Office 365 SSO: Configuring multiple Office 365 tenants to use a single AD FS instance

Q: Can multiple Office 365 tenants use a single AD FS instance to provide SSO?

A: Yes

Overview

  • Office 365 tenant 1 is configured with the domain contoso.com
  • Office 365 tenant 2 is configured with the domain sub.contoso.com
  • Single Active Directory Forest with multiple UPNs configured (contoso.com and sub.contoso.com)
  • Single AD FS instance including an AD FS Proxy/Web Application Proxy published with the name sts.contoso.com
  • Two instances of Azure ADConnect configured with container filtering to ensure users are only synchronised to a single tenant

Configuring SSO

The Federation Trust for Tenant 1 is configured by establishing a Remote PowerShell session (with the Azure Active Directory Module loaded) and running the standard ‘Convert-MsolDomainToFederated’ cmdlet:

Convert-MsolDomainToFederated -DomainName contoso.com -SupportMultipleDomain

When it comes to configuring Tenant 2, things become a little more tricky. One of the features of the ‘Convert-MsolDomainToFederated’ cmdlet is that it performs the required configuration on Office 365 as well as on the AD FS Farm. If you attempt to run this cmdlet against an AD FS Farm that already has a Federation Trust established with a different tenant, it will fail and return an error. Therefore, we need to make use of the ‘Set-MsolDomainAuthentication’ cmdlet, which only makes configuration changes to Office 365 and is usually used for establishing Federation Trusts with third-party IdPs.

The first step is to export the token-signing certificate from the AD FS farm either via Windows Certificate Manager or via PowerShell:

# Retrieve the farm's token-signing certificates; [0] takes the first one returned
$certRefs = Get-AdfsCertificate -CertificateType Token-Signing
# Export the public certificate only (DER encoded, no private key)
$certBytes = $certRefs[0].Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes("c:\temp\tokensigning.cer", $certBytes)

Next, establish a Remote PowerShell session with Tenant 2 and then run the following script to configure the trust:

# Load the exported token-signing certificate and base64-encode it for the tenant
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\temp\tokensigning.cer")
$certData = [System.Convert]::ToBase64String($cert.RawData)
$dom = "sub.contoso.com"
# Passive (browser) sign-in endpoint of the AD FS farm
$url = "https://sts.contoso.com/adfs/ls/"
# Per-domain issuer URI, as emitted by a farm configured with -SupportMultipleDomain
$uri = "http://sub.contoso.com/adfs/services/trust/"
# Active (rich client) endpoint
$ura = "https://sts.contoso.com/adfs/services/trust/2005/usernamemixed"
$logouturl = "https://sts.contoso.com/adfs/ls/"
$metadata = "https://sts.contoso.com/adfs/services/trust/mex"
# Command to enable SSO: only the Office 365 side is changed, AD FS is left untouched
Set-MsolDomainAuthentication -DomainName $dom -Authentication Federated -ActiveLogOnUri $ura -PassiveLogOnUri $url -MetadataExchangeUri $metadata -SigningCertificate $certData -IssuerUri $uri -LogOffUri $logouturl -PreferredAuthenticationProtocol WsFed

Once both trusts are in place, the configuration of each tenant can be validated using the ‘Get-MsolDomainFederationSettings’ cmdlet. The only differences when comparing the two tenants' settings should be the ‘FederationBrandName’ and the ‘IssuerUri’ values.
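As an added example (not part of the original post), the following script performs that comparison for both tenants and also checks each tenant's signing certificate against the primary token-signing certificate of the AD FS farm, which is useful after a token-signing certificate rollover. It assumes it runs on an AD FS server with the MSOnline module installed, uses the domain names from the post, and prompts for an admin credential per tenant.

```powershell
# Added example, not code from the original post. Compares each tenant's federation
# settings with the AD FS farm that backs them. Assumes the ADFS and MSOnline modules
# are available; domain and STS names follow the post, credentials are prompted for.

function Get-TenantFederationState {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    # Connect-MsolService binds the session to one tenant, so each tenant is queried separately
    Connect-MsolService -Credential $Credential
    $fed = Get-MsolDomainFederationSettings -DomainName $DomainName
    # The tenant stores the token-signing certificate as base64 DER; load it to get a thumbprint
    $bytes = [Convert]::FromBase64String($fed.SigningCertificate)
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
    [pscustomobject]@{
        Domain       = $DomainName
        Brand        = $fed.FederationBrandName
        IssuerUri    = $fed.IssuerUri
        PassiveLogOn = $fed.PassiveLogOnUri
        ActiveLogOn  = $fed.ActiveLogOnUri
        Thumbprint   = $cert.Thumbprint
        NotAfter     = $cert.NotAfter
    }
}

# Primary token-signing certificate of the farm that both tenants are expected to trust
$adfsThumbprint = (Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object IsPrimary).Thumbprint

$states = @(
    Get-TenantFederationState -DomainName "contoso.com"     -Credential (Get-Credential -Message "Tenant 1 admin")
    Get-TenantFederationState -DomainName "sub.contoso.com" -Credential (Get-Credential -Message "Tenant 2 admin")
)

foreach ($s in $states) {
    # With -SupportMultipleDomain the issuer is per domain: http://<domain>/adfs/services/trust/
    $expectedIssuer = "http://$($s.Domain)/adfs/services/trust/"
    $issuerOk = $s.IssuerUri -eq $expectedIssuer
    $certOk   = $s.Thumbprint -eq $adfsThumbprint
    "{0}: issuer {1}; signing cert {2} (expires {3:yyyy-MM-dd})" -f $s.Domain,
        $(if ($issuerOk) { "OK" } else { "MISMATCH, tenant has $($s.IssuerUri)" }),
        $(if ($certOk)   { "matches AD FS" } else { "STALE, tenant has $($s.Thumbprint)" }),
        $s.NotAfter
}

# Everything except Brand and IssuerUri should be identical across the two tenants
$states | Select-Object Domain, Brand, IssuerUri, PassiveLogOn, ActiveLogOn, Thumbprint | Format-Table -AutoSize
```

A "STALE" result on Tenant 2 means the certificate exported in the steps above no longer matches the farm and the Set-MsolDomainAuthentication step must be repeated with the current certificate.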

Category:
ADFS, Office 365
Richard (Guest)

Great post, thank you for documenting this scenario.

binaryhero (Guest)

Good post! But this would still imply that one user can only authenticate to one tenant – because they would only have one UPN – correct?

JP (Guest)

David, is this a supported scenario by Microsoft?

Thomas (Guest)

Great information.

Could a single tenant use multiple AD FS instances for authentication?

e.g. domain1.com uses ADFS farm sts.domain1.com
and
domain2.com uses ADFS farm sts.domain2.com

domain1.com and domain2.com are part of the same tenant.

Thanks.

Mark C (Guest)

Excellent post. Helped me a lot.

MattA (Guest)

Has anyone tried this with two different Proxy servers as well? Our situation is unique in that we’d want to brand the proxy login page (and different language) according to which of the domains/UPNs are logging on. Would that be possible?

kalpesh.surjiani@gmail.com (Guest)

Hi David,

Is this possible when we have 2 different accounts, i.e. Exchange Online Plan 2 & Office 365 E3?

Lucian Franghiu (Admin)

Hey Kalpesh, yes, you can have a mixed license environment in your tenant. Some users can have an EP2 license and others an E3.

Also FYI:
I don’t know why you would do this, but you can have an E3 with EXO unticked, and an EP2 for the same user. Odd one, but I hope I haven’t confused you!?!

Cheers,
Lucian

Bruno (Guest)

Hi all,

I have a question.
In my organization we have an on-prem Exchange 2010 with about 30 customers (one single forest with about 30 UPN suffixes added).
We need to move to Office 365, and every customer has its own tenant.

Is this solution the best? I have to create about 30 servers with Azure AD Connect.
But I only need one AD FS Proxy/Web Application Proxy, correct?

Thanks
