Federate multiple instances of Microsoft Entra ID with single instance of AD FS
A single high available AD FS farm can federate multiple forests if they have 2-way trust between them. These multiple forests may or may not correspond to the same Microsoft Entra ID. This article provides instructions on how to configure federation between a single AD FS deployment and multiple instances of Microsoft Entra ID.
Note
Device writeback and automatic device join are not supported in this scenario.
Note
Microsoft Entra Connect cannot be used to configure federation in this scenario as Microsoft Entra Connect can configure federation for domains in a single Microsoft Entra ID.
Steps for federating AD FS with multiple Microsoft Entra ID
Consider a domain contoso.com in Microsoft Entra contoso.partner.onmschina.cn is already federated with the AD FS on-premises installed in contoso.com on-premises Active Directory environment. Fabrikam.com is a domain in fabrikam.partner.onmschina.cn Microsoft Entra ID.
Step 1: Establish a two-way trust
For AD FS in contoso.com to be able to authenticate users in fabrikam.com, a two-way trust is needed between contoso.com and fabrikam.com. Follow the guideline in this article to create the two-way trust.
Step 2: Modify contoso.com federation settings
The default issuer set for a single domain federated to AD FS is "http://ADFSServiceFQDN/adfs/services/trust", for example, http://fs.contoso.com/adfs/services/trust
. Microsoft Entra ID requires unique issuer for each federated domain. Because AD FS is going to federate two domains, the issuer value needs to be modified so that it is unique.
Note
Azure AD Powershell is planned for deprecation on March 30, 2024. To learn more, read the deprecation update.
We recommend migrating to Microsoft Graph PowerShell to interact with Microsoft Entra ID (formerly Azure AD). Microsoft Graph PowerShell allows access to all Microsoft Graph APIs and is available on PowerShell 7. For answers to common migration queries, see the Migration FAQ.
On the AD FS server, open Azure AD PowerShell (ensure that the MSOnline module is installed) and do the following steps:
Connect to the Microsoft Entra ID that contains the domain contoso.com
.
Connect-MsolService -AzureEnvironment AzureChinaCloud
Update the federation settings for contoso.com
:
Update-MsolFederatedDomain -DomainName contoso.com -SupportMultipleDomain
Issuer in the domain federation setting will be changed to http://contoso.com/adfs/services/trust
and an issuance claim rule will be added for the Microsoft Entra ID Relying Party Trust to issue the correct issuerId value based on the UPN suffix.
Step 3: Federate fabrikam.com with AD FS
In Azure AD PowerShell session perform the following steps: Connect to Microsoft Entra ID that contains the domain fabrikam.com
Connect-MsolService -AzureEnvironment AzureChinaCloud
Convert the fabrikam.com managed domain to federated:
Convert-MsolDomainToFederated -DomainName fabrikam.com -Verbose -SupportMultipleDomain
The above operation will federate the domain fabrikam.com with the same AD FS. You can verify the domain settings by using Get-MsolDomainFederationSettings for both domains.