adfs sso azure ad multiple domains

Ask Always 41 Reputation points
2021-07-14T15:37:57.38+00:00

Hello.

Scenario: A subdomain is already federated. Let's call this corp.contoso.com. Its IssuerUri is http://corp.contoso.com/adfs/services/trust/. Users in the subdomain use Exchange Online.

The top-level domain, contoso.com, has been verified in Azure AD but not yet federated. Looking to federate it. Users in this domain have hybrid Exchange with most mailboxes on-premises. There is password hash sync in place.

Using the below article for reference.

https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-multiple-domains

Question:
Since the subdomain is federated, is Convert-MsolDomainToFederated -DomainName contoso.com -SupportMultipleDomain the right way to proceed? I will be changing the UPN claims to the format specified in the article.

Thanks!

Active Directory Federation Services
Microsoft Entra ID

1 answer

    Ask Always 41 Reputation points
    2021-08-05T13:58:42.777+00:00

    @Pierre Audonnet - MSFT

    The case was that corp.contoso.com was federated but the top-level contoso.com wasn't.
    The procedure followed was:

    1. Open PowerShell with administrative privileges.
    2. Connect-MsolService as the global administrator of the "xxxx.onmicrosoft.com" domain. It will not let you federate if you log in as the contoso.com global admin.
    3. Get-MsolDomainFederationSettings -DomainName <your domain> for both contoso.com and corp.contoso.com to see the current federation settings. Notice the IssuerUri. contoso.com shouldn't return anything since it is not federated.
    4. Set-MsolADFSContext -Computer <your adfs server-primary>
    5. Convert-MsolDomainToFederated -DomainName contoso.com -SupportMultipleDomain
    6. Get-MsolDomainFederationSettings -DomainName <your domain> for both contoso.com and corp.contoso.com to see the current federation settings. Notice the IssuerUri. Both contoso.com and corp.contoso.com now return federation settings, with different IssuerUri values.
    7. Change the UPN claims rule in ADFS to

    c:[Type == "http://schemas.xmlsoap.org/claims/UPN"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = regexreplace(c.Value, "^.*@([^.]+\.)?(?<domain>([^.]+\.?){2})$", "http://${domain}/adfs/services/trust/"));

    This worked.

    Reference article:
    https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-multiple-domains

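As an added illustration (not part of the answer above or of Microsoft's documentation), the PowerShell below applies the same regex and replacement as the step-7 claim rule through .NET's Regex.Replace, the engine ADFS regexreplace() uses, to show which issuerid each UPN would carry and whether it is one of the IssuerUri values Azure AD knows for the tenant. The sample UPNs are constructed and the contoso.com IssuerUri is assumed; in practice the list of known IssuerUris comes from the Get-MsolDomainFederationSettings output in step 6.

```powershell
# Added example, not from the original answer. Reproduces the issuerid
# transformation of the step-7 claim rule with .NET's Regex.Replace, the
# same engine and ${name} substitution syntax ADFS regexreplace() uses.
$Pattern     = '^.*@([^.]+\.)?(?<domain>([^.]+\.?){2})$'
$Replacement = 'http://${domain}/adfs/services/trust/'

function Get-IssuerIdFromUpn {
    param([Parameter(Mandatory)][string]$Upn)
    # No match leaves the input unchanged, as regexreplace() does, so a UPN
    # the pattern cannot parse would be issued verbatim as its own issuerid.
    [regex]::Replace($Upn, $Pattern, $Replacement)
}

function Test-IssuerIdKnown {
    param(
        [Parameter(Mandatory)][string]$Upn,
        [Parameter(Mandatory)][string[]]$KnownIssuerUris
    )
    # Azure AD accepts a federated token only when its issuer matches the
    # IssuerUri of a federated domain in the tenant; anything else is rejected.
    $KnownIssuerUris -contains (Get-IssuerIdFromUpn -Upn $Upn)
}

# Assumed IssuerUri values as Get-MsolDomainFederationSettings would report
# them after step 6 (the corp.contoso.com value is the one in the question).
$knownIssuers = @(
    'http://contoso.com/adfs/services/trust/'
    'http://corp.contoso.com/adfs/services/trust/'
)

# Constructed sample UPNs: top-level domain, one subdomain level, two levels.
$sampleUpns = @(
    'alice@contoso.com'
    'bob@corp.contoso.com'
    'carol@lab.corp.contoso.com'
)

foreach ($upn in $sampleUpns) {
    $issuerId = Get-IssuerIdFromUpn -Upn $upn
    $status = if (Test-IssuerIdKnown -Upn $upn -KnownIssuerUris $knownIssuers) {
        'known issuer'
    } else {
        'UNKNOWN issuer: Azure AD would reject this token'
    }
    '{0,-28} -> {1,-45} {2}' -f $upn, $issuerId, $status
}
```

Running it shows that the rule folds one subdomain level into the parent domain's issuer (bob@corp.contoso.com yields http://contoso.com/adfs/services/trust/) and passes a UPN with two or more subdomain levels through unchanged, which no IssuerUri will match; compare the printed values against your own step-6 output before changing the rule.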