Microsoft 365
Formerly Office 365, is a line of subscription services offered by Microsoft which adds to and includes the Microsoft Office product line.
3,821 questions
How to migrate a Relying Party Trust in ADFS for Office 365 (EntryID) to a new Forest
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(57.599999999999994, 57.00000000000001%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMZ%3C/text%3E%3C/svg%3E)
Michael Zahneißen
0
Reputation points
We need to migrate ADFS (>5 years old) from an old AD forest to the new Forest. We use ADFS, among other things, for SSO with custom domains for EntraID.
For federation and creating the relying party with EntraID (Office 365 / Microsoft 365) I used to work with Powershell and MSOLService, which is outdated. Microsoft's recommendation is to use MSGraph with something in Powershell like New-MgDomainFederationConfiguration or Update-MgDomainFederationConfiguration. Unfortunately, no configuration of the ADFS is carried out here. Also I couldn't find any documentation for federation with ADFS and MS Graph.
In my tests to federate a new domain, I was able to federate it in EntraID, but I cannot delete or change it. The -InternalDomainFederationId is required for this, but it is not displayed anywhere.
What am I doing wrong and how do I do it right? Is there corresponding documentation.
Configuring ADFS via AzureADConnect is out of the question in this case.
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
Givary-MSFT 28,236 Reputation points Microsoft Employee2024-03-15T09:46:49.1533333+00:00 @Michael Zahneißen Thank you for reaching out to us, came across this document - https://learn.microsoft.com/en-us/graph/api/internaldomainfederation-update?view=graph-rest-1.0&tabs=http https://learn.microsoft.com/en-us/graph/api/resources/internaldomainfederation?view=graph-rest-1.0
check if this helps or not, else we can connect offline to understand the issue in detailed and assist you further.
-
Michael Zahneißen 0 Reputation points
2024-03-15T16:24:38.48+00:00 Hallo @Givary-MSFT , thanks for supporting me. I have seen and read the document. Unfortunately, it only explains a small part of the setup or update. With the deprecated Powershell module MSOnline, not only the federation was set in EntraID/AzureAD, but also the configuration of EntryID in ADFS. I couldn't find any documentation about this for future Tasks. For example, it would be important to know which claim rules need to be set and which identifiers need to be defined.
In the meantime I was able to delete the incorrect federation and create it again - now the InternalID was also created. But as already described, I am missing the details for the ADFS configuration EntraID (claim rules, identifiers ...).
-
Givary-MSFT 28,236 Reputation points Microsoft Employee
2024-03-18T15:37:52.6066667+00:00 @Michael Zahneißen Could you elaborate more on this statement - missing the details for the ADFS configuration EntraID (claim rules, identifiers), what exactly you are trying to configure so that I can help you further.
Sign in to comment