-Hybrid Azure tenant -FortiAuthenticator MFA (SAML through a federated domain in Azure, not in AD)
My MFA broke the other day when I was setting up a new configuration. The UI informed me that our current cert for our federated domain is out of date, and since I had made changes, it would not allow me to save without a valid cert. I found the new cert and changed it in FortiAuthenticator. Then I went to change it for our federated domain and ran the following PowerShell cmdlets:
Get-MsolDomainFederationSettings
-This showed me the old certificate was definitely still in use and showed my federated domain.
Set-MsolDomainFederationSettings
-Added the new cert and all domain information, no error.
Confirm-MsolDomain
-Error: "Unable to verify this domain because it is used elsewhere in Office 365. Remove the verified domain from the other service before adding it here."
Get-MsolDomainFederationSettings
-Old cert still in place despite Set-MsolDomainFederationSettings giving no error.
Our domain (i.e. contoso.com) is federated and verified in our tenant. However, when our tenant was created, they set it up under a different name (i.e. contosoonline.onmicrosoft.com). I am new to the company, but previously users were given carte blanche to do what they wanted. It seems like someone maybe made a tenant with the federated domain (i.e. contoso.onmicrosoft.com). I tried the Power BI trial trick to get the "rogue tenant" (https://learn.microsoft.com/en-us/entra/identity/users/domains-admin-takeover), but it never gave me access and only assigned me back to our current tenant. So now I need to update the certificate at the very least, but also reclaim the tenant. I'm currently sitting on hold for 3 hours with Microsoft support waiting for any assistance, but I'm hoping someone else might have an idea to help me.
Also, I would like to move our MFA off this and onto an Enterprise App (whoever set this up as federated is on my list), but I can't at this time without breaking everyone.
And we do NOT have ADFS.
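Added example, not from the original post: a PowerShell check around the same MSOnline cmdlets that decodes the signing certificate the tenant actually holds, compares its thumbprint with the new FortiAuthenticator certificate, and reads the settings back after Set-MsolDomainFederationSettings so a silent no-op like the one described above is caught instead of discovered when logins fail. It assumes Connect-MsolService has already been run and that the new cert was exported as a .cer file; the -Domain, -NewCertPath and -Apply parameters are my own.

```powershell
# Assumed: Connect-MsolService already done. -Domain is the federated domain,
# -NewCertPath the new signing cert exported from FortiAuthenticator (.cer).
# Without -Apply the script only reports; nothing in the tenant is changed.
param(
    [Parameter(Mandatory)][string]$Domain,
    [Parameter(Mandatory)][string]$NewCertPath,
    [switch]$Apply
)

function ConvertFrom-FederationCert ([string]$Base64) {
    # Get-MsolDomainFederationSettings returns SigningCertificate as base64 DER;
    # decode it so subject, thumbprint and expiry can be inspected.
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        [Convert]::FromBase64String($Base64))
}

function Get-TenantSigningCert ([string]$DomainName) {
    ConvertFrom-FederationCert (Get-MsolDomainFederationSettings -DomainName $DomainName).SigningCertificate
}

$new = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($NewCertPath)
$cur = Get-TenantSigningCert $Domain

"Tenant currently trusts: {0} thumbprint {1} expires {2:u}" -f $cur.Subject, $cur.Thumbprint, $cur.NotAfter
"New certificate:         {0} thumbprint {1} expires {2:u}" -f $new.Subject, $new.Thumbprint, $new.NotAfter
if ($cur.NotAfter -lt (Get-Date)) { Write-Warning "Certificate the tenant trusts has already expired." }

if ($cur.Thumbprint -eq $new.Thumbprint) {
    "Tenant already holds the new certificate; nothing to do."
    return
}

if ($Apply) {
    # Rotate only the signing certificate; the other federation settings are left untouched.
    Set-MsolDomainFederationSettings -DomainName $Domain `
        -SigningCertificate ([Convert]::ToBase64String($new.RawData))

    # Read back rather than trusting the lack of an error from Set-.
    $after = Get-TenantSigningCert $Domain
    if ($after.Thumbprint -ne $new.Thumbprint) {
        Write-Warning ("Set-MsolDomainFederationSettings returned without error, but the tenant " +
                       "still reports thumbprint $($after.Thumbprint). The rotation did not take effect.")
    } else {
        "Rotation confirmed: tenant now reports thumbprint $($after.Thumbprint)."
    }
}
```

Run it once without -Apply first; the report alone tells you whether the tenant and FortiAuthenticator disagree before anything is changed.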