MS365 Connector SSO Powershell Script does not succed

Hi Forum, hi Univention Team,

I try to configure the UCS MS365 Connector. The last step, the execution of the SAML configurationscript for powershell does not succed.

The error message is:

Asking for Azure Administator credentials
Set-MsolDomainAuthentication : Unable to complete this action. Try again later.
In Zeile:1 Zeichen:103
+ ... on Managed; Set-MsolDomainAuthentication -DomainName - ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [Set-MsolDomainAuthentication], MicrosoftOnlineException
    + FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.InternalServiceException,Microsoft.Online.Adm

I have testet the connector succesfully before on the same UCS-Server, with a different (Test-)MS-tenant.

Could it be, that leftovers of the test are blocking something? I have deleted the test-Azure App in the test-MS-tenant, and to be sure i have now used a completely different DNS Domain, but no success.

The following things are already checked:

  • The DNS-domain is not the default domain for the MS-tenant
  • Powershell and .NET are OK
  • The MS-Account i use has the global-admin role in MS.
  • UCS SSO URL is reachable for the Windows-Client and TLS/SSL is Trusted.
  • Waited 24 hours (as the error message says “Try later…”)

Anyone any ideas?
Greetings from Gießen,

Hey Gerd,

But it takes 30 days at Microsoft side to delete the entry, if I understood this article correctly:
How to: Restore or remove a recently deleted application with the Microsoft identity platform - Microsoft Entra | Microsoft Learn

The trick is to modify the “IssuerUri”, see
powershell - O365 Federation Setup - Set-MsolDomainAuthentication - "Unable to complete action. Try again later" message - Stack Overflow



Hi Andreas,
thanks for your help. It seems as if that is my exact problem.
Can your give me a hint how to change that URI?
In the PS Script i have found

-IssuerUri "https://ucs-sso.mylocaldom.local/simplesamlphp/saml2/idp/metadata.php"

But if change it there i bet i will have to make the “new” uri work somehow in UCS.
Yours, Gerd

Its best, to fix that at the Azure end: Maybe you could change/remove/delete that Uri in the old “test-Azure App” (its an instant change) or permanently delete the App following the link from above (and wait for next cleanup in azure cloud)

I wasn’t very clear in my last post, sorry for that.

Thanks You very much!!
It working now. As you said, all i had to do was to remove all previously created azure “apps” from MS-Trashbin for apps.
Have a nice weekend!