This article discusses Microsoft Office 365, Microsoft Office 365
Preview, and Microsoft Office 365 pre-upgrade. The info about Office 365
Preview in this article, including any links, is provided as is and is subject
to change without notice.
In Microsoft Office 365, you can't set up a second federated domain on an Active Directory Federation Services (AD FS) 2.0 server. When you use the Windows Azure Active Directory Module for Windows PowerShell to run the new-MSOLFederatedDomain cmdlet or the convert-MSOLDomainToFederated cmdlet, you receive the following error message:
The federation service identifier specified in the Active Directory
Federation Services 2.0 server is already in use. Please correct this value in
the AD FS 2.0 Management console and run the command again.
The Windows Azure Active Directory (Windows Azure AD) authentication
system requires a unique federation brand uniform resource identifier (URI) for
each federated domain. By default, AD FS 2.0 uses a global value for all
federated trusts. When you try to federate a second domain in a scenario where
a federated trust already exists, the request fails because the URI is already
being used.
To resolve the issue, you must use the -supportmultipledomain switch
to add or convert every domain that is federated by Office 365. This includes
federated domains that already exist.
Step 1: Install Update Rollup 1 for AD FS 2.0
On each node of the AD FS 2.0 Federation Service farm, download and install Update Rollup 1 for AD FS 2.0. For more information about how to download and install Update Rollup 1 for AD FS 2.0, click the following article number to view the article in the Microsoft Knowledge Base:
2607496 Description of Update Rollup 1 for Active Directory Federation Services (AD FS) 2.0
Note This update requires a restart of the computer. If you do not restart the computer, you will experience the issue that is described in the following article in the Microsoft Knowledge Base:
2635357 Unable to logon after implementing multiple top level domain or client access policies
Step 2: Check that the update-MSOLFederatedDomain cmdlet can be run successfully against the AD FS 2.0 environment
a. Click Start, point to All Programs, point to Windows Azure Active Directory, right-click Windows Azure Active Directory Module for Windows PowerShell and select Run As Administrator.
b. At the command prompt, run the following cmdlets in the order in which they are presented. Press Enter after each cmdlet.
   a. Connect-MSOLService
      Note When you are prompted, enter your Office 365 global administrator credentials.
   b. Set-MSOLADFSContext -Computer <AD FS 2.0 server name>
      Note In this command, <AD FS 2.0 server name> is the computer name of a node in the AD FS 2.0 Federation Service farm.
   c. Update-MSOLFederatedDomain -DomainName <Federated Domain Name>
      Note In this command, <Federated Domain Name> is the name of the domain that is already federated with Windows Azure AD for single sign-on (SSO). Leave the Command Prompt window open for later use.
- If the update-MSOLFederatedDomain cmdlet is successful and you do not receive error messages, go to step 3 to remove the federated trust from the AD FS 2.0 server.
Step 3: Update the federated trust on the AD FS 2.0 server
Warning The following steps should be planned carefully. Users for whom SSO functionality is enabled in the federated domain will be unable to authenticate between the completion of steps C and D. If the update-MSOLFederatedDomain cmdlet test in step 2 was not completed successfully, step D of this procedure will not finish correctly, and SSO-enabled Office 365 users will be unable to authenticate until the update-MSOLFederatedDomain cmdlet can be run successfully.
a. Log on to the console of the AD FS 2.0 server, click Start, point to All Programs, point to Administrative Tools, and then click AD FS 2.0 Management.
b. In the left navigation pane, click AD FS 2.0, click Trust Relationships, and then click Relying Party Trusts.
c. In the pane on the right side, delete the Microsoft Office 365 Identity Platform entry.
d. Re-create the deleted trust object by using the -supportmultipledomain switch. In the PowerShell window that is open from step 1C, run the following cmdlet, and then press Enter:
   Update-MSOLFederatedDomain -DomainName <Federated Domain Name> -supportmultipledomain
   Note In this command, <Federated Domain Name> is the name of the domain that is already federated with Office 365 for SSO.
Step 4: Use the -supportmultipledomain switch to add or convert additional federated domains
After you update the existing trust in step 2, use the -supportmultipledomain switch to add or convert additional federated domains. This switch instructs the cmdlet to use a unique URI namespace for each domain that is federated by Office 365. To do this, use one of the following cmdlet syntaxes:
- New-MSOLFederatedDomain -domainname <domain name> -supportmultipledomain
- Convert-MSOLDomainToFederated -domainname <domain name> -supportmultipledomain
Note In these commands, <domain name> represents the name of the domain that you are trying to federate.
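The following script is an added example, not part of the Knowledge Base article: it runs steps 2 through 4 in one pass and stops before the trust is deleted if the step 2 pre-check fails, which is the outage condition the warning in step 3 describes. The server and domain names are placeholders, the trust deletion in step 3c is left as the manual console action the article gives, and the Get-MsolDomain and Get-MsolFederationProperty checks use cmdlets from the same module that the article itself does not mention.

```powershell
# Added example (not from the KB article). Replace the placeholder values below.
$AdfsServer     = 'ADFS01'           # placeholder: a node in the AD FS 2.0 farm
$ExistingDomain = 'contoso.com'      # placeholder: domain already federated for SSO
$DomainsToAdd   = @('fabrikam.com')  # placeholder: additional domains to federate

# Step 2: connect and confirm the update cmdlet succeeds against the current trust.
Connect-MSOLService                  # prompts for Office 365 global admin credentials
Set-MSOLADFSContext -Computer $AdfsServer

try {
    Update-MSOLFederatedDomain -DomainName $ExistingDomain -ErrorAction Stop
} catch {
    # Deleting the trust now would leave SSO users unable to sign in (step 3 warning).
    Write-Error "Step 2 pre-check failed for $ExistingDomain; do not delete the trust. $_"
    return
}

# Step 3c stays manual, as in the article: delete the 'Microsoft Office 365 Identity
# Platform' relying party trust in AD FS 2.0 Management. Pausing here keeps the
# sign-in outage limited to the time between that deletion and step 3d.
Read-Host "Delete the Office 365 relying party trust in AD FS 2.0 Management, then press Enter"

# Step 3d: re-create the trust so the existing domain gets its own issuer URI.
Update-MSOLFederatedDomain -DomainName $ExistingDomain -SupportMultipleDomain -ErrorAction Stop

# Step 4: add or convert the remaining domains with the same switch.
foreach ($d in $DomainsToAdd) {
    $dom = Get-MsolDomain -DomainName $d -ErrorAction SilentlyContinue
    if ($null -eq $dom) {
        # Domain not yet in the tenant: add it as federated.
        New-MSOLFederatedDomain -DomainName $d -SupportMultipleDomain
    } elseif ($dom.Authentication -eq 'Managed') {
        # Domain exists but is cloud-authenticated: convert it.
        Convert-MSOLDomainToFederated -DomainName $d -SupportMultipleDomain
    } else {
        Write-Host "$d is already federated; skipping"
    }
}

# Verification: each domain should now report a distinct federation service identifier,
# and the AD FS and Office 365 rows for a domain should agree with each other.
foreach ($d in @($ExistingDomain) + $DomainsToAdd) {
    Get-MsolFederationProperty -DomainName $d |
        Select-Object @{n='Domain';e={$d}}, Source, FederationServiceIdentifier
}
```

If the final listing shows the same FederationServiceIdentifier for two domains, one of them was federated without the switch and should be re-run through step 3 or step 4.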