New-MgDomainFederationConfiguration is failing with 409

Ladislav Čapka 0 Reputation points
2024-12-12T10:20:25.3433333+00:00

It seems that New-MgDomainFederationConfiguration is broken. We need to set federation for a domain which is what this command used to work in past.

Now. We registered a new Entra, registered a new domain and set all the verification things. We added the domain to the Entra and finally we need to set it as federated to be able to use our sign-on IdP.

We are using following commands:

Connect-MgGraph `
 -Scopes 'Directory.ReadWrite.All Domain.ReadWrite.All Directory.AccessAsUser.All' `
-TenantId $tenant_id
New-MgDomainFederationConfiguration `
 -DomainId REDACTED `
 -ActiveSignInUri "https://REDACTED/saml/v2/SSO" `
 -DisplayName "REDACTED" `
 -IssuerUri "https://REDACTED/saml/v2/metadata" `
 -MetadataExchangeUri "https://REDACTED/saml/v2/metadata" `
 -PassiveSignInUri "https://REDACTED/saml/v2/SSO" `
 -SignOutUri "https://REDACTED/saml/v2/SLO" `
 -SigningCertificate "REDACTED" `
 -FederatedIdpMfaBehavior "rejectMfaByFederatedIdp" `
 -PreferredAuthenticationProtocol "saml" | Format-List

When we check the status of the domain it looks good. Domain is verified, in MANAGED so NOT FEDERATED. All looks good here.

image

But no. Microsoft magically decides that 'Resource already exists'. See below. We tried to delete the domain from Entra at all, resign-in to Microsoft Graph API, readd domain and verify it again against DNS but the result is always the same. Moreover, Microsoft then returns that the domain is federated! But in another command it says it is actually not.

Screenshot 2024-12-12 at 11.10.11

At this point it's impossible to run Remove-MgDomainFederationConfiguration because this command needs InternalFederationId yet this value can't be gathered because Get-MgDomainFederationConfiguration returns the error. So the only option is to deleted whole domain from Entra. We tried to delete everything but no luck here. What the hell? Is there any voodoo wizard who could unspell this black magic craziness?

Thank you.

New-MgDomainFederationConfiguration_CreateExpanded: Resource already exists.
Status: 409 (Conflict)
ErrorCode: Request_MultipleObjectsWithSameKeyValue
Date: 2024-12-12T09:58:54
Headers:
Cache-Control                 : no-cache
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : a3068c87-1f8d-4af1-9088-164f8d45674f
client-request-id             : f6859ef4-c990-47ca-8f38-6b3794a44cfa
x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"Germany West Central","Slice":"E","Ring":"4","ScaleUnit":"000","RoleInstance":"FR1PEPF0000107E"}}
x-ms-resource-unit            : 1
Date                          : Thu, 12 Dec 2024 09:58:54 GMT
Active Directory Federation Services
Active Directory Federation Services
An Active Directory technology that provides single-sign-on functionality by securely sharing digital identity and entitlement rights across security and enterprise boundaries.
1,282 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,649 questions
{count} votes

2 answers

Sort by: Most helpful
  1. Raja Pothuraju 10,040 Reputation points Microsoft Vendor
    2024-12-17T02:46:51.92+00:00

    Hello @Ladislav Čapka,

    Thank you for posting your query on Microsoft Q&A.

    Based on your description, it seems you are trying to federate your domain with Google IDP by running a PowerShell command. I hope you are referring to the following documents:

    Configure Microsoft Entra ID as a Service Provider (SP) for Google Workspace

    Set up single sign-on (SSO) between Google Workspace and Office

    Regarding the error: New-MgDomainFederationConfiguration_CreateExpanded: Resource already exists. Status: 409 (Conflict) ErrorCode: Request_MultipleObjectsWithSameKeyValue,

    The error Request_MultipleObjectsWithSameKeyValue typically indicates that the IssuerURI provided in the command is already in use, either in another domain within your tenant or in a different tenant. IssuerURIs must be globally unique.

    The IssuerID is the identifier set by the Identity Provider (Google in this case) in the token passed to Entra. Entra uses this IssuerID to locate the tenant-domain and retrieve the signing certificates required for signature validation. To address this, you will need to modify the Identity Provider's configuration to issue a custom IssuerID. Check with Google to generate a custom IssuerID. After making this adjustment to the IssuerURI, you should be able to proceed with the federation.

    If your domain status is currently set to Federated, you can convert it to Managed using the following PowerShell commands:

    Connect-MGGraph -Scopes "Domain.ReadWrite.All", "Directory.AccessAsUser.All"
    Update-MgDomain -DomainId <domain name> -AuthenticationType "Managed"
    Get-MgDomain -DomainId yourdomain.com
    

    For detailed steps, refer to this document: Migrate from Federation to Cloud Authentication.

    Once the domain is in a Managed state, re-run the PowerShell command with a unique IssuerID and monitor the results. If the issue persists or you encounter additional errors, feel free to share the details for further assistance.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Thanks,
    Raja Pothuraju.


  2. Ed Englefield 0 Reputation points
    2024-12-23T16:01:42.57+00:00

    We had the same issue. Microsoft support had no idea what was going on, but the issue results from:

    1. A bug in the Microsoft Graph API which marks a domain as federated prior to a federation configuration being made. When the configuration is invalid when the underlying internal API call is made, there is no failsafe. This makes it impossible for the Graph API to ever update, delete or
    2. Entra ID federation identifies a configuration by the entityID. With Google Workspace, this is always the same, as it's linked to your tenant.

    Because of this, you may find your config worked for one domain, but running it again resulted in this 409 error:

    New-MgDomainFederationConfiguration_CreateExpanded: Resource already exists.
    
    Status: 409 (Conflict)
    ErrorCode: Request_MultipleObjectsWithSameKeyValue
    Date: 2024-12-23T15:13:51
    
    

    If you cannot use Update-MgDomain -DomainId <domain name> -AuthenticationType "Managed" to reset the configuration (due to the bug in the Graph API), use Windows Powershell (not Powershell core) and run:

    Install-Module MSOnline
    Connect-MsolService
    Set-MsolDomainAuthentication -DomainName <domain> -Authentication Managed
    
    

    To fix the issue:
    Open your SAML configuration XML file and find every URL. Change the last part of the string for each subsequent domain: &#038;a
    For Google Workspace, it might look like this:

    https://accounts.google.com/o/saml2?idpid=xxxxxxxx
    

    Then, append &a to the end, like this (or any string you like)

    https://accounts.google.com/o/saml2?idpid=xxxxxxxx&#038;a
    

    This will resolve the duplication issue, and you'll be able to create the configuration.

    Hope this helped.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.