Thursday, 24 September 2015

AD FS 3.0 Configuring SSO for Multiple Domains/UPN Suffixes

Active Directory Federation Services 3.0 supports SSO for multiple domains by default. In previous versions of AD FS (2.0 and 2.1) a number of updates were required before it could support this. At one stage, if an organization required AD FS SSO for multiple domains, it had to deploy multiple AD FS infrastructures.

If you are using Office 365 and currently have multiple UPN Suffixes in your organization, the way in which you convert your domain to a "federated" domain is slightly different than the way you would configure it with a single domain.

At a high level you must have the following configured to ensure you can use SSO with multiple domain names:

Additional UPN Suffixes defined under Active Directory Domains and Trusts
Additional Domains configured within Office 365

In my environment my primary domain is domain.com; this is the FQDN my Active Directory domain uses. I am going to configure my AD FS/Office 365 to support SSO for domain1.com and domain2.com.


You can add additional domains in Office 365 from the Dashboard, then Add Domain.


Once additional UPN suffixes are added to the domain, you can choose which UPN suffix a given account uses from the Account tab of that user account's properties dialog.


The following commands are required if you have already converted your primary domain to a federated domain and SSO is working for the primary domain only. They first revert the primary domain to a non-federated (standard) domain, which removes the Office 365 Relying Party Trust from the AD FS infrastructure. The commands then recreate the Relying Party Trust and convert the primary domain back to being federated. The -SupportMultipleDomain switch is the important part here.
# Sign in to the Office 365 tenant and point the MSOnline module at the AD FS server.
Connect-MsolService
Set-MsolAdfsContext -Computer "adfs.domain.com"
# Revert the primary domain (not the AD FS host name) to standard authentication.
# -PasswordFile is required by the cmdlet; it receives temporary passwords for any
# converted users, so it stays empty here because -SkipUserConversion is set.
Convert-MsolDomainToStandard -DomainName "domain.com" -SkipUserConversion $True -PasswordFile "C:\temp\passwords.txt"
Set-MsolAdfsContext -Computer "adfs.domain.com"
# Recreate the Relying Party Trust with multi-domain support, then federate the additional suffixes.
Convert-MsolDomainToFederated -DomainName "domain.com" -SupportMultipleDomain
Convert-MsolDomainToFederated -DomainName "domain1.com" -SupportMultipleDomain
Convert-MsolDomainToFederated -DomainName "domain2.com" -SupportMultipleDomain
# Push the updated federation settings (issuer URI, signing certificate) for each additional domain.
Update-MsolFederatedDomain -DomainName "domain1.com" -SupportMultipleDomain
Update-MsolFederatedDomain -DomainName "domain2.com" -SupportMultipleDomain

If you have not yet configured your domain to be federated, you can skip the Convert-MsolDomainToStandard step.
You can check that everything has worked correctly by using the following command:
Get-MsolDomain
All of your domains should now show Federated under Authentication.
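Beyond confirming the Authentication column, it is worth checking that each federated domain received its own IssuerUri (the reason -SupportMultipleDomain is needed at all) and that every domain's sign-in endpoint points at your own AD FS farm. The following script is an added example, not part of the original post; it assumes the MSOnline module is loaded, Connect-MsolService has already run, and "adfs.domain.com" is the expected AD FS host for this environment.

```powershell
# Added verification script (not from the original post). Assumes Connect-MsolService
# has already been run and that adfs.domain.com is this environment's AD FS host.
function Test-FederatedDomains {
    param([string]$AdfsHost = "adfs.domain.com")
    $issuers  = @{}
    $problems = @()
    foreach ($d in Get-MsolDomain | Where-Object { $_.Status -eq "Verified" }) {
        if ($d.Authentication -ne "Federated") {
            $problems += "$($d.Name): authentication is $($d.Authentication), expected Federated"
            continue
        }
        $fs = Get-MsolDomainFederationSettings -DomainName $d.Name
        # With -SupportMultipleDomain each domain gets a distinct IssuerUri of the form
        # http://<domain>/adfs/services/trust/; a duplicate means the switch was missed.
        if ($issuers.ContainsKey($fs.IssuerUri)) {
            $problems += "$($d.Name): IssuerUri $($fs.IssuerUri) duplicates $($issuers[$fs.IssuerUri])"
        } else {
            $issuers[$fs.IssuerUri] = $d.Name
        }
        # The passive sign-in endpoint must be our AD FS farm; anything else would
        # redirect users' credentials to a host we do not control.
        $endpointHost = ([uri]$fs.PassiveLogOnUri).Host
        if ($endpointHost -ne $AdfsHost) {
            $problems += "$($d.Name): PassiveLogOnUri host is $endpointHost, expected $AdfsHost"
        }
        # SigningCertificate is the base64 DER token-signing cert Azure AD trusts for
        # this domain; flag it if it is within 30 days of expiry or already expired.
        $raw  = [Convert]::FromBase64String($fs.SigningCertificate)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$raw)
        if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
            $problems += "$($d.Name): token-signing certificate expires $($cert.NotAfter)"
        }
    }
    return $problems
}

$result = Test-FederatedDomains
if ($result.Count -eq 0) {
    Write-Host "All verified domains are federated with unique issuers and the expected AD FS endpoint."
} else {
    $result | ForEach-Object { Write-Warning $_ }
}
```

Run this after the Update-MsolFederatedDomain commands; a duplicate IssuerUri or a non-federated domain is the usual sign that one of the conversion steps was skipped.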