Q: Can multiple Office 365 tenants use a single AD FS instance to provide SSO?
- Office 365 tenant 1 is configured with the domain contoso.com
- Office 365 tenant 2 is configured with the domain sub.contoso.com
- Single Active Directory Forest with multiple UPNs configured (contoso.com and sub.contoso.com)
- Single AD FS instance including an AD FS Proxy/Web Application Proxy published with the name sts.contoso.com
- Two instances of Azure AD Connect configured with container filtering to ensure users are only synchronised to a single tenant
The Federation Trust for Tenant 1 is configured by establishing a Remote PowerShell session (with the Azure Active Directory Module loaded) and running the standard ‘Convert-MsolDomainToFederated’ cmdlet:
```powershell
Convert-MsolDomainToFederated -DomainName contoso.com -SupportMultipleDomain
```
Configuring Tenant 2 is trickier. The ‘Convert-MsolDomainToFederated’ cmdlet performs the required configuration on Office 365 as well as on the AD FS Farm. If you attempt to run this cmdlet against an AD FS Farm that already has a Federation Trust established with a different tenant, it will fail and return an error. Therefore, we need to use the ‘Set-MsolDomainAuthentication’ cmdlet, which only makes configuration changes to Office 365 and is usually used for establishing Federation Trusts with third-party IdPs.
The first step is to export the token-signing certificate from the AD FS farm either via Windows Certificate Manager or via PowerShell:
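```powershell
# Run on an AD FS server. Assumes the farm has a single token-signing certificate.
$certRefs = Get-AdfsCertificate -CertificateType Token-Signing
# Export the public certificate only (DER-encoded .cer, no private key)
$certBytes = $certRefs.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes("c:\temp\tokensigning.cer", $certBytes)
```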
Next, establish a Remote PowerShell session with Tenant 2 and then run the following script to configure the trust:
```powershell
# Load the exported token-signing certificate and Base64-encode it
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\temp\tokensigning.cer")
$certData = [System.Convert]::ToBase64String($cert.RawData)

# Federation settings for the Tenant 2 domain
$dom = "sub.contoso.com"
$url = "https://sts.contoso.com/adfs/ls/"
$uri = "http://sub.contoso.com/adfs/services/trust/"
$ura = "https://sts.contoso.com/adfs/services/trust/2005/usernamemixed"
$logouturl = "https://sts.contoso.com/adfs/ls/"
$metadata = "https://sts.contoso.com/adfs/services/trust/mex"

# Command to enable SSO
Set-MsolDomainAuthentication -DomainName $dom -Authentication Federated -ActiveLogOnUri $ura -PassiveLogOnUri $url -MetadataExchangeUri $metadata -SigningCertificate $certData -IssuerUri $uri -LogOffUri $logouturl -PreferredAuthenticationProtocol WsFed
```
Once configured, the configuration of both tenants can be validated using the ‘Get-MsolDomainFederationSettings’ cmdlet. The only difference when comparing the tenant configuration should be the ‘FederationBrandName’ and the ‘IssuerUri’ values.
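The comparison described above can be scripted so that any difference other than the two expected ones, such as a mismatched signing certificate, is flagged. This is an added example, not part of the original article: `Compare-FederationSettings` is a hypothetical helper name, and the sample objects (brand names, certificate placeholders) are constructed stand-ins for the output of ‘Get-MsolDomainFederationSettings’ in each tenant's session.

```powershell
# Added example, not from the original article; Compare-FederationSettings is a
# hypothetical helper name.
function Compare-FederationSettings {
    param(
        [Parameter(Mandatory)] $Tenant1,
        [Parameter(Mandatory)] $Tenant2,
        # The two properties the article says should differ between the tenants
        [string[]] $ExpectedToDiffer = @('FederationBrandName', 'IssuerUri')
    )
    $names = @($Tenant1.PSObject.Properties.Name) + @($Tenant2.PSObject.Properties.Name) |
        Sort-Object -Unique
    foreach ($name in $names) {
        $v1 = [string]$Tenant1.$name
        $v2 = [string]$Tenant2.$name
        # -cne is case-sensitive, which matters for the Base64 certificate data
        if ($v1 -cne $v2) {
            [pscustomobject]@{
                Property = $name
                Expected = $ExpectedToDiffer -contains $name
                Tenant1  = $v1
                Tenant2  = $v2
            }
        }
    }
}

# Constructed sample for Tenant 1 (stand-in for real cmdlet output)
$t1 = [pscustomobject]@{
    ActiveLogOnUri      = 'https://sts.contoso.com/adfs/services/trust/2005/usernamemixed'
    PassiveLogOnUri     = 'https://sts.contoso.com/adfs/ls/'
    LogOffUri           = 'https://sts.contoso.com/adfs/ls/'
    MetadataExchangeUri = 'https://sts.contoso.com/adfs/services/trust/mex'
    IssuerUri           = 'http://contoso.com/adfs/services/trust/'
    FederationBrandName = 'Contoso (constructed)'
    SigningCertificate  = 'CONSTRUCTED-PLACEHOLDER-CERT-A'
}
# Constructed sample for Tenant 2: the two expected differences plus a
# deliberately mismatched certificate so the check has something to flag
$t2 = $t1.PSObject.Copy()
$t2.IssuerUri           = 'http://sub.contoso.com/adfs/services/trust/'
$t2.FederationBrandName = 'Contoso Sub (constructed)'
$t2.SigningCertificate  = 'CONSTRUCTED-PLACEHOLDER-CERT-B'

$diff = Compare-FederationSettings -Tenant1 $t1 -Tenant2 $t2
$diff | Format-Table Property, Expected -AutoSize
$unexpected = @($diff | Where-Object { -not $_.Expected })
if ($unexpected.Count) { Write-Warning "Unexpected differences: $($unexpected.Property -join ', ')" }
```

Because each tenant requires its own session, one way to feed real data in is to save each tenant's settings with `Export-Clixml` and load both files with `Import-Clixml` before calling the function.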