Name Change Office 365 Hybrid ADConnect Covert Managed Domain

MaBa217 1 Reputation point
2020-12-16T16:45:56.367+00:00

Hi Guys,

One of our companies wants to change its company name. Our current Office 365 tenant has multiple federated domains. We use Azure AD Connect to sync changes from on-prem AD to Office 365. Our primary domain is onmicrosoft.com because we have about 30 operating companies. The main domains for those companies are federated.

The new domain is configured as a managed domain and I want to convert it to a federated domain. After some research I saw that I need to execute this command on the ADFS server:

Convert-MsolDomainToFederated -DomainName domain.com -SupportMultipleDomain

Is the SupportMultipleDomain switch really required? I don't want to make this my primary domain.

Is this the only thing I need to do to convert it into a federated domain?

Do I need to add this domain or refresh AD Connect to include this new domain?

Any help is much appreciated!


1 answer

  1. mirba-msft 651 Reputation points Microsoft Employee
    2020-12-17T12:55:44.023+00:00

    Hello @MaBa217

    Thank you for reaching out to us.

    In reference to your questions please find the answers below

    Is the SupportMultipleDomain Switch really required ? I don't want to make this my primary domain.

    When you attempt to convert the new managed domain to a federated domain without using SupportMultipleDomain, an error occurs. The reason is that Azure AD has a constraint that does not allow the IssuerUri property to have the same value for more than one domain.
    To work around this constraint, you need to add a different IssuerUri, which can be done by using the -SupportMultipleDomain parameter. That is the reason SupportMultipleDomain is required.

    Is this the only thing i need to do for converting it into the federated domain ?

    In order to use the -SupportMultipleDomain switch when attempting to add new or convert already existing domains, your federated trust needs to have already been set up to support them.

    If you did not set up the federated trust between AD FS and your instance of Azure AD, you may need to re-create this trust. The reason is, when it is originally set up without the -SupportMultipleDomain parameter, the IssuerUri is set with the default value. In the screenshot below, you can see the IssuerUri is set to https://adfs.bmcontoso.com/adfs/services/trust.
    If you have successfully added a new domain in the Azure AD portal and then attempt to convert it using Convert-MsolDomainToFederated -DomainName <your domain>, you will get the following error.

    [screenshot: error returned by Convert-MsolDomainToFederated without -SupportMultipleDomain]

    If you try to add the -SupportMultipleDomain switch, you will receive the following error:

    [screenshot: error returned by Convert-MsolDomainToFederated with -SupportMultipleDomain]

    Simply trying to run Update-MsolFederatedDomain -DomainName <your domain> -SupportMultipleDomain on the original domain will also result in an error.

    [screenshot: error returned by Update-MsolFederatedDomain on the original domain]

    Use the steps below to add an additional top-level domain. If you have already added a domain and did not use the -SupportMultipleDomain parameter, start with the steps for removing and updating your original domain. If you have not added a top-level domain yet, you can start with the steps for adding a domain using PowerShell or Azure AD Connect.

    Use the following steps to remove the Microsoft Online trust and update your original domain.

    1. On your AD FS federation server open AD FS Management.
    2. On the left, expand Trust Relationships and Relying Party Trusts
    3. On the right, delete the Microsoft Office 365 Identity Platform entry.

    [screenshot: AD FS Management, Relying Party Trusts, Microsoft Office 365 Identity Platform entry]

    1. On a machine that has Azure Active Directory Module for Windows PowerShell installed on it run the following: $cred=Get-Credential.
    2. Enter the username and password of a global administrator for the Azure AD domain you are federating with.
    3. In PowerShell, enter Connect-MsolService -Credential $cred
    4. In PowerShell, enter Update-MSOLFederatedDomain -DomainName <Federated Domain Name> -SupportMultipleDomain. This update is for the original domain. So using the above domains it would be: Update-MsolFederatedDomain -DomainName bmcontoso.com -SupportMultipleDomain

    Use the following steps to add the new top-level domain using PowerShell

    1. On a machine that has Azure Active Directory Module for Windows PowerShell installed on it run the following: $cred=Get-Credential.
    2. Enter the username and password of a global administrator for the Azure AD domain you are federating with
    3. In PowerShell, enter Connect-MsolService -Credential $cred
    4. In PowerShell, enter New-MsolFederatedDomain -SupportMultipleDomain -DomainName <your domain>

    Use the following steps to add the new top-level domain using Azure AD Connect.

    1. Launch Azure AD Connect from the desktop or start menu
    2. Choose “Add an additional Azure AD Domain” [screenshot]
    3. Enter your Azure AD and Active Directory credentials
    4. Select the second domain you wish to configure for federation.

    [screenshot: Azure AD Connect, selecting the domain to federate]

    More information about this process can be found in this link.

    In case you have any questions on the same, you can surely let us know and we will be happy to help you further. If this post provides you the answer you were looking for, do accept it as an answer in the interest of community members with similar queries. If this does not answer, please ask further in the comments and we will be happy to address your concerns.
    Thank you.

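Added example (not part of the question or the answer above): a pre-flight script that checks whether the existing trust was set up with per-domain IssuerUri values before running the conversion, so the IssuerUri-uniqueness error described in the answer is caught beforehand rather than after a failed Convert. It assumes the MSOnline module, a global administrator account, and the placeholder domain names shown; the IssuerUri pattern check is based on the behaviour the answer describes (default farm IssuerUri when -SupportMultipleDomain was not used).

```powershell
# Added example, not from the original post. Placeholders: replace both domain names.
$existingFederated = "bmcontoso.com"   # a domain already federated through this AD FS farm
$newDomain         = "newcompany.com"  # the verified, managed domain to convert

Connect-MsolService -Credential (Get-Credential)

# 1. The domain to convert must be verified and currently Managed.
$d = Get-MsolDomain -DomainName $newDomain
if ($d.Status -ne "Verified" -or $d.Authentication -ne "Managed") {
    throw "$newDomain is $($d.Status)/$($d.Authentication); expected Verified/Managed"
}

# 2. Inspect the IssuerUri of a domain already federated with this farm.
#    A trust created without -SupportMultipleDomain carries the farm's default
#    IssuerUri (https://<adfs host>/adfs/services/trust), which cannot be reused
#    for a second domain. With the switch, the IssuerUri contains the domain name,
#    so each federated domain gets a unique value (assumption based on the answer).
$fed = Get-MsolDomainFederationSettings -DomainName $existingFederated
if ($fed.IssuerUri -notlike "*$existingFederated*") {
    Write-Warning "Trust for $existingFederated uses the default IssuerUri '$($fed.IssuerUri)'."
    Write-Warning "Update the original domain first: Update-MsolFederatedDomain -DomainName $existingFederated -SupportMultipleDomain"
    return
}

# 3. Convert the new domain; -SupportMultipleDomain assigns it its own IssuerUri.
Convert-MsolDomainToFederated -DomainName $newDomain -SupportMultipleDomain

# 4. Confirm the result: Authentication should now be Federated with a domain-specific IssuerUri.
Get-MsolDomain -DomainName $newDomain | Select-Object Name, Status, Authentication
Get-MsolDomainFederationSettings -DomainName $newDomain |
    Select-Object FederationBrandName, IssuerUri, PassiveLogOnUri
```

Run it on the AD FS server in the same session you would use for Convert-MsolDomainToFederated, since the conversion step writes the relying party trust configuration there.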