Authentication fails with an error stating "The requested federation realm object '< Object ID >' does not exist"
Authentication fails with the error "The requested federation realm object '< Object ID >' does not exist" for users who belong to a domain that is federated with a third-party identity provider in either Microsoft Entra ID or Microsoft 365.
This failure happens when the third-party identity provider returns the wrong IssuerURI in the Issuer field of the Security Assertion Markup Language (SAML) response: the value it sends does not match the IssuerURI configured for the federated domain, so Microsoft Entra ID cannot find a matching federation realm object.
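To confirm that the Issuer value is really the cause before contacting anyone, it helps to look at the SAML response itself. The following PowerShell is an added example and not part of the Microsoft article: it decodes a base64 SAMLResponse (as posted by the browser to the Microsoft sign-in endpoint), reads the Issuer element at the Response level and inside the Assertion, and compares both with the IssuerURI that Microsoft Entra ID expects. The sample response, the identity provider URL and the expected value are constructed placeholders; in practice the expected value is the federated realm object quoted in the error message or the IssuerUri returned by Get-MsolDomainFederationSettings.

```powershell
# Added example (not from the Microsoft article): extract the SAML Issuer from a captured
# SAMLResponse and compare it with the IssuerURI configured for the federated domain.

# Constructed sample: a minimal SAML 2.0 response with placeholder IDs and a placeholder IdP URL.
$sampleXml = @"
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_placeholder-response-id" Version="2.0"
                IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>http://idp.example.com/adfs/services/trust</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_placeholder-assertion-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>http://idp.example.com/adfs/services/trust</saml:Issuer>
    <saml:Subject><saml:NameID>user@domain.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>
"@
# The browser posts the response base64-encoded in the SAMLResponse form field; mimic that here.
$SamlResponseBase64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($sampleXml))

function Get-SamlIssuer {
    # Returns the Issuer found at the Response level and inside the Assertion.
    param([Parameter(Mandatory)][string]$SamlResponseBase64)

    $xml = [xml][Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($SamlResponseBase64))
    $ns  = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol')
    $ns.AddNamespace('saml',  'urn:oasis:names:tc:SAML:2.0:assertion')

    $responseIssuer  = $xml.SelectSingleNode('/samlp:Response/saml:Issuer', $ns)
    $assertionIssuer = $xml.SelectSingleNode('/samlp:Response/saml:Assertion/saml:Issuer', $ns)

    [pscustomobject]@{
        ResponseIssuer  = if ($responseIssuer)  { $responseIssuer.InnerText }  else { $null }
        AssertionIssuer = if ($assertionIssuer) { $assertionIssuer.InnerText } else { $null }
    }
}

# Placeholder: replace with the realm object quoted in the authentication failure message.
$ExpectedIssuerUri = 'http://idp.example.com/adfs/services/trust'

$issuers = Get-SamlIssuer -SamlResponseBase64 $SamlResponseBase64
$issuers | Format-List

if ($issuers.ResponseIssuer -ne $ExpectedIssuerUri -or $issuers.AssertionIssuer -ne $ExpectedIssuerUri) {
    Write-Warning "Issuer in the SAML response does not match the expected IssuerURI '$ExpectedIssuerUri'."
    Write-Warning 'Either have the identity provider correct its Issuer (Resolution 1) or update the federated domain (Resolution 2).'
} else {
    Write-Host 'Issuer in the SAML response matches the expected IssuerURI.'
}
```

With the constructed sample both values match; paste a real base64 SAMLResponse (captured with browser developer tools or a SAML tracing extension) into $SamlResponseBase64 to check a live sign-in. A mismatch in either location is what produces the "federation realm object does not exist" error.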
Resolution 1
Contact the support team for the third-party identity provider and have them correct the IssuerURI, returned as Issuer, in the SAML response that the client forwards to either Microsoft Entra ID or Microsoft 365.
Resolution 2
Use the Set-MsolDomainFederationSettings command to modify the IssuerURI of the federated domain so that it matches the realm object listed in the error.
Note
Azure AD and MSOnline PowerShell modules are deprecated as of March 30, 2024. To learn more, read the deprecation update. After this date, support for these modules is limited to migration assistance to the Microsoft Graph PowerShell SDK and security fixes. The deprecated modules will continue to function through March 30, 2025.
We recommend migrating to Microsoft Graph PowerShell to interact with Microsoft Entra ID (formerly Azure AD). For common migration questions, refer to the Migration FAQ. Note: Versions 1.0.x of MSOnline may experience disruption after June 30, 2024.
1. Connect to Microsoft Entra ID using the MSOnline module. To check that the module is installed, open PowerShell and run the following command. If the module is missing, follow the steps outlined in Install the Azure AD module to install it.

   Get-Module MSOnline -ListAvailable

2. Run the following commands to verify the preferred authentication protocol of the federated domain.

   $federationSettings = Get-MsolDomainFederationSettings -DomainName domain.com
   $federationSettings.PreferredAuthenticationProtocol

3. If the PreferredAuthenticationProtocol value returned in step 2 is WSFED, run the following command to update the IssuerURI. The required IssuerURI value is the federated realm object that Microsoft Entra ID lists in the authentication failure message.

   Set-MsolDomainFederationSettings -DomainName domain.com -IssuerUri "value of federated realm object listed in the authentication failure message"

4. If the PreferredAuthenticationProtocol value returned in step 2 is SAMLP (SAML Protocol), run the following command instead, passing the protocol explicitly. As in step 3, the required IssuerURI value is the one listed by Microsoft Entra ID in the authentication failure message.

   Set-MsolDomainFederationSettings -DomainName domain.com -IssuerUri "value of federated realm object listed in the authentication failure message" -PreferredAuthenticationProtocol samlp
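The whole of Resolution 2 as one script, added here as an example and not taken from the Microsoft article. It assumes the MSOnline module is installed and that you sign in with an account that may change federation settings; $DomainName and $IssuerUriFromError are placeholders for your federated domain and the realm object quoted in the error message. It follows the article's steps, choosing the WS-Fed or SAML-P form of Set-MsolDomainFederationSettings from the protocol the domain already uses, and re-reads the settings afterwards to confirm the change applied.

```powershell
# Added example (not from the Microsoft article): Resolution 2 as a single script.
# Placeholders: replace with the federated domain and the realm object from the error message.
$DomainName         = 'domain.com'
$IssuerUriFromError = 'http://idp.example.com/adfs/services/trust'

# Step 1: confirm the MSOnline module is present, then connect to Microsoft Entra ID.
if (-not (Get-Module -Name MSOnline -ListAvailable)) {
    throw 'MSOnline module not found; install it (see "Install the Azure AD module") before continuing.'
}
Import-Module MSOnline
Connect-MsolService   # prompts for credentials

# Step 2: read the domain's current federation settings and preferred protocol.
$federationSettings = Get-MsolDomainFederationSettings -DomainName $DomainName
$protocol = [string]$federationSettings.PreferredAuthenticationProtocol
Write-Host "Current IssuerUri : $($federationSettings.IssuerUri)"
Write-Host "Preferred protocol: $protocol"

if ($federationSettings.IssuerUri -eq $IssuerUriFromError) {
    Write-Host 'IssuerUri already matches the realm object in the error; nothing to change.'
    return
}

# Steps 3 and 4: update IssuerUri. For SAML-P the article passes the protocol explicitly
# alongside the new IssuerUri, so the script does the same.
switch ($protocol.ToUpperInvariant()) {
    'WSFED' {
        Set-MsolDomainFederationSettings -DomainName $DomainName -IssuerUri $IssuerUriFromError
    }
    'SAMLP' {
        Set-MsolDomainFederationSettings -DomainName $DomainName -IssuerUri $IssuerUriFromError `
            -PreferredAuthenticationProtocol samlp
    }
    default { throw "Unexpected PreferredAuthenticationProtocol '$protocol'; nothing changed." }
}

# Verify: re-read the settings and confirm the new value took effect.
$updated = Get-MsolDomainFederationSettings -DomainName $DomainName
if ($updated.IssuerUri -ne $IssuerUriFromError) {
    throw "IssuerUri update did not apply (still '$($updated.IssuerUri)')."
}
Write-Host "IssuerUri for $DomainName is now $($updated.IssuerUri); protocol $($updated.PreferredAuthenticationProtocol)."
```

Record the previous IssuerUri printed by the script before the change: if the identity provider is later corrected (Resolution 1), the domain setting will need to be changed back to match.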
Contact us for help
If you have questions or need help, create a support request, or ask Azure community support. You can also submit product feedback to Azure feedback community.