Adding Additional Azure AD Domain to AD FS with Azure AD Connect

As time continues to drag on, companies may add domains that they wish to federate with the same tenant. This situation comes up quite frequently in my business, so I figure it makes good content for a post. This is going to be a pretty short and quick one, so I am going to assume that your new domain is already added to the O365 tenant and as a UPN suffix in AD.

As you can likely tell by now, I do a lot of work with hybrid environments using Azure AD Connect.  That being said, we’ll start today by opening Azure AD Connect and selecting the “Add an additional Azure AD domain” from the options presented.

The rest is pretty simple. Throw in your O365 Global Admin creds, then your Domain Admin creds, and select the domain you wish to add. It’ll take a second and voilà, you are 50% done.

Now open up your AD FS Management console on your AD FS server.  Expand Trust Relationships, select Relying Party Trusts, right click Microsoft Office 365 Identity Platform, and select Edit Claim Rules.

Under Issuance Transform Rules, select the rule named “Issue issuerid when it is not a computer account” and select the Edit Rule option.

In the Custom rule section you will see something similar to the following:

Find your domain section, and simply follow the convention to add an additional domain (domain3 in the following example):

Click your way out and you are all set!  Do note that if you do not add the domain to the rule as described above, users will receive an error similar to:

AADSTS50107: Requested federation realm object ‘user@domain.com’ does not exist.
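To make the rule edit above and the AADSTS50107 error concrete, here is an added example (my own code, not part of the original post or of Azure AD Connect) that emulates the claim rule's regexreplace() the way .NET Regex.Replace behaves: when no domain in the pattern matches, the UPN comes back unchanged as the issuerid, which lines up with the realm shown in the error. The rule shape (an alternation of escaped domains inside a (?<domain>...) group) and the domain names are assumptions; compare against the actual rule on your AD FS server.

```python
import re

# Constructed stand-in for the Azure AD Connect-generated issuerid rule.
# Assumption: the real rule on your AD FS server has the same shape (an
# alternation of escaped domains inside a (?<domain>...) group); check it
# with Get-AdfsRelyingPartyTrust before relying on this.
ISSUER_PATTERN = r"^.*@(?<domain>domain1\.com|domain2\.com)$"
ISSUER_REPLACEMENT = "http://${domain}/adfs/services/trust/"


def regexreplace(value: str, pattern: str, replacement: str) -> str:
    """Emulate the AD FS claim-rule regexreplace() function (.NET Regex.Replace).

    .NET writes named groups as (?<name>...) and references them as ${name};
    Python uses (?P<name>...) and \\g<name>, so translate before re.sub.
    As in .NET, an input that does not match is returned unchanged.
    """
    py_pattern = re.sub(r"\(\?<(\w+)>", r"(?P<\1>", pattern)
    py_replacement = re.sub(r"\$\{(\w+)\}", r"\\g<\1>", replacement)
    return re.sub(py_pattern, py_replacement, value)


def issuerid_for(upn: str, pattern: str = ISSUER_PATTERN) -> str:
    """Return the issuerid claim value the rule would issue for this UPN."""
    return regexreplace(upn, pattern, ISSUER_REPLACEMENT)


def add_domain(pattern: str, new_domain: str) -> str:
    """Append new_domain to the alternation inside the (?<domain>...) group,
    escaping the dots the same way the generated rule does."""
    escaped = re.escape(new_domain)
    return re.sub(r"\(\?<domain>([^)]*)\)",
                  lambda m: f"(?<domain>{m.group(1)}|{escaped})", pattern)


if __name__ == "__main__":
    # Constructed sample UPNs, not real accounts.
    for upn in ("alice@domain1.com", "bob@domain3.com"):
        print(f"{upn} -> {issuerid_for(upn)}")
    extended = add_domain(ISSUER_PATTERN, "domain3.com")
    print(extended)
    print(f"bob@domain3.com -> {issuerid_for('bob@domain3.com', extended)}")
```

A UPN whose suffix is missing from the alternation yields an issuerid equal to the bare UPN rather than an AD FS issuer URI, so Azure AD has no federated realm to look up; after add_domain() the same UPN maps to the expected trust endpoint.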