MS365 Connector SSO PowerShell Script does not succeed

Hi Forum, hi Univention Team,

I am trying to configure the UCS MS365 Connector. The last step, the execution of the SAML configuration script for PowerShell, does not succeed.

The error message is:

Asking for Azure Administator credentials
Set-MsolDomainAuthentication : Unable to complete this action. Try again later.
In Zeile:1 Zeichen:103
+ ... on Managed; Set-MsolDomainAuthentication -DomainName mein-verifizierter-dom-name.de - ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [Set-MsolDomainAuthentication], MicrosoftOnlineException
    + FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.InternalServiceException,Microsoft.Online.Adm
   inistration.Automation.SetDomainAuthentication

I have tested the connector successfully before on the same UCS server, with a different (test) MS tenant.

Could it be that leftovers of the test are blocking something? I have deleted the test Azure app in the test MS tenant, and to be sure I have now used a completely different DNS domain, but no success.

The following things are already checked:

  • The DNS domain is not the default domain for the MS tenant
  • PowerShell and .NET are OK
  • The MS account I use has the global admin role in MS.
  • The UCS SSO URL is reachable for the Windows client and TLS/SSL is trusted.
  • Waited 24 hours (as the error message says “Try later…”)

Anyone any ideas?
Greetings from Gießen,
Gerd

Hey Gerd,

But it takes 30 days at Microsoft side to delete the entry, if I understood this article correctly:
How to: Restore or remove a recently deleted application with the Microsoft identity platform - Microsoft Entra | Microsoft Learn

The trick is to modify the “IssuerUri”, see
powershell - O365 Federation Setup - Set-MsolDomainAuthentication - "Unable to complete action. Try again later" message - Stack Overflow

HTH

Greeting
Andreas

Hi Andreas,
thanks for your help. It seems as if that is my exact problem.
Can you give me a hint how to change that URI?
In the PS script I have found

-IssuerUri "https://ucs-sso.mylocaldom.local/simplesamlphp/saml2/idp/metadata.php"

But if I change it there, I bet I will have to make the “new” URI work somehow in UCS.
Yours, Gerd

It's best to fix that at the Azure end: maybe you could change/remove/delete that URI in the old “test Azure app” (it's an instant change) or permanently delete the app following the link from above (and wait for the next cleanup in the Azure cloud).

I wasn’t very clear in my last post, sorry for that.
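The two causes named above (an IssuerUri still claimed by a soft-deleted app, and apps sitting in the 30-day recycle bin) can be checked from PowerShell before the connector script is run again. The script below is an added example, not the Univention connector script or anything posted in this thread. It assumes the MSOnline module (the one `Set-MsolDomainAuthentication` comes from) and the Microsoft.Graph PowerShell SDK are installed, and the IssuerUri default is a placeholder copied from the post above.

```powershell
# Added example (not part of the forum thread or the UCS connector script).
# Checks a tenant for the two conditions discussed in the thread that make
# "Set-MsolDomainAuthentication : Unable to complete this action" appear:
#   1. another domain in the tenant already federated with the same IssuerUri
#   2. soft-deleted Azure applications still in the 30-day recycle bin
# Assumptions: MSOnline module (Connect-MsolService) and Microsoft.Graph
# module (Connect-MgGraph) are installed; -IssuerUri is a placeholder value.

param(
    [string]$IssuerUri = "https://ucs-sso.mylocaldom.local/simplesamlphp/saml2/idp/metadata.php"
)

function Find-IssuerUriConflict {
    param([string]$Uri)
    # Walk every federated domain and read its federation settings;
    # return the domains whose IssuerUri equals the one we intend to use.
    Get-MsolDomain |
        Where-Object { $_.Authentication -eq 'Federated' } |
        ForEach-Object {
            $settings = Get-MsolDomainFederationSettings -DomainName $_.Name
            [pscustomobject]@{
                Domain    = $_.Name
                IssuerUri = $settings.IssuerUri
            }
        } |
        Where-Object { $_.IssuerUri -eq $Uri }
}

function Get-SoftDeletedApp {
    # Applications in the recycle bin keep their identifiers until the
    # 30-day retention expires or they are removed permanently.
    Get-MgDirectoryDeletedItemAsApplication -All |
        Select-Object DisplayName, AppId, Id, DeletedDateTime
}

Connect-MsolService
$conflicts = Find-IssuerUriConflict -Uri $IssuerUri
if ($conflicts) {
    Write-Warning "IssuerUri '$IssuerUri' is already used by a federated domain:"
    $conflicts | Format-Table -AutoSize
} else {
    Write-Host "No federated domain in this tenant uses IssuerUri '$IssuerUri'."
}

# Application.Read.All is enough to list; ReadWrite is needed to purge.
Connect-MgGraph -Scopes 'Application.ReadWrite.All'
$deleted = Get-SoftDeletedApp
if ($deleted) {
    Write-Host "Soft-deleted applications still in the recycle bin:"
    $deleted | Format-Table -AutoSize
    # Permanent removal is irreversible; run it only for the old test app,
    # supplying its object Id (placeholder below):
    # Remove-MgDirectoryDeletedItem -DirectoryObjectId '<object-id-of-old-test-app>'
} else {
    Write-Host "No soft-deleted applications found."
}
```

Run it as the global admin before re-running the connector's SAML script; an empty conflict list and an empty recycle bin mean neither of the causes discussed in this thread is in play, and the "Try again later" message then points at something else.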

Thank you very much!!
It's working now. As you said, all I had to do was to remove all previously created Azure “apps” from the MS trash bin for apps.
Have a nice weekend!
Gerd
