Federating a sub-domain in Office 365

 Written By: Ervin Barabas (O365 Support Engineer) 

 

So I set up a local environment with Active Directory, DirSync, TMG (with proxy chaining) and federated a sub-domain with the cloud. The last of these is the focus of this post.

The local environment consists of the following:

 

1. Domain controller (contoso.com) with 5 users

2. Sub-domain controller (cont.contoso.com) with 5 users

3. TMG (with proxy chaining)

4. DirSync

5. Client 1

6. Client 2

 

The plan was to have the sub-domain (cont.contoso.com) federated with the cloud and to keep using the domain (contoso.com) un-federated.

 

In order to federate a domain, you will first have to deploy and configure ADFS 2.0 and DirSync. After you have done this, you need to install the Microsoft Online Services Module for PowerShell. You will need these cmdlets to connect to your online account and to convert your domain to a federated domain (you can find the installer here: 32/64). I say convert, because I assume that you have already added your domain to Office 365. When you convert a domain, all of its users automatically become federated and will need to start logging in with their Active Directory credentials. Unfortunately this change cannot be rolled out in stages, so I advise you to do it during non-peak hours.

 

The problem encountered here was the following:

 

I had already added the vanity domain (contoso.com) to the cloud as well as the sub-domain (cont.contoso.com). When I ran the cmdlets to convert the sub-domain to a federated domain, I kept getting an error. Unfortunately I did not take a screenshot at that time and a repro would be too time consuming right now. Anyhow, the problem was that Office 365 does not allow you to federate a sub-domain if you also have the parent domain added in the cloud. If you federate a domain, all of its sub-domains inherit the federation. If you want to federate only the sub-domain, as in this case, you need to have only the sub-domain added to your tenant.

 

Very important: Before converting a standard domain to single sign-on, make sure that you have at least one global administrator in your Office 365 tenant set on the *.onmicrosoft.com domain. If you don't have one, create one right now. By having this backup administrator, you are sure you can still access your tenant, no matter what happens to your vanity domain.

 

To convert a sub-domain to an SSO domain, perform the following steps:

 

1. Open the Microsoft Online Services Module.

2. Run $cred=Get-Credential. When the cmdlet prompts you for credentials, type your Office 365 administration account credentials.

 

3. Run Connect-MsolService -Credential $cred. This cmdlet connects you to Office 365. Creating a context that connects you to Office 365 is required before running any of the additional cmdlets installed by the tool.

[Screenshot: PowerShell session running $cred=Get-Credential (prompting for the Credential parameter) followed by Connect-MsolService -Credential $cred]

 

4. Run Convert-MsolDomainToFederated -DomainName <domain>, where <domain> is the sub-domain to be converted (the cmdlet's parameter is -DomainName; pass the sub-domain name to it). This cmdlet changes the sub-domain from standard authentication to single sign-on.
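The four steps above, together with the two checks the post calls out (the parent domain must not be present in the tenant, and a backup global administrator must exist on the *.onmicrosoft.com domain), as one added PowerShell script. This is example code written for this post, not the author's own script; the domain names cont.contoso.com and contoso.com are the post's sample values, and it assumes the MSOnline module is loaded and the session runs on (or has been pointed at) the AD FS server.

```powershell
# Added example: pre-flight checks plus the sub-domain conversion using the
# MSOnline cmdlets from the Microsoft Online Services Module for PowerShell.
# Assumed values (from the post's lab): sub-domain cont.contoso.com, parent contoso.com.
$SubDomain    = 'cont.contoso.com'
$ParentDomain = 'contoso.com'

# Steps 2 and 3: authenticate and create the Office 365 context.
$cred = Get-Credential
Connect-MsolService -Credential $cred

# Check 1: the parent domain must not be in the tenant. Federation is inherited by
# sub-domains, so Office 365 refuses to federate only the sub-domain otherwise.
$domains = Get-MsolDomain
if ($domains | Where-Object { $_.Name -eq $ParentDomain }) {
    throw "Parent domain $ParentDomain is present in the tenant; remove it before converting $SubDomain."
}

# Check 2: the sub-domain must be added and verified, and not already federated.
$target = $domains | Where-Object { $_.Name -eq $SubDomain }
if (-not $target) { throw "$SubDomain is not added to the tenant." }
if ($target.Status -ne 'Verified') { throw "$SubDomain is not verified (status: $($target.Status))." }
if ($target.Authentication -eq 'Federated') {
    Write-Host "$SubDomain is already federated; nothing to do."
    return
}

# Check 3: keep a break-glass global administrator on the *.onmicrosoft.com domain so the
# tenant stays reachable if federation for the vanity domain breaks.
# 'Company Administrator' is the MSOnline name of the Global Administrator role.
$gaRole   = Get-MsolRole -RoleName 'Company Administrator'
$backupGA = Get-MsolRoleMember -RoleObjectId $gaRole.ObjectId |
            Where-Object { $_.EmailAddress -like '*.onmicrosoft.com' }
if (-not $backupGA) {
    throw 'No global administrator on the .onmicrosoft.com domain; create one before converting.'
}

# If this session is not on the AD FS server itself, point the module at it first
# (assumed AD FS host name; replace with your own):
# Set-MsolADFSContext -Computer 'adfs.cont.contoso.com'

# Step 4: convert the sub-domain from standard (managed) authentication to single sign-on.
# All users of the sub-domain become federated at once, so run this outside peak hours.
Convert-MsolDomainToFederated -DomainName $SubDomain

# Verify: the domain now reports Authentication = Federated, and the AD FS and
# Office 365 federation settings agree with each other.
Get-MsolDomain -DomainName $SubDomain | Select-Object Name, Status, Authentication
Get-MsolFederationProperty -DomainName $SubDomain
```

The checks deliberately run before Convert-MsolDomainToFederated rather than after: once the cmdlet succeeds, every user in the sub-domain is redirected to AD FS for sign-in, so a missing .onmicrosoft.com administrator or a broken AD FS trust is discovered at the worst possible moment. Get-MsolFederationProperty at the end compares what AD FS and Office 365 each hold for the domain, which is the quickest way to spot a mismatch after the conversion.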

 

…and make sure you have an active internet connection on the ADFS server. Without this, you will get an error in the MOSDAL report stating that the login token is not valid:

 

The AD FS token received is not valid until: 17/07/2012 16:47:41.

 

This is just one of the problems encountered while deploying a federated domain. I will post more on ADFS and SSO in the near future.