The ‘ SupportMultipleDomains’ switch creates a third claim rule when you add or update a federated domain for the first time so the Office 365 relying party trust is configured to identify multiple domains. You’ll have to specify the ‘SupportMultipleDomains’ switch the first time you add a federated domain, otherwise the cmdlet errors out with the following error messages.
‘The switch parameter SupportMultipleDomain is not supported here’
‘The federation service identifier specified in the Active Directory Federation Services 2.0 server is already in use.’
Documentation states that you’ll have to delete the relying party trust manually and recreate it again (with the third claim rule) by executing any ‘MsolFederatedDomain’ cmdlet using the ‘-SupportMultipleDomains‘ switch. But you can also try my quick solution and execute the code snippets below to update the claim rules and then update the existing domains with the ‘Set-MsolDomainFederationSettings‘ cmdlet.
|
1 2 3 4 5 6 7 8 9 10 |
$Claims = @' c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/UPN", "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), query = "samAccountName={0};userPrincipalName,objectGUID;{1}", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value); c:[Type == "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value = c.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"); c:[Type == "http://schemas.xmlsoap.org/claims/UPN"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = regexreplace(c.Value, ".+@(?<domain>.+)", "http://${domain}/adfs/services/trust/")); '@ Set-ADFSRelyingPartyTrust -TargetName 'Microsoft Office 365 Identity Platform' -IssuanceTransformRules $Claims |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
$Domain = 'customer.com' # ADFS Federation Settings $Brand = 'Contoso' $ActiveSO = 'https://sts.contoso.com/adfs/services/trust/2005/usernamemixed' $PLUri = 'https://sts.contoso.com/adfs/ls/' $IssuerUri = "http://$Domain/adfs/services/trust/" # NOTICE the $Domain variable $Metadata = 'https://sts.contoso.com/adfs/services/trust/mex' # Public key of the ADFS code signing certificate, this is an example $Cert = "MIIC3jCCAcaGAwIBAiIQZy18ai4/1qNKekSKawAD2jBNAgkqhkiG9w0BAQsFADArMSkwJwYDVRRDEyBBREZTIFNpZ25bpmcgLSBzdHNud1Vya29ubG..SHORTENED..fXunm6+Tp0e11zorVaeA4nu46fAKnf9+E/Iumw1GcC/Kca4T+8SaWp8Zjip74zCY4zPOQ" # Set new Federation properties Set-MsolDomainFederationSettings –DomainName $Domain -FederationBrandName $brand -PassiveLogOnUri $PLUri -SigningCertificate $Cert -IssuerUri $IssuerUri -ActiveLogOnUri $ActiveSO -LogOffUri $PLUri -MetadataExchangeUri $metadata |
