
Federated a domain, made a mistake, then removed federation. Now federation fails.

Pat Olson 0 Reputation points
2026-02-25T17:43:27.4466667+00:00

Federated a domain and made a mistake with the issuer URI, so I removed federation per Microsoft best practices (https://learn.microsoft.com/en-us/education/windows/configure-aad-google-trust).

Now when I try to re-federate, there is an error with "resource already exists", except it doesn't. Here is a timeline of commands, some information redacted. I can't find the duplicate config anywhere; every tool I use says this is something MS needs to fix on the back end, but guess what, I can't open a ticket, only use Q&A.


```powershell
PS /Users/o/PowerShell Scripts> Get-MgDomainFederationConfiguration -DomainId ********
Get-MgDomainFederationConfiguration_List: Resource 'federationConfiguration' does not exist or one of its queried reference-property objects are not present.
Status: 404 (NotFound)
ErrorCode: Request_ResourceNotFound
Date: 2026-02-25T17:34:41
Headers:
Cache-Control                 : no-cache
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : dd284287-a461-450b-a07d-d73a7f2ac9c2
client-request-id             : ab41a7bb-327a-48ea-b492-18b13f2dc0a5
x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"Central US","Slice":"E","Ring":"4","ScaleUnit":"005","RoleInstance":"DS3PEPF0000B47B"}}
x-ms-resource-unit            : 1
Date                          : Wed, 25 Feb 2026 17:34:40 GMT
  Recommendation: See service error codes: https://learn.microsoft.com/graph/errors

PS /Users/o> Get-MgDomain -DomainId "*********" | Select Id, AuthenticationType, IsVerified

Id                AuthenticationType IsVerified
--                ------------------ ----------
*******.          Managed            True
```


```powershell
PS /Users/o/PowerShell Scripts> cat ./WGC_GoogleIDP_Setup.ps1
# Path to the Google IdP metadata XML; the value was redacted in the original post
[Xml]$xml = Get-Content -Raw -Path $MetadataPath

# Google wraps the base64 certificate across lines; join the pieces into one string
$cert = -join $xml.EntityDescriptor.IDPSSODescriptor.KeyDescriptor.KeyInfo.X509Data.X509Certificate.Split()

Connect-MgGraph -Scopes "Domain.ReadWrite.All", "Directory.AccessAsUser.All"

$domainAuthParams = @{
  DomainId                        = "REDACTED"
  IssuerUri                       = "https://accounts.google.com"
  DisplayName                     = "Google Workspace Identity"
  ActiveSignInUri                 = "https://accounts.google.com/o/saml2/idp?idpid=REDACTED"
  PassiveSignInUri                = "https://accounts.google.com/o/saml2/idp?idpid=REDACTED"
  SignOutUri                      = "https://accounts.google.com/logout"
  SigningCertificate              = $cert
  PreferredAuthenticationProtocol = "saml"
  FederatedIdpMfaBehavior         = "acceptIfMfaDoneByFederatedIdp"
}

# Show what is about to be sent, then create the federation
Write-Output $domainAuthParams
New-MgDomainFederationConfiguration @domainAuthParams
```

```powershell
PS /Users/o/PowerShell Scripts> ./WGC_GoogleIDP_Setup.ps1
Welcome to Microsoft Graph!
Connected via delegated access using REDACTED
Readme: https://aka.ms/graph/sdk/powershell
SDK Docs: https://aka.ms/graph/sdk/powershell/docs
API Docs: https://aka.ms/graph/docs
NOTE: You can use the -NoWelcome parameter to suppress this message.
NOTE: Sign in by Web Account Manager (WAM) is enabled by default on Windows systems and cannot be disabled when using the default ClientId.
To disable WAM run Set-MgGraphOption -DisableLoginByWAM $true and then use a custom ClientId.

Name                           Value
----                           -----
IssuerUri                      https://accounts.google.com
PassiveSignInUri               https://accounts.google.com/o/saml2/idp?idpid=REDACTED
DisplayName                    Google Workspace Identity
DomainId                       REDACTED
SignOutUri                     https://accounts.google.com/logout
SigningCertificate             REDACTED
federatedIdpMfaBehavior        acceptIfMfaDoneByFederatedIdp
PreferredAuthenticationProtoc… saml
ActiveSignInUri                https://accounts.google.com/o/saml2/idp?idpid=REDACTED

New-MgDomainFederationConfiguration_CreateExpanded: /Users/o/PowerShell Scripts/WGC_GoogleIDP_Setup.ps1:20
Line |
  20 |  New-MgDomainFederationConfiguration @domainAuthParams
     |  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Resource already exists.
     | Status: 409 (Conflict)
     | ErrorCode: Request_MultipleObjectsWithSameKeyValue
     | Date: 2026-02-25T15:33:00
     | Headers:
     | Cache-Control                 : no-cache
     | Vary                          : Accept-Encoding
     | Strict-Transport-Security     : max-age=31536000
     | request-id                    : f615e5de-06da-4632-8f7b-0497b36694f8
     | client-request-id             : 7f3ae106-3e4c-4861-ab6e-865ecfebdcf4
     | x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"Central US","Slice":"E","Ring":"4","ScaleUnit":"003","RoleInstance":"DS1PEPF0003FB75"}}
     | x-ms-resource-unit            : 1
     | Date                          : Wed, 25 Feb 2026 15:32:59 GMT
  Recommendation: See service error codes: https://learn.microsoft.com/graph/errors

PS /Users/o/PowerShell Scripts> Get-MgDomain -DomainId "REDACTED" | Select Id, AuthenticationType, IsVerified

Id                AuthenticationType IsVerified
--                ------------------ ----------
REDACTED.         Federated          True
```


Microsoft Security | Microsoft Entra | Microsoft Entra ID
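Added diagnostic for the situation in the post above; it is not part of the original question and not Microsoft documentation. The 409 names Request_MultipleObjectsWithSameKeyValue, so the practical question is which object still carries the IssuerUri you are trying to register. This script walks every domain in the tenant, records the AuthenticationType (the poster's last Get-MgDomain shows Federated even though the create failed) and whatever federation object is readable, then lists each IssuerUri with the places it appears. The extra read of the beta /directory/federationConfigurations endpoint is an assumption on my part: external-domain (B2B direct) federations also carry an issuerUri, so they are worth listing when hunting a collision. It assumes the Microsoft.Graph PowerShell SDK and an account with Domain.Read.All and IdentityProvider.Read.All.

```powershell
# Added diagnostic; not from the original post. Assumes the Microsoft.Graph PowerShell SDK
# and a signed-in account that can read domains (Domain.Read.All). The beta
# /directory/federationConfigurations call also needs IdentityProvider.Read.All.
param(
    # The IssuerUri you intend to use; flagged if anything visible already carries it
    [string]$CandidateIssuerUri = "https://accounts.google.com"
)

Connect-MgGraph -Scopes "Domain.Read.All", "IdentityProvider.Read.All" -NoWelcome

# IssuerUri -> list of objects that carry it (the key behind Request_MultipleObjectsWithSameKeyValue)
$issuers = @{}
function Add-IssuerUse([string]$Issuer, [string]$Where) {
    if ([string]::IsNullOrWhiteSpace($Issuer)) { return }
    if (-not $issuers.ContainsKey($Issuer)) {
        $issuers[$Issuer] = [System.Collections.Generic.List[string]]::new()
    }
    $issuers[$Issuer].Add($Where)
}

$rows = foreach ($domain in Get-MgDomain -All) {
    $feds = @()
    try {
        # Throws 404 (Request_ResourceNotFound) when the domain has no internalDomainFederation object
        $feds = @(Get-MgDomainFederationConfiguration -DomainId $domain.Id -ErrorAction Stop)
    } catch {
        $feds = @()
    }
    foreach ($fed in $feds) { Add-IssuerUse -Issuer $fed.IssuerUri -Where "domain:$($domain.Id)" }
    [pscustomobject]@{
        Domain             = $domain.Id
        AuthenticationType = $domain.AuthenticationType   # Managed vs Federated, as in the poster's Get-MgDomain checks
        IsVerified         = $domain.IsVerified
        FederationObjects  = $feds.Count
        IssuerUri          = ($feds.IssuerUri -join "; ")
    }
}
$rows | Format-Table -AutoSize

# External-domain (B2B direct) federations also carry an issuerUri; assumed worth checking,
# and only exposed on the beta endpoint.
try {
    $ext = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/directory/federationConfigurations"
    foreach ($cfg in $ext.value) {
        Add-IssuerUse -Issuer $cfg.issuerUri -Where "directory/federationConfigurations:$($cfg.displayName)"
    }
} catch {
    Write-Warning "Could not read /beta/directory/federationConfigurations: $($_.Exception.Message)"
}

"IssuerUri usage visible to this session:"
foreach ($entry in $issuers.GetEnumerator()) {
    $flag = if ($entry.Value.Count -gt 1) { "<- DUPLICATE" }
            elseif ($entry.Key -eq $CandidateIssuerUri) { "<- matches candidate" }
            else { "" }
    "{0,-55} {1} {2}" -f $entry.Key, ($entry.Value -join ", "), $flag
}
if (-not $issuers.ContainsKey($CandidateIssuerUri)) {
    "No readable object carries '$CandidateIssuerUri'; a 409 on create then points at state this account cannot list."
}
```

Run it before re-federating and keep the output: if the candidate IssuerUri shows up on another domain or on a direct-federation object, that is the conflict; if nothing readable carries it and the create still returns 409, the output of this script plus the request-id from the error is what a support case needs.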

1 answer

  1. VEMULA SRISAI 9,430 Reputation points Microsoft External Staff Moderator
    2026-02-25T18:54:49.8766667+00:00

    Hello Pat Olson,

    Thank you for sharing the detailed command output and timeline.

    Based on the behavior you’re seeing, this does not appear to be a PowerShell or permissions issue. The symptoms point to a federation configuration conflict caused by the IssuerUri, which can persist even after federation is removed.

    Although Get-MgDomainFederationConfiguration returns 404, the 409 Conflict (Request_MultipleObjectsWithSameKeyValue) error indicates that Microsoft Entra ID still detects an existing federation reference by key. In this scenario, the key is typically the IssuerUri, which must be globally unique across federated domains in the tenant.

    In your script, the IssuerUri is set to:

    https://accounts.google.com
    

    For Google Workspace SAML federation, this value is too generic and commonly causes this issue after a remove / re‑create attempt.

    Recommended resolution:

    Please update the IssuerUri to use the EntityID from the Google IdP metadata, which is unique per IdP instance. It usually looks like:

    https://accounts.google.com/o/saml2?idpid=XXXXXXXX
    

    You can extract this directly from the Google metadata XML:

    ```powershell
    # Load the Google IdP metadata and take the IssuerUri from its entityID attribute
    [xml]$xml = Get-Content ".\GoogleIDPMetadata.xml"
    $issuer = $xml.EntityDescriptor.entityID
    ```

    Then re‑run New-MgDomainFederationConfiguration using that IssuerUri value.

    If the error continues after switching to the metadata EntityID, please let me know.
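Added worked example for the answer above; it is not the answerer's or the poster's script and not Microsoft's or Google's code. It carries the recommendation through: every federation parameter, including the IssuerUri, is read from the Google IdP metadata (entityID, SingleSignOnService Location, signing certificate) instead of being typed by hand, so the issuer is the per-IdP value rather than the generic https://accounts.google.com. It also checks that the signing certificate in the metadata parses and has not expired, since that certificate is what Entra will trust for every federated sign-in. The domain name, the embedded sample metadata (idpid and certificate are placeholders), and the -Apply switch are my assumptions; without -Apply nothing is written to the tenant. It assumes the Microsoft.Graph PowerShell SDK and Domain.ReadWrite.All.

```powershell
# Added example; not the original poster's script and not Microsoft's or Google's code.
# Derives the federation parameters from the Google IdP metadata so IssuerUri is the
# metadata entityID. Assumes the Microsoft.Graph PowerShell SDK and Domain.ReadWrite.All.
param(
    [string]$DomainId = "example.com",   # assumed domain name
    [string]$MetadataPath,               # Google IdP metadata XML; omit to parse the constructed sample below
    [switch]$Apply                       # without -Apply nothing is written to the tenant
)

# Constructed sample in the shape Google Workspace exports; idpid and certificate are placeholders.
$sampleMetadata = @'
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://accounts.google.com/o/saml2?idpid=C0example1">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
MIIC
PLACEHOLDER
</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://accounts.google.com/o/saml2/idp?idpid=C0example1"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://accounts.google.com/o/saml2/idp?idpid=C0example1"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
'@

[xml]$xml = if ($MetadataPath) { Get-Content -Raw -Path $MetadataPath } else { $sampleMetadata }
$idp = $xml.EntityDescriptor.IDPSSODescriptor

# The entityID is the unique per-IdP issuer; this is what the answer recommends for IssuerUri
$issuerUri = $xml.EntityDescriptor.entityID

# Google publishes POST and Redirect bindings at the same Location; prefer POST
$sso = $idp.SingleSignOnService | Where-Object Binding -like '*HTTP-POST' | Select-Object -First 1
if (-not $sso) { $sso = $idp.SingleSignOnService | Select-Object -First 1 }

# Take the signing key (not an encryption key) and strip the line breaks inside the element
$signingKey = @($idp.KeyDescriptor) | Where-Object { $_.use -ne 'encryption' } | Select-Object -First 1
$certB64 = -join ($signingKey.KeyInfo.X509Data.X509Certificate -split '\s+')

# Entra will trust assertions signed by this certificate, so make sure it is real and current
try {
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($certB64))
    if ($cert.NotAfter -lt (Get-Date)) { throw "IdP signing certificate expired on $($cert.NotAfter)" }
    "Signing certificate: $($cert.Subject) thumbprint $($cert.Thumbprint) valid until $($cert.NotAfter)"
} catch [System.FormatException], [System.Security.Cryptography.CryptographicException] {
    Write-Warning "Certificate in metadata could not be parsed (expected for the constructed sample): $($_.Exception.Message)"
}

$params = @{
    DomainId                        = $DomainId
    IssuerUri                       = $issuerUri
    DisplayName                     = "Google Workspace Identity"
    ActiveSignInUri                 = $sso.Location
    PassiveSignInUri                = $sso.Location
    SignOutUri                      = "https://accounts.google.com/logout"
    SigningCertificate              = $certB64
    PreferredAuthenticationProtocol = "saml"
    # Entra accepts Google's MFA claim; use rejectMfaByFederatedIdp if Entra must enforce MFA itself
    FederatedIdpMfaBehavior         = "acceptIfMfaDoneByFederatedIdp"
}
"Derived federation parameters:"
$params.GetEnumerator() | Sort-Object Key | Format-Table -AutoSize

if (-not $Apply) { "Dry run only; re-run with -Apply to create the federation."; return }

Connect-MgGraph -Scopes "Domain.ReadWrite.All" -NoWelcome
# Refuse to stack a second federation on a domain that already reports Federated
if ((Get-MgDomain -DomainId $DomainId).AuthenticationType -eq 'Federated') {
    throw "$DomainId already reports AuthenticationType=Federated; inspect Get-MgDomainFederationConfiguration before creating another."
}
New-MgDomainFederationConfiguration @params
```

Run it once without -Apply against the real metadata file to see the derived IssuerUri and endpoints, then with -Apply. Like the original script it uses the same SAML endpoint for ActiveSignInUri and PassiveSignInUri; the MFA behaviour line is the one security decision that is not in the metadata, so it is left explicit rather than defaulted.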

