Configuring multiple UPN for ADFS SSO support with Office 365?

EnterpriseArchitect 4,826 Reputation points
2020-07-17T11:53:36.613+00:00

I've deployed ADFS 4.0 on Windows Server 2016, and on-premises AD is synced using Azure AD Connect for the hybrid configuration.

Our AD structure is a single-forest, single-domain AD, and I can see the information below in the Azure console: there is just one primary domain, domain.com.

However, we have multiple users with different UPNs configured in AD.

So shall I execute it for each UPN, or just once for domain.com?

Based on: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-multiple-domains

PowerShell script

  • Rollout Plan

# Convert-MsolDomainToFederated and Get-MsolDomainFederationSettings come from the MSOnline module
Import-Module MSOnline
$Cred = Get-Credential
Connect-MsolService -Credential $Cred

# For all users that login with the UPN First.LastName@domain.com
$Domain = 'domain.com'
Convert-MsolDomainToFederated -DomainName $Domain -SupportMultipleDomain
Get-MsolDomainFederationSettings -DomainName $Domain

# For all users that login with the UPN First.LastName@company1.net
$Domain = 'company1.net'
Convert-MsolDomainToFederated -DomainName $Domain -SupportMultipleDomain
Get-MsolDomainFederationSettings -DomainName $Domain

# For all users that login with the UPN First.LastName@Subsidiary2.org
$Domain = 'Subsidiary2.org'
Convert-MsolDomainToFederated -DomainName $Domain -SupportMultipleDomain
Get-MsolDomainFederationSettings -DomainName $Domain

  • Rollback Plan

# Set-MsolDomainAuthentication is an MSOnline cmdlet, so the MSOnline module (not AzureAD) is needed here
Install-Module -Name MSOnline
# Sign in with Global.Admin@ParentCompany.onmicrosoft.com (Azure cloud-only account)
Connect-MsolService

# For all users that login with the UPN First.LastName@domain.com
Set-MsolDomainAuthentication -DomainName 'domain.com' -Authentication Managed

# For all users that login with the UPN First.LastName@company1.net
Set-MsolDomainAuthentication -DomainName 'company1.net' -Authentication Managed

# For all users that login with the UPN First.LastName@Subsidiary2.org
Set-MsolDomainAuthentication -DomainName 'Subsidiary2.org' -Authentication Managed

Any help and suggestion would be greatly appreciated.

Thank you in advance.


1 answer

  1. AmanpreetSingh-MSFT 56,311 Reputation points
    2020-07-20T08:32:48.177+00:00

    @EnterpriseArchitect Please find the answer to your questions regarding Rollout and Rollback plan:

    • Rollout Plan

    If you have added 'domain.com', 'company1.net' & 'Subsidiary2.org' as verified domains in your tenant, and users will be typing their usernames as
    'username@domain.com', 'username@company1.net' & 'username@Subsidiary2.org' to sign in to the Azure Portal, you would need to run the Convert-MsolDomainToFederated -DomainName $Domain -SupportMultipleDomain cmdlet for each domain.

    • Rollback Plan

    The Set-MsolDomainAuthentication cmdlet updates only the settings in Azure Active Directory. You should use the Convert-MsolDomainToStandard cmdlet instead.

    -----------------------------------------------------------------------------------------------------------

    Please do not forget to "Accept the answer" wherever the information provided helps you. This will help others in the community as well.
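Putting the accepted guidance above together as one idempotent rollout/rollback script. This is an added example, not code from the question or the answer: it assumes the MSOnline module, the same three placeholder domains used in the question, a cloud-only Global Administrator account for the connection, and that it runs on the primary ADFS server (on any other machine, point MSOnline at the farm first with Set-MsolAdfsContext -Computer). The function names, the $Domains list and the password-file path are made up for the example.

```powershell
# Added example (not part of the original question or answer).
# Requires the MSOnline module; run on the primary ADFS server or call
# Set-MsolAdfsContext -Computer <adfs-server> before converting anything.
Import-Module MSOnline
Connect-MsolService -Credential (Get-Credential)   # cloud-only Global Administrator

# Placeholder domains from the question; all must already be Verified in the tenant.
$Domains = @('domain.com', 'company1.net', 'Subsidiary2.org')

function Convert-DomainsToFederated {
    # Rollout: federate each verified, still-Managed domain with one ADFS farm.
    param([string[]]$DomainName)

    foreach ($d in $DomainName) {
        $dom = Get-MsolDomain -DomainName $d -ErrorAction Stop
        if ($dom.Status -ne 'Verified') {
            Write-Warning "$d is not verified in the tenant; skipping."
            continue
        }
        if ($dom.Authentication -eq 'Federated') {
            Write-Host "$d is already federated; skipping."
            continue
        }
        # -SupportMultipleDomain on every conversion (including the first): it adds the
        # issuerid claim rule to the 'Microsoft Office 365 Identity Platform' trust so that
        # each UPN suffix gets its own IssuerUri instead of the farm-wide identifier.
        Convert-MsolDomainToFederated -DomainName $d -SupportMultipleDomain

        # Verify per domain: IssuerUri should read http://<domain>/adfs/services/trust/ .
        # The federation settings are what tells the tenant which signing certificate and
        # issuer to trust for that domain, so check them after every change.
        Get-MsolDomainFederationSettings -DomainName $d |
            Select-Object @{ n = 'Domain'; e = { $d } }, IssuerUri, PassiveLogOnUri
    }
}

function Convert-DomainsToManaged {
    # Rollback: Convert-MsolDomainToStandard flips the tenant to Managed AND removes the
    # relying party trust in ADFS, which Set-MsolDomainAuthentication alone does not do.
    param(
        [string[]]$DomainName,
        [string]$PasswordFilePrefix = "$env:TEMP\o365-rollback"   # assumed path
    )

    foreach ($d in $DomainName) {
        $dom = Get-MsolDomain -DomainName $d -ErrorAction Stop
        if ($dom.Authentication -ne 'Federated') {
            Write-Host "$d is already managed; skipping."
            continue
        }
        # -SkipUserConversion $true keeps existing (password-hash-synced) credentials;
        # with $false the cmdlet writes temporary passwords to -PasswordFile, so guard
        # that file like any credential export.
        Convert-MsolDomainToStandard -DomainName $d -SkipUserConversion $true `
            -PasswordFile "$PasswordFilePrefix-$d.txt"
    }
    # Re-check whatever is still federated after a partial rollback.
    Get-MsolDomain | Where-Object Authentication -eq 'Federated' |
        ForEach-Object { Get-MsolDomainFederationSettings -DomainName $_.Name }
}

# Rollout, then an ADFS-side check that the multi-domain claim rule is present:
Convert-DomainsToFederated -DomainName $Domains
(Get-AdfsRelyingPartyTrust -Name 'Microsoft Office 365 Identity Platform').IssuanceTransformRules -match 'issuerid'

# Rollback when needed:
# Convert-DomainsToManaged -DomainName $Domains
```

The two checks are the ones worth keeping in a change record: the tenant-side Get-MsolDomainFederationSettings output for each domain (IssuerUri differs per domain only when -SupportMultipleDomain was used), and the ADFS-side issuance transform rules on the Office 365 trust, which should contain the issuerid rule once the first multi-domain conversion has run.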