Single sign-on (SSO) in a Microsoft cloud service such as Office 365, Microsoft Azure, or Microsoft Intune depends on an on-premises deployment of Active Directory Federation Services (AD FS) that functions correctly. Several scenarios require rebuilding the configuration of the federated domain in AD FS to correct technical problems. This article contains step-by-step guidance on how to update or to repair the configuration of the federated domain.
How to update the configuration of the federated domain
The configuration of the federated domain has to be updated in the scenarios that are described in the following Microsoft Knowledge Base articles.
2713898 "There was a problem accessing the site" error from AD FS when a federated user signs in to Office 365, Azure, or Intune
2535191""Sorry, but we're having trouble signing you in" and "80048163" error when a federated user tries to sign in to Office 365, Azure, or Intune
2647020 "Sorry, but we're having trouble signing you in" and "80041317" or "80043431" error when a federated user tries to sign in to Office 365, Azure, or Intune
2748507 Single sign-on (SSO) authentication for other SSO-enabled domains stops working after you run the convert-MSOLDomainToStandard cmdlet
To update the configuration of the federated domain on a domain-joined computer that has Azure Active Directory Module for Windows PowerShell installed, follow these steps:
Click Start, click All Programs, click Windows Azure Active Directory, and then click Windows Azure Active Directory Module for Windows PowerShell.
At the command prompt, type the following commands, and press Enter after each command:
$cred = get-credential
Note When you're prompted, enter your cloud service administrator credentials.
Notes Using the –supportmultipledomain switch is required when multiple top-level domains are federated by using the same AD FS federation service.
In these commands, the placeholder <Federated Domain Name> represents the name of the domain that is already federated.
Important A script is available to automate the update of federation metadata regularly to make sure that changes to the AD FS token signing certificate are replicated correctly.
The script creates a Windows scheduled task on the primary AD FS server to make sure that changes to the AD FS configuration such as trust info, signing certificate updates, and so on are propagated regularly to the Azure Active Directory (Azure AD).
If the token-signing certificate is automatically renewed in an environment where the script is implemented, the script will update the cloud trust info to prevent downtime that is caused by out-of-date cloud certificate info. A step-by-step deployment procedure is located at the following Microsoft website:
The following steps should be planned carefully. Users for whom the SSO functionality is enabled in the federated domain will be unable to authenticate during this operation from the completion of step 4 until the completion of step 5. If the update-MSOLFederatedDomain cmdlet test in step 1 is not followed successfully, step 5 will not finish correctly. Federated users will be unable to authenticate until the update-MSOLFederatedDomain cmdlet can be run successfully.
Run the steps in the "How to update the federated domain configuration" section earlier in this article to make sure that the update-MSOLFederatedDomain cmdlet finished successfully.
If the cmdlet did not finish successfully, do not continue with this procedure. Instead, see the "Known issues that you may encounter when you update or repair a federated domain" section later in this article to troubleshoot the issue.
If the cmdlet finishes successfully, leave the Command Prompt window open for later use.
Log on to the AD FS server. To do this, click Start, point to All Programs, point to Administrative Tools, and then click AD FS (2.0) Management.
In the left navigation pane, click AD FS (2.0), click Trust Relationships, and then click Relying Party Trusts.
In the rightmost pane, delete the Microsoft Office 365 Identity Platform entry.
In the Windows PowerShell window that you opened in step 1, re-create the deleted trust object. To do this, run the following command, and then press Enter: