Background
If you have found this webpage, you are probably trying to federate multiple mail domains registered in Office 365 with a single Identity Provider and have discovered that it does not work out of the box. You may be seeing an error similar to the one below.
Set-MsolDomainAuthentication : Unable to complete this action. Try again later.
At line:1 char:1
+ Set-MsolDomainAuthentication -DomainName $dom -Authentication Federat …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [Set-MsolDomainAuthentication], MicrosoftOnlineException
+ FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.InternalServiceException,Microsoft.Online.Administration.Automation.SetDomainAuthentication
The problem
The problem is that each mail domain you want to federate must be federated with its own, unique set of Identity Provider URLs. Let's take a look at how that looks as a line of PowerShell.
Set-MsolDomainAuthentication -DomainName "YourMailDomain.com" -Authentication Federated -FederationBrandName "Federation Brand Name" -PassiveLogOnUri "https://your.idp.com/some/cool/saml/jazz" -IssuerUri "https://your.idp.com/some/cool/" -LogOffUri "https://your.idp.com/some/cool/saml/jazz" -PreferredAuthenticationProtocol SAMLP -SigningCertificate "Your Cert Data"
The PassiveLogOnUri, IssuerUri, and LogOffUri have to be unique for each mail domain, even when every user lives in a single Azure AD tenant and is authenticated by the same Identity Provider. This isn't ideal: in practice it means creating a separate identity provider configuration for each mail domain, which duplicates configuration and policies.
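The following script is an added example, not code from the original post. It shows how the uniqueness rule described above plays out when you federate several domains in one go: it reads the federation settings of every domain already federated in the tenant, rejects any IssuerUri, PassiveLogOnUri or LogOffUri that another domain already owns, and only then calls Set-MsolDomainAuthentication. The domain names, the idp.example URLs, the brand name and the certificate file path are all placeholders, and the script assumes the Identity Provider can expose a distinct issuer and SAML endpoint per domain and that a Connect-MsolService session already exists.

```powershell
# Added example (not from the original post). Assumes the MSOnline module is
# loaded and Connect-MsolService has already been run. Every name and URL below
# is a placeholder.

# Assumed: the IdP publishes a distinct issuer and SAML endpoint per mail domain,
# which is what the per-domain uniqueness rule forces you into.
$domains = @(
    @{ Name = 'contoso.example';  Issuer = 'https://idp.example/saml/contoso';  Passive = 'https://idp.example/saml/contoso/sso';  LogOff = 'https://idp.example/saml/contoso/slo'  }
    @{ Name = 'fabrikam.example'; Issuer = 'https://idp.example/saml/fabrikam'; Passive = 'https://idp.example/saml/fabrikam/sso'; LogOff = 'https://idp.example/saml/fabrikam/slo' }
)
$brand = 'Example IdP'

# -SigningCertificate takes the base64 DER body of the IdP signing certificate.
# The file path is an assumption for the example.
$x509 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 '.\idp-signing.cer'
$cert = [Convert]::ToBase64String($x509.RawData)

# Collect the URIs already claimed by federated domains in this tenant so a
# collision is caught here, with a clear message, instead of surfacing later as
# the opaque "Unable to complete this action. Try again later." error.
$inUse = @{}
foreach ($d in Get-MsolDomain | Where-Object { $_.Authentication -eq 'Federated' }) {
    $fs = Get-MsolDomainFederationSettings -DomainName $d.Name
    foreach ($u in @($fs.IssuerUri, $fs.PassiveLogOnUri, $fs.LogOffUri)) {
        if ($u) { $inUse[$u] = $d.Name }
    }
}

foreach ($entry in $domains) {
    # A URI may only be reused by the domain that already owns it (re-runs are fine).
    foreach ($u in @($entry.Issuer, $entry.Passive, $entry.LogOff)) {
        if ($inUse.ContainsKey($u) -and $inUse[$u] -ne $entry.Name) {
            throw "$($entry.Name): '$u' is already used by federated domain $($inUse[$u])"
        }
    }

    Set-MsolDomainAuthentication -DomainName $entry.Name `
        -Authentication Federated `
        -FederationBrandName $brand `
        -IssuerUri $entry.Issuer `
        -PassiveLogOnUri $entry.Passive `
        -LogOffUri $entry.LogOff `
        -PreferredAuthenticationProtocol SAMLP `
        -SigningCertificate $cert

    # Record the URIs as taken so a duplicate later in $domains is also rejected.
    foreach ($u in @($entry.Issuer, $entry.Passive, $entry.LogOff)) { $inUse[$u] = $entry.Name }
}
```

The pre-check is the useful part: Azure AD reports a clash between domains only as the generic InternalServiceException shown above, so comparing the candidate URIs against Get-MsolDomainFederationSettings for every federated domain tells you which value collides before anything is changed. Note that Microsoft has retired the MSOnline module in favour of Microsoft Graph PowerShell (New-MgDomainFederationConfiguration); the same unique IssuerUri requirement applies there.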
The workaround
What I am going