUriConflict on the second domain. Apparently this is an O365 beta issue that is, according to feedback from the forums, slated for resolution before go-live…… If you can’t wait and need to add a second namespace, it entails standing up a completely new AD FS farm/instance (with its own identifier) in the meantime… an incentive methinks, if ever I’ve seen one, to move off bare metal and virtualise.
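Here is a way to see the conflict coming before Convert-MsolDomainToFederated throws it, together with the -SupportMultipleDomain route that later versions of the MSOnline module offer (the switch the second comment below asks about). This is an added example, not code from the original post: the server and domain names are the same hypothetical ones used above, it assumes WinRM access to the AD FS server, and it is written for PowerShell 2.0 (no [pscustomobject]) since that is what AD FS 2.0 hosts shipped with.

```powershell
# Added example, not from the original post. Hypothetical names: myADFSserver,
# mydomain.com, yourdomain.com. Needs the MSOnline module locally, WinRM access to
# the AD FS 2.0 server, and the Microsoft.Adfs.PowerShell snap-in installed on it.

Import-Module MSOnline
$cred = Get-Credential
Connect-MsolService -Credential $cred
Set-MsolADFSContext -Computer myADFSserver

# 1. The farm's single federation service identifier (the "namespace").
$farmIssuer = Invoke-Command -ComputerName myADFSserver -ScriptBlock {
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
    (Get-ADFSProperties).Identifier.AbsoluteUri
}
$farmIssuer = $farmIssuer.TrimEnd('/')
"AD FS farm identifier: $farmIssuer"

# 2. Every federated domain in the tenant and the IssuerUri it is bound to.
$federated = Get-MsolDomain |
    Where-Object { $_.Authentication -eq 'Federated' } |
    ForEach-Object {
        $settings = Get-MsolDomainFederationSettings -DomainName $_.Name
        New-Object PSObject -Property @{
            Domain    = $_.Name
            IssuerUri = $settings.IssuerUri.TrimEnd('/')
        }
    }
$federated | Format-Table Domain, IssuerUri -AutoSize

# 3. Predict DomainLiveNamespaceUriConflict instead of discovering it from the cmdlet.
$nextDomain = 'yourdomain.com'
$clash = $federated | Where-Object { $_.IssuerUri -eq $farmIssuer }
if ($clash) {
    $msg = "$farmIssuer is already the IssuerUri of $($clash | ForEach-Object { $_.Domain }); " +
           "converting $nextDomain with default settings will fail with DomainLiveNamespaceUriConflict."
    Write-Warning $msg

    # Resolution with an MSOnline module that has -SupportMultipleDomain: move the
    # existing domain(s) off the farm identifier first, then add the new one. Each
    # domain then gets IssuerUri http://<domain>/adfs/services/trust/, and AD FS gets
    # an issuerid claim rule on the Office 365 relying party trust that derives the
    # issuer from the user's UPN suffix, so tokens still map back to the right domain.
    foreach ($d in $clash) {
        Update-MsolFederatedDomain -DomainName $d.Domain -SupportMultipleDomain
    }
    Convert-MsolDomainToFederated -DomainName $nextDomain -SupportMultipleDomain
} else {
    Convert-MsolDomainToFederated -DomainName $nextDomain
}
```

After the multi-domain conversion, check both ends of the trust: Get-MsolDomainFederationSettings -DomainName mydomain.com should now report a per-domain IssuerUri rather than the farm identifier, and on the AD FS server (Get-ADFSRelyingPartyTrust -Name "Microsoft Office 365 Identity Platform").IssuanceTransformRules should contain the issuerid rule. The token-signing certificate is shared by every domain on the farm either way, so rolling it over still has to be followed by Update-MsolFederatedDomain for each federated domain.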

4 thoughts on “Office 365 SSO and AD FS 2.0 Namespaces: There can be only one…..”

  1. Hi,
    I have another issue with this process (I think I am somewhere in your 10%).
    I didn’t try to add a second domain, but I get a weird message when trying to convert my domain to a federated one from standard. Any ideas? See below..

    PS C:\Windows\system32> Convert-MsolDomainToFederated -DomainName xxxxx.state.tx.us
    Convert-MsolDomainToFederated : Microsoft.Online.Administration.Automation.DomainNameForbiddenWordException
    At line:1 char:30
    + Convert-MsolDomainToFederated <<<< -DomainName xxxxx.state.tx.us
    + CategoryInfo : NotSpecified: (:) [Convert-MsolDomainToFederated], FederationException
    + FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.DomainNameForbiddenWordException,Microsoft.Online.Identity.Federation.Powershell.ConvertDomainToFederated

    1. Hi Mike,

      I’ve not seen that error before. Given that it’s a “ForbiddenWordException”, I wonder whether it has something to do with the domain namespace in question. Have you raised a call with O365 support?

      Regards,
      Mylo

  2. I am trying to do the multiple domains but I am not using AD FS for my federation services so how does one use this new command switch -SupportMultipleDomain which only seems to work with powershell commands that are specific to AD FS?

    Regards,
    Frustrated User
