If you are an E3 customer and you’ve been setting up federated identities for Office 365 then doubtless you’ll be familiar with the following prose:
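$cred = Get-Credential   # prompt for the Office 365 administrator credentials
Connect-MsolService -Credential $cred   # sign in to Microsoft Online
Set-MsolADFSContext -Computer myADFSserver   # point the session at the AD FS server
Convert-MsolDomainToFederated -DomainName mydomain.com   # convert the domain to federated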
This little bit of PowerShell connects the (AD FS) organization to the Microsoft Online domain and converts a standard MSOL domain to a federated one:
Successfully updated ‘mydomain.com’ domain.
And the process completes... cue muffled screams of joyous rapture / sighs of relief (delete as applicable), as we have a federated domain ready for use with Office 365, with SSO to the corporate mothership (AD). For 90% of us this is a most satisfactory result and worthy of a few grunts of appreciation. However, the 10% of us whose avaricious nature compels us to add more Internet domains, or who simply have a morbid curiosity that can only be satiated by trying to break things with O365, decide to try the same command again:
Convert-MsolDomainToFederated -DomainName yourdomain.com
Convert-MsolDomainToFederated : The federation service identifier specified in the Active Directory Federation Services 2.0 server is already in use. Please correct this value in the AD FS 2.0 Management console and run the command again
At line:1 char:30
+ Convert-MsolDomainToFederated <<<< -DomainName yourdomain.com
+ CategoryInfo : InvalidData: (:) [Convert-MsolDomainToFederated], FederationException
+ FullyQualifiedErrorId : DomainLiveNamespaceUriConflict,Microsoft.Online.Identity.Federation.Powershell.ConvertDomainToFederated
Hmm... this time round the very same command fails. Note that I’m adding a 2nd hypothetical domain called yourdomain.com. Looking at the Office 365 documentation for an explanation of why, a few pearls of wisdom are offered:
“Active Directory Federation Services only allows for one namespace per farm/instance”.
I’ll ghost the words “with Office 365” on the end of that. Apparently, this is an O365 beta issue that is, according to feedback from the forums, slated for resolution before go-live. If you can’t wait, and need to add a second namespace, it entails standing up a completely new AD FS farm/instance in the meantime... an incentive methinks, if ever I’ve seen one, to move off bare metal and virtualise.
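A pre-flight check for the conflict described above, as an added example that is not part of the original post: it reports whether the farm's federation service identifier is already registered against another federated domain before Convert-MsolDomainToFederated is run. The function name, the sample identifier URI and the assumption that the registered identifier is what Get-MsolDomainFederationSettings exposes as IssuerUri are mine.

```powershell
# Added example: pre-flight check before Convert-MsolDomainToFederated.
# Test-FederationIdentifierConflict is a hypothetical helper name.
function Test-FederationIdentifierConflict {
    param(
        [Parameter(Mandatory=$true)] [string] $FarmIdentifier,  # AD FS federation service identifier
        [object[]] $FederatedDomains = @(),                     # objects with DomainName and IssuerUri
        [Parameter(Mandatory=$true)] [string] $NewDomain
    )
    $farm = $FarmIdentifier.Trim()
    # -eq on strings is case-insensitive; treating case-only differences as a
    # conflict is a conservative assumption, not documented service behaviour.
    $clashes = @($FederatedDomains | Where-Object {
        $_.DomainName -ne $NewDomain -and ([string]$_.IssuerUri).Trim() -eq $farm
    })
    New-Object PSObject -Property @{
        NewDomain      = $NewDomain
        FarmIdentifier = $farm
        ConflictsWith  = @($clashes | ForEach-Object { $_.DomainName })
        CanConvert     = ($clashes.Count -eq 0)
    }
}

# Constructed sample data: one domain already federated against this farm.
$sampleFarmId  = 'http://myADFSserver.mydomain.com/adfs/services/trust'   # hypothetical identifier
$sampleDomains = @(
    New-Object PSObject -Property @{ DomainName = 'mydomain.com'; IssuerUri = $sampleFarmId }
)
Test-FederationIdentifierConflict -FarmIdentifier $sampleFarmId `
    -FederatedDomains $sampleDomains -NewDomain 'yourdomain.com'

# Live inputs, assuming Connect-MsolService has run and the AD FS cmdlets are
# loaded in a session on the AD FS server:
#   $farmId  = [string](Get-ADFSProperties).Identifier
#   $domains = Get-MsolDomain | Where-Object { $_.Authentication -eq 'Federated' } | ForEach-Object {
#       $name = $_.Name
#       New-Object PSObject -Property @{
#           DomainName = $name
#           IssuerUri  = (Get-MsolDomainFederationSettings -DomainName $name).IssuerUri } }
```

A result with CanConvert set to False and mydomain.com listed in ConflictsWith is the situation that produces the DomainLiveNamespaceUriConflict error shown above.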