Article ID: 2618887
In a Microsoft cloud service such as Office 365, Microsoft Azure, or Windows Intune, you can't set up a second federated domain on an Active Directory Federation Services (AD FS) server. When you use the Azure Active Directory Module for Windows PowerShell to run the new-MSOLFederatedDomain cmdlet or the convert-MSOLDomainToFederated cmdlet, you receive the following error message:
The federation service identifier specified in the Active Directory Federation Services 2.0 server is already in use. Please correct this value in the AD FS 2.0 Management console and run the command again.
The Azure Active Directory (Azure AD) authentication system requires a unique federation brand uniform resource identifier (URI) for each federated domain. By default, AD FS uses a global value for all federated trusts. When you try to federate a second domain in a scenario where a federated trust already exists, the request fails because the URI is already being used.
To resolve the issue, you must use the -supportmultipledomain switch to add or convert every domain that's federated by the cloud service. This includes federated domains that already exist.
Step 1: Install Update Rollup 1 for AD FS 2.0
On each node of the AD FS 2.0 Federation Service farm, download and install Update Rollup 1 for AD FS 2.0. For more information about how to download and install Update Rollup 1 for AD FS 2.0, click the following article number to view the article in the Microsoft Knowledge Base:
2607496 (http://support.microsoft.com/kb/2607496/ ) Description of Update Rollup 1 for Active Directory Federation Services (AD FS) 2.0
Note This update requires a restart of the computer. If you do not restart the computer, you will experience the issue that's described in the following article in the Microsoft Knowledge Base:
2635357 (http://support.microsoft.com/kb/2635357/ ) "Sorry, but we're having trouble signing you in" and "8004789A" error when a federated user tries to sign in to Office 365, Azure, or Windows Intune
Step 2: Check that the update-MSOLFederatedDomain cmdlet can be run successfully against the AD FS environment
Step 3: Update the federated trust on the AD FS server
Warning The following steps should be planned carefully. Users for whom SSO functionality is enabled in the federated domain will be unable to authenticate between the completion of steps C and D. If the update-MSOLFederatedDomain cmdlet test in step 2 was not completed successfully, step D of this procedure will not finish correctly. Federated users will be unable to authenticate until the update-MSOLFederatedDomain cmdlet can be run successfully.
Step 4: Use the -supportmultipledomain switch to add or convert additional federated domains
After you update the existing trust in step 2, use the -supportmultipledomain switch to add or convert additional federated domains. This switch informs the cmdlet to use a unique URI namespace for each domain that's federated by the cloud service. To do this, use one of the following cmdlet syntaxes:
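The following script is an added example of Steps 3 and 4 taken together; it is not part of the Knowledge Base article. It assumes the Azure Active Directory Module for Windows PowerShell (MSOnline) is installed, that the account used has administrator rights in the tenant, and that the AD FS 2.0 farm can be reached from the machine running it. The server name, the existing federated domain and the additional domains are placeholders.

```powershell
# Added example, not from KB 2618887. Assumes the MSOnline module, tenant
# administrator rights, and network access to the AD FS 2.0 farm.
# All server and domain names below are placeholders.

Import-Module MSOnline

$AdfsServer        = 'adfs01.corp.contoso.com'            # placeholder: primary AD FS 2.0 server
$ExistingDomain    = 'contoso.com'                        # placeholder: domain already federated
$AdditionalDomains = @('fabrikam.com', 'contoso.co.uk')   # placeholders: domains to add or convert

# Sign in to the cloud service and point the federation cmdlets at the AD FS farm.
Connect-MsolService
Set-MsolADFSContext -Computer $AdfsServer

# Step 3: re-issue the existing trust so that this domain gets its own
# federation brand URI. Federated users of this domain cannot sign in until
# this call completes successfully (see the Warning above).
Update-MsolFederatedDomain -DomainName $ExistingDomain -SupportMultipleDomain

# Step 4: every further domain must also be added or converted with
# -SupportMultipleDomain, otherwise the shared URI collides and the
# "federation service identifier ... is already in use" error returns.
foreach ($domain in $AdditionalDomains) {
    $entry = Get-MsolDomain -DomainName $domain -ErrorAction SilentlyContinue
    if ($null -eq $entry) {
        # Domain is not yet in the tenant: add it as a federated domain.
        New-MsolFederatedDomain -DomainName $domain -SupportMultipleDomain
    }
    elseif ($entry.Authentication -eq 'Managed') {
        # Domain exists but is managed: convert it to federated in place.
        Convert-MsolDomainToFederated -DomainName $domain -SupportMultipleDomain
    }
    else {
        # Already federated: re-issue it with the switch so its URI is unique too.
        Update-MsolFederatedDomain -DomainName $domain -SupportMultipleDomain
    }
}

# Check: list each federated domain with its issuer URI so you can confirm
# that no two domains share the same federation brand URI.
Get-MsolDomain | Where-Object { $_.Authentication -eq 'Federated' } | ForEach-Object {
    $settings = Get-MsolDomainFederationSettings -DomainName $_.Name
    [pscustomobject]@{ Domain = $_.Name; IssuerUri = $settings.IssuerUri }
}
```

When a domain is new to the tenant, New-MsolFederatedDomain first registers it and requires proof of DNS ownership before the federation setup can complete, so that branch is normally run a second time after the verification record has been published. The final check is the one worth keeping after any later change: if two domains report the same IssuerUri, the trust for one of them was created without the switch and Step 4 has to be repeated for it.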
Implement an AD FS Federation Service farm to federate every cloud service domain for which SSO features will be used. AD FS implementation guidance for Office 365 can be found at the following Microsoft websites:
Article ID: 2618887 - Last Review: July 9, 2014 - Revision: 18.0