Creating Multiple Domains in Office 365 and Establishing Federation with Access Manager

  1. Ensure that you meet Prerequisite for creating a domain.

  2. Create a new Office 365 domain and verify it. See Adding and Verifying a Domain for Office 365.

    NOTE: Office 365 does not support creating a child domain if the federation configuration for the parent domain has already been established by using PowerShell. Ensure that you add all child domains from the Office 365 admin center before establishing federation for the parent domain.

    For more information about establishing federation when there are multiple domains and a child domain, see Configuring Federation for Multiple Domains.

  3. According to the example used in the section Enabling Federation Settings in Office 365 Domain, we have an existing domain named namtest.com.

    To create a new domain named namnetiq.in, run the following commands in PowerShell, modifying them with your domain name as per your setup.

    1. Run $cred = Get-Credential. Enter your cloud service administrator account credentials.

    2. Run Connect-MsolService -Credential $cred

      For example, if the name of the domain is namnetiq.in and the Base URL of Identity Server is https://namnetiq.in/nidp/, run the following commands in PowerShell:

      NOTE:

      • In the following example, port is not mentioned as it uses 443. However, if you are using port 8443, specify the port in Base URL as follows:

        https://namnetiq.in:8443/nidp/

      • When you add additional domains to Office 365 using PowerShell commands, the variables $certData, $url, $ecpUrl, $logouturl, and $mex must contain the details provided for the existing domain. If you configure a new domain, change the values of $dom and $uri.

      1. $dom = "namnetiq.in"

      2. $url = "https://namtest.com/nidp/wsfed/ep"

      3. $ecpUrl = "https://namtest.com/nidp/wstrust/sts/active12"

      4. $uri = "https://namnetiq.in/nidp/wsfed/"

      5. $logouturl = "https://namtest.com/nidp/jsp/o365wsfedlogout.jsp"

      6. $mex = "https://namtest.com/nidp/wstrust/sts/mex"

      7. $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("name and path of the certificate")

        NOTE:

        • If the certificate has a .crt extension, ensure to convert it to .cer.

        • While executing this command, you must specify the path to the certificate within double quotes. For example: "C:\local\netiq-off365-sign.cer"

      8. $certData = [system.convert]::tobase64string($cert.rawdata)

    3. Use the following cmdlet to update the settings of the single sign-on domain:

      Set-MsolDomainAuthentication -FederationBrandName "federation brand name" -DomainName $dom -Authentication Federated -PassiveLogOnUri $url -SigningCertificate $certData -IssuerUri $uri -ActiveLogOnUri $ecpUrl -LogOffUri $logouturl -MetadataExchangeUri $mex

      To configure additional domains, follow the same steps. Ensure that the Issuer URI includes the UPN of the domain. For example, if you are configuring a domain named support.in, the Issuer URI will be https://support.in/nidp/wsfed/.

  4. Go to Devices > Identity Servers > Edit > Options and ensure that the value for STS OFFICE365 MULTI DOMAIN SUPPORT AUTO is configured as true. This property enables users to access Office 365 services using the Issuer URI specific to the domain they belong to.
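The PowerShell steps above assembled into one script, as an added example that is not part of the original documentation or of the Access Manager product. It uses the page's example values (namtest.com as the existing federated domain, namnetiq.in as the new one, the certificate path from the note) and adds the checks a practitioner would want before and after the Set-MsolDomainAuthentication call: the domain must already be verified in Office 365, the Issuer URI must contain the domain name, the signing certificate must not be expired, and the stored federation settings are read back and compared with what was submitted. The federation brand name "Access Manager" is an assumed value; the cmdlets Get-MsolDomain and Get-MsolDomainFederationSettings come from the same MSOnline module as Connect-MsolService.

```powershell
# Added example (not from the original documentation). Requires the MSOnline module
# and a cloud service administrator account. Values below are the page's examples;
# change $dom, $uri and $certPath to match your setup.

Import-Module MSOnline -ErrorAction Stop

$cred = Get-Credential
Connect-MsolService -Credential $cred

# Values that change for every additional domain.
$dom = "namnetiq.in"
$uri = "https://namnetiq.in/nidp/wsfed/"

# Identity Server endpoints of the existing federated domain (shared by all domains).
$url       = "https://namtest.com/nidp/wsfed/ep"
$ecpUrl    = "https://namtest.com/nidp/wstrust/sts/active12"
$logouturl = "https://namtest.com/nidp/jsp/o365wsfedlogout.jsp"
$mex       = "https://namtest.com/nidp/wstrust/sts/mex"

# Check 1: the domain must already be added and verified in Office 365.
$domain = Get-MsolDomain -DomainName $dom
if ($domain.Status -ne "Verified") {
    throw "Domain $dom is not verified in Office 365 (status: $($domain.Status)). Verify it in the admin center first."
}

# Check 2: the Issuer URI must include the domain name (the users' UPN suffix).
if (-not $uri.Contains("://$dom/")) {
    throw "Issuer URI $uri does not include the domain name $dom."
}

# Load the signing certificate (.cer) and refuse an expired one before sending it.
$certPath = "C:\local\netiq-off365-sign.cer"
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Signing certificate $($cert.Thumbprint) expired on $($cert.NotAfter)."
}
$certData = [System.Convert]::ToBase64String($cert.RawData)

# Federate the domain. "Access Manager" as the brand name is an assumed value.
Set-MsolDomainAuthentication -DomainName $dom -FederationBrandName "Access Manager" `
    -Authentication Federated -PassiveLogOnUri $url -SigningCertificate $certData `
    -IssuerUri $uri -ActiveLogOnUri $ecpUrl -LogOffUri $logouturl -MetadataExchangeUri $mex

# Check 3: read the settings back and confirm Office 365 stored what was submitted.
$settings = Get-MsolDomainFederationSettings -DomainName $dom
if ($settings.IssuerUri -ne $uri -or $settings.SigningCertificate -ne $certData) {
    throw "Federation settings stored for $dom do not match the submitted values."
}
Write-Host "Federation for $dom established; IssuerUri = $($settings.IssuerUri)"
```

Run the script once per additional domain, changing only $dom and $uri; the read-back check at the end catches a domain that was federated with the wrong Issuer URI or an old certificate, which would otherwise show up only as failed sign-ins for that domain's users.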