{
	"id": "a43dccb0-bc12-44fb-8e1b-d0f05328dd41",
	"created_at": "2026-04-06T00:13:12.778005Z",
	"updated_at": "2026-04-10T03:21:06.860876Z",
	"deleted_at": null,
	"sha1_hash": "c81d0ffd99da24a4e0240640c1d42dfb6061a9c0",
	"title": "Update or repair settings of a federated domain in Microsoft 365, Azure, or Intune - Microsoft 365 Admin",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 64728,
	"plain_text": "Update or repair settings of a federated domain in Microsoft 365,\r\nAzure, or Intune - Microsoft 365 Admin\r\nBy Cloud-Writer\r\nArchived: 2026-04-05 18:11:54 UTC\r\nIntroduction\r\nSingle sign-on (SSO) in a Microsoft cloud service such as Microsoft 365, Microsoft Azure, or Microsoft Intune\r\ndepends on an on-premises deployment of Active Directory Federation Services (AD FS) that functions correctly.\r\nSeveral scenarios require rebuilding the configuration of the federated domain in AD FS to correct technical\r\nproblems. This article contains step-by-step guidance on how to update or to repair the configuration of the\r\nfederated domain.\r\nMore information\r\nHow to update the configuration of the federated domain\r\nThe configuration of the federated domain has to be updated in the scenarios that are described in the following\r\nMicrosoft Knowledge Base articles.\r\n2713898 \"There was a problem accessing the site\" error from AD FS when a federated user signs in to\r\nMicrosoft 365, Azure, or Intune\r\n2535191 \"Sorry, but we're having trouble signing you in\" and \"80048163\" error when a federated user\r\ntries to sign in to Microsoft 365, Azure, or Intune\r\n2647020 \"Sorry, but we're having trouble signing you in\" and \"80041317\" or \"80043431\" error when a\r\nfederated user tries to sign in to Microsoft 365, Azure, or Intune\r\nNote\r\nAzure AD and MSOnline PowerShell modules are deprecated as of March 30, 2024. To learn more, read the\r\ndeprecation update. After this date, support for these modules is limited to migration assistance to Microsoft\r\nGraph PowerShell SDK and security fixes. The deprecated modules will continue to function through March 30,\r\n2025.\r\nWe recommend migrating to Microsoft Graph PowerShell to interact with Microsoft Entra ID (formerly Azure\r\nAD). For common migration questions, refer to the Migration FAQ. 
Note: Versions 1.0.x of MSOnline may\r\nexperience disruption after June 30, 2024.\r\nhttps://docs.microsoft.com/en-us/office365/troubleshoot/active-directory/update-federated-domain-office-365\r\nPage 1 of 4\n\nTo update the configuration of the federated domain on a domain-joined computer that has Azure Active Directory\r\nmodule for Windows PowerShell installed, follow these steps:\r\n1. Click Start, click All Programs, click Windows Azure Active Directory, and then click Windows Azure\r\nActive Directory module for Windows PowerShell.\r\n2. At the command prompt, type the following commands, and press Enter after each command:\r\n$cred = get-credential\r\nNote\r\nWhen you're prompted, enter your cloud service administrator credentials.\r\nConnect-MSOLService –credential:$cred\r\nSet-MSOLADFSContext –Computer: \u003cAD FS 2.0 ServerName\u003e\r\nNote\r\nIn this command, the placeholder \u003cAD FS 2.0 Server Name\u003e represents the Windows host name of the\r\nprimary AD FS server.\r\nUpdate-MSOLFederatedDomain –DomainName: \u003cFederated Domain Name\u003e\r\nor\r\nUpdate-MSOLFederatedDomain –DomainName: \u003cFederated Domain Name\u003e –supportmultipledomain\r\nNote\r\nUsing the –supportmultipledomain switch is required when multiple top-level domains are federated\r\nby using the same AD FS federation service.\r\nIn these commands, the placeholder \u003cFederated Domain Name\u003e represents the name of the\r\ndomain that is already federated.\r\nImportant\r\nA script is available to automate the update of federation metadata regularly to make sure that changes to the AD\r\nFS token signing certificate are replicated correctly.\r\nThe script creates a Windows scheduled task on the primary AD FS server to make sure that changes to the AD FS\r\nconfiguration such as trust info, signing certificate updates, and so on are propagated regularly to the Microsoft\r\nEntra 
ID.\r\nIf the token-signing certificate is automatically renewed in an environment where the script is implemented, the\r\nscript will update the cloud trust info to prevent downtime that is caused by out-of-date cloud certificate info.\r\nHow to repair the configuration of the federated domain\r\nThe configuration of the federated domain has to be repaired in the scenarios that are described in the following\r\nMicrosoft Knowledge Base articles.\r\n2523494 You receive a certificate warning from AD FS when you try to sign in to Microsoft 365, Azure, or\r\nIntune\r\n2618887 \"Federation service identifier specified in the AD FS 2.0 server is already in use.\" error when you\r\ntry to set up another federated domain in Microsoft 365, Azure, or Intune\r\n2713898 \"There was a problem accessing the site\" error from AD FS when a federated user signs in to\r\nMicrosoft 365, Azure, or Intune\r\n2647020 \"Your organization could not sign you in to this service\" error and \"80041317\" or \"80043431\"\r\nerror code when a federated user tries to sign in to Microsoft 365\r\nThe Federation Service name in AD FS is changed.\r\nTo repair the federated domain configuration on a domain-joined computer that has Azure Active Directory\r\nmodule for Windows PowerShell installed, follow these steps.\r\nWarning\r\nThe following procedure removes any customizations that are created by limiting access to Microsoft 365\r\nservices by using the location of the client. After the configuration of the federated domain is repaired, you\r\nmay have to reconfigure limited AD FS access.\r\nThe following steps should be planned carefully. Users for whom the SSO functionality is enabled in the\r\nfederated domain will be unable to authenticate during this operation from the completion of step 4 until\r\nthe completion of step 5. 
If the update-MSOLFederatedDomain cmdlet test in step 1 is not completed\r\nsuccessfully, step 5 will not finish correctly. Federated users will be unable to authenticate until the update-MSOLFederatedDomain cmdlet can be run successfully.\r\n1. Run the steps in the \"How to update the configuration of the federated domain\" section earlier in this article to\r\nmake sure that the update-MSOLFederatedDomain cmdlet finished successfully.\r\nIf the cmdlet did not finish successfully, do not continue with this procedure. Instead, see the\r\n\"Known issues that you may encounter when you update or repair a federated domain\" section later\r\nin this article to troubleshoot the issue.\r\nIf the cmdlet finishes successfully, leave the Command Prompt window open for later use.\r\n2. Log on to the AD FS server. To do this, click Start, point to All Programs, point to Administrative Tools,\r\nand then click AD FS (2.0) Management.\r\n3. In the left navigation pane, click AD FS (2.0), click Trust Relationships, and then click Relying Party\r\nTrusts.\r\n4. In the rightmost pane, delete the Microsoft Office 365 Identity Platform entry.\r\n5. In the Windows PowerShell window that you opened in step 1, re-create the deleted trust object. 
To do this,\r\nrun the following command, and then press Enter:\r\nUpdate-MSOLFederatedDomain -DomainName \u003cFederated Domain Name\u003e\r\nor\r\nUpdate-MSOLFederatedDomain –DomainName:\u003cFederated Domain Name\u003e –supportmultipledomain\r\nNote\r\nUsing the –supportmultipledomain switch is required when multiple top-level domains are federated\r\nby using the same AD FS federation service.\r\nIn these commands, the placeholder \u003cFederated Domain Name\u003e represents the name of the\r\ndomain that is already federated.\r\nKnown issues that you may encounter when you update or repair a federated domain\r\nThe following scenarios cause problems when you update or repair a federated domain:\r\nYou can't connect by using Windows PowerShell. For more info about this issue, see the following\r\nMicrosoft Knowledge Base article:\r\n2494043 You cannot connect by using the Azure Active Directory module for Windows PowerShell\r\nThe Azure Active Directory module for Windows PowerShell can't load because of missing prerequisites.\r\nFor more info, see the following Microsoft Knowledge Base article:\r\n2461873 You can't open the Azure Active Directory module for Windows PowerShell\r\nYou get an \"Access Denied\" error message when you try to run the set-MSOLADFSContext cmdlet. For\r\nmore info, see the following Microsoft Knowledge Base article:\r\n2587730 \"The connection to \u003cServerName\u003e Active Directory Federation Services 2.0 server failed\" error\r\nwhen you use the Set-MsolADFSContext cmdlet\r\nStill need help? Go to Microsoft Community or the Microsoft Entra Forums website.\r\nSource: https://docs.microsoft.com/en-us/office365/troubleshoot/active-directory/update-federated-domain-office-365",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://docs.microsoft.com/en-us/office365/troubleshoot/active-directory/update-federated-domain-office-365"
	],
	"report_names": [
		"update-federated-domain-office-365"
	],
	"threat_actors": [],
	"ts_created_at": 1775434392,
	"ts_updated_at": 1775791266,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c81d0ffd99da24a4e0240640c1d42dfb6061a9c0.pdf",
		"text": "https://archive.orkl.eu/c81d0ffd99da24a4e0240640c1d42dfb6061a9c0.txt",
		"img": "https://archive.orkl.eu/c81d0ffd99da24a4e0240640c1d42dfb6061a9c0.jpg"
	}
}