Step 1: Install Update Rollup 1 for AD FS 2.0
On each node of the AD FS 2.0 Federation Service farm, download and install Update Rollup 1 for AD FS 2.0. For more information about how to download and install Update Rollup 1 for AD FS 2.0, click the following article number to view the article in the Microsoft Knowledge Base:
Step 2: Check that the update-MSOLFederatedDomain cmdlet can be run successfully against the AD FS environment
- Click Start, point to All Programs, point to Windows Azure Active Directory, right-click Windows Azure Active Directory Module for Windows PowerShell and select Run As Administrator.
- At the command prompt, run the following cmdlets in the order in which they are presented. Press Enter after each cmdlet.
Note When you are prompted, enter your cloud service global administrator credentials.
Set-MSOLADFSContext -Computer <AD FS 2.0 server name>
Note In this command, <AD FS 2.0 server name> is the computer name of a node in the AD FS Federation Service farm.
Update-MSOLFederatedDomain -DomainName <Federated Domain Name>
Note In this command, <Federated Domain Name> is the name of the domain that's already federated with Azure AD for single sign-on (SSO).
Leave the Command Prompt window open for later use.
- If the update-MSOLFederatedDomain cmdlet is successful and you do not receive error messages, go to step 3 to remove the federated trust from the AD FS server.
Step 3: Update the federated trust on the AD FS server
Warning The following steps should be planned carefully. Users for whom SSO functionality is enabled in the federated domain will be unable to authenticate between the completion of steps C and D. If the update-MSOLFederatedDomain cmdlet test in step 2 was not completed successfully, step D of this procedure will not finish correctly. Federated users will be unable to authenticate until the update-MSOLFederatedDomain cmdlet can be run successfully.
- Log on to the console of the AD FS server, click Start, point to All Programs, point to Administrative Tools, and then click AD FS (2.0) Management.
- In the left navigation pane, click AD FS (2.0), click Trust Relationships, and then click Relying Party Trusts.
- In the pane on the right side, delete the Microsoft Office 365 Identity Platform entry.
- Re-create the deleted trust object by using the -supportmultipledomain switch. In the PowerShell window that's open from step 1C, run the following cmdlet, and then press Enter:
Update-MSOLFederatedDomain -DomainName <Federated Domain Name> -supportmultipledomain
Note In this command, <Federated Domain Name> is the name of the domain that's already federated with the cloud service for SSO.
Step 4: Use the -supportmultipledomain switch to add or convert additional federated domains
After you update the existing trust in step 2, use the -supportmultipledomain switch to add or convert additional federated domains. This switch tells the cmdlet to use a unique URI namespace for each domain that's federated by the cloud service. To do this, use one of the following cmdlet syntaxes:
New-MSOLFederatedDomain -domainname <domain name> -supportmultipledomain
Convert-MSOLDomainToFederated -domainname <domain name> -supportmultipledomain
Note In this command, <domain name> represents the name of the domain that you are trying to federate.
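The following script is an added example that is not part of this article; it wraps the procedure above so that the trust is only touched after the step 2 pre-check succeeds, and then confirms that every federated domain ended up with its own IssuerUri. It assumes the Windows Azure Active Directory Module (MSOnline) and the AD FS 2.0 snap-in are installed, and that $AdfsServer and $Domains are placeholders you replace with your own values.

```powershell
# Added example, not from the KB article. Gate the trust re-creation on the step 2
# pre-check, then verify that -SupportMultipleDomain gave each domain a distinct IssuerUri.
Import-Module MSOnline
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$AdfsServer = 'ADFS01'                          # placeholder: a node of the AD FS 2.0 farm
$Domains    = @('contoso.com', 'fabrikam.com')  # placeholder: domains to federate

Connect-MsolService                              # prompts for global administrator credentials
Set-MsolADFSContext -Computer $AdfsServer

# Step 2 pre-check. If this fails, do NOT delete the relying party trust (step 3):
# the re-creation would fail as well and federated users would be locked out.
function Test-FederationUpdate([string]$Domain) {
    try {
        Update-MsolFederatedDomain -DomainName $Domain -ErrorAction Stop
        return $true
    } catch {
        Write-Warning "Pre-check failed for ${Domain}: $($_.Exception.Message)"
        return $false
    }
}

# Post-change verification: every federated domain must carry a distinct IssuerUri,
# otherwise the cloud service cannot tell which domain a token was issued for.
function Test-UniqueIssuerUri([string[]]$DomainNames) {
    $uris = foreach ($d in $DomainNames) {
        (Get-MsolDomainFederationSettings -DomainName $d).IssuerUri
    }
    $dupes = @($uris | Group-Object | Where-Object { $_.Count -gt 1 })
    foreach ($g in $dupes) { Write-Warning "IssuerUri shared by several domains: $($g.Name)" }
    return ($dupes.Count -eq 0)
}

if (-not (Test-FederationUpdate $Domains[0])) {
    throw 'Stop: fix the AD FS environment before removing the relying party trust.'
}

# Step 3 (manual in the article): delete the "Microsoft Office 365 Identity Platform" trust
# in AD FS 2.0 Management, then re-create it with the switch.
Update-MsolFederatedDomain -DomainName $Domains[0] -SupportMultipleDomain

# Step 4: add or convert the remaining domains with the same switch.
foreach ($d in ($Domains | Select-Object -Skip 1)) {
    Convert-MsolDomainToFederated -DomainName $d -SupportMultipleDomain
}

# Confirm the trust exists again and the namespaces are unique before declaring the change done.
if (-not (Get-AdfsRelyingPartyTrust -Name 'Microsoft Office 365 Identity Platform')) {
    throw 'Relying party trust was not re-created.'
}
Test-UniqueIssuerUri $Domains
```

Run it from the Windows Azure Active Directory Module for Windows PowerShell started as administrator, as in step 2; the manual deletion in step 3 still has to be done in the console between the pre-check and the re-creation.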
Step-by-step implementation guidance
- Plan for and deploy Active Directory Federation Services 2.0 for use with single sign-on
- Office 365 community: Directory Integration Services discussion forum
- Office 365 community: Directory Integration Services wiki
Article ID: 2618887 - Last Review: Dec 16, 2016 - Revision: 1