Set-MsolDomainAuthentication. The multiple domains problem, and workaround

This post was originally published on this site


If you have found this webpage, you are probably trying to federate multiple mail domains registered in Office 365 with a single Identity Provider, which just doesn’t work. You may have an error similar to below.

Set-MsolDomainAuthentication : Unable to complete this action. Try again later.
At line:1 char:1
+ Set-MsolDomainAuthentication -DomainName $dom -Authentication Federat …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [Set-MsolDomainAuthentication], MicrosoftOnlineException
+ FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.InternalServiceException,Microsoft.


The problem

The problem here is that each mail domain you would like to federate has to federate with a unique Identity Provider URL. Let’s take a look at how that would look as a line of PowerShell.

Set-MsolDomainAuthentication -DomainName “” -Authentication Federated -FederationBrandName “Federtaion Brand Name” -PassiveLogOnUri “” -IssuerUri “” -LogOffUri “” -PreferredAuthenticationProtocol SAMLP -SigningCertificate “Your Cert Data”

The PassiveLogonUri, IssueUri, and LogoffUri have to be unique for each mail domain, even if all users exist in a single AzureAD domain or Identity Provider. This isn’t ideal and ultimately means you should create a new identity provider for each mail domain which leads to duplication of configuration and policies.

The workaround

What I am going

Want to learn more? Read the source post!