Single sign-on (SSO) in a Microsoft cloud service such as Microsoft 365, Microsoft Azure, or Microsoft Intune depends on an on-premises deployment of Active Directory Federation Services (AD FS) that functions correctly. Several scenarios require rebuilding the configuration of the federated domain in AD FS to correct technical problems. This article contains step-by-step guidance on how to update or to repair the configuration of the federated domain.
The configuration of the federated domain has to be updated in the scenarios that are described in the following Microsoft Knowledge Base articles.
Note
Azure AD and MSOnline PowerShell modules are deprecated as of March 30, 2024. To learn more, read the deprecation update. After this date, support for these modules is limited to migration assistance to Microsoft Graph PowerShell SDK and security fixes. The deprecated modules will continue to function through March 30, 2025.
We recommend migrating to Microsoft Graph PowerShell to interact with Microsoft Entra ID (formerly Azure AD). For common migration questions, refer to the Migration FAQ. Note: Versions 1.0.x of MSOnline may experience disruption after June 30, 2024.
To update the configuration of the federated domain on a domain-joined computer that has Azure Active Directory module for Windows PowerShell installed, follow these steps:
Click Start, click All Programs, click Windows Azure Active Directory, and then click Windows Azure Active Directory module for Windows PowerShell.
At the command prompt, type the following commands, and press Enter after each command:
$cred = Get-Credential
Note
When you're prompted, enter your cloud service administrator credentials.
Connect-MsolService -Credential $cred
Set-MsolADFSContext -Computer <AD FS 2.0 ServerName>
Note
In this command, the placeholder <AD FS 2.0 ServerName> represents the Windows host name of the primary AD FS server.
Update-MsolFederatedDomain -DomainName <Federated Domain Name>
or
Update-MsolFederatedDomain -DomainName <Federated Domain Name> -SupportMultipleDomain
Note
Important
A script is available to automate the update of federation metadata regularly to make sure that changes to the AD FS token signing certificate are replicated correctly.
The script creates a Windows scheduled task on the primary AD FS server to make sure that changes to the AD FS configuration such as trust info, signing certificate updates, and so on are propagated regularly to the Microsoft Entra ID.
If the token-signing certificate is automatically renewed in an environment where the script is implemented, the script will update the cloud trust info to prevent downtime that is caused by out-of-date cloud certificate info.
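To confirm that the cloud trust info matches AD FS, before or after running the update, the two sides reported by Get-MsolFederationProperty can be compared. The following is an added example, not Microsoft's scheduled-task script: Test-FederationTrustDrift, the 30-day warning window and the sample objects are assumptions made for illustration.

```powershell
# Added example. Test-FederationTrustDrift is a hypothetical helper, not an MSOnline cmdlet.
function Test-FederationTrustDrift {
    param(
        [Parameter(Mandatory)] [object[]] $Property,  # output of Get-MsolFederationProperty
        [int] $WarnDays = 30,                         # assumed alert window
        [datetime] $Now = (Get-Date)
    )
    # The cmdlet returns one object per side; Source tells them apart.
    $adfs  = @($Property | Where-Object { $_.Source -eq 'ADFS Server' })
    $cloud = @($Property | Where-Object { $_.Source -ne 'ADFS Server' })
    if ($adfs.Count -ne 1 -or $cloud.Count -ne 1) {
        throw 'Expected exactly one AD FS entry and one cloud entry.'
    }
    $findings = @()
    if ($adfs[0].TokenSigningCertificate.Thumbprint -ne $cloud[0].TokenSigningCertificate.Thumbprint) {
        $findings += 'Token-signing certificate differs between AD FS and the cloud trust.'
    }
    if ($adfs[0].FederationServiceIdentifier -ne $cloud[0].FederationServiceIdentifier) {
        $findings += 'Federation service identifier differs between AD FS and the cloud trust.'
    }
    $daysLeft = [math]::Floor(($adfs[0].TokenSigningCertificate.NotAfter - $Now).TotalDays)
    if ($daysLeft -lt $WarnDays) {
        $findings += "AD FS token-signing certificate expires in $daysLeft day(s)."
    }
    [pscustomobject]@{ InSync = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed sample: the cloud side still holds the old certificate after an AD FS rollover.
$sample = @(
    [pscustomobject]@{
        Source = 'ADFS Server'
        FederationServiceIdentifier = 'http://sts.contoso.example/adfs/services/trust'
        TokenSigningCertificate = [pscustomobject]@{
            Thumbprint = ('A' * 40); NotAfter = [datetime]'2030-01-01' }
    },
    [pscustomobject]@{
        Source = 'Microsoft Office 365'
        FederationServiceIdentifier = 'http://sts.contoso.example/adfs/services/trust'
        TokenSigningCertificate = [pscustomobject]@{
            Thumbprint = ('B' * 40); NotAfter = [datetime]'2029-01-01' }
    }
)
Test-FederationTrustDrift -Property $sample -Now ([datetime]'2029-06-01') | Format-List

# Live use, in a session prepared with Connect-MsolService and Set-MsolADFSContext:
# Test-FederationTrustDrift -Property (Get-MsolFederationProperty -DomainName '<Federated Domain Name>')
```

A certificate mismatch reported here is the condition that Update-MsolFederatedDomain corrects.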
The configuration of the federated domain has to be repaired in the scenarios that are described in the following Microsoft Knowledge Base articles.
To repair the federated domain configuration on a domain-joined computer that has Azure Active Directory module for Windows PowerShell installed, follow these steps.
Warning
Update-MSOLFederatedDomain -DomainName <Federated Domain Name>
or
Update-MsolFederatedDomain -DomainName <Federated Domain Name> -SupportMultipleDomain
Note
The following scenarios cause problems when you update or repair a federated domain:
You can't connect by using Windows PowerShell. For more info about this issue, see the following Microsoft Knowledge Base article:
2494043 You cannot connect by using the Azure Active Directory module for Windows PowerShell
The Azure Active Directory module for Windows PowerShell can't load because of missing prerequisites. For more info, see the following Microsoft Knowledge Base article:
2461873 You can't open the Azure Active Directory module for Windows PowerShell
You get an "Access Denied" error message when you try to run the Set-MsolADFSContext cmdlet. For more info, see the following Microsoft Knowledge Base article:
2587730 "The connection to <ServerName> Active Directory Federation Services 2.0 server failed" error when you use the Set-MsolADFSContext cmdlet
Still need help? Go to Microsoft Community or the Microsoft Entra Forums website.