Problem: Powershell m365 saml script not always working anymore

Problem:

The PowerShell M365 SAML script provided by our Keycloak migration guide is not always working anymore.
Possible error messages are:
"You do not have permissions to call this cmdlet".

OR
Set-MsolDomainAuthentication : Unable to complete this action. Try again later.
In Zeile:1 Zeichen:103
+ ... on Managed; Set-MsolDomainAuthentication -DomainName mein-verifizierter-dom-name.de - ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [Set-MsolDomainAuthentication], MicrosoftOnlineException
    + FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.InternalServiceException,Microsoft.Online.Adm
   inistration.Automation.SetDomainAuthentication

Solution:

Since March 30, 2024 the Azure AD and MSOnline PowerShell modules are deprecated. After this date, support for these modules is limited to migration assistance to the Microsoft Graph PowerShell SDK and security fixes. The deprecated modules will continue to function through March 30, 2025.

The following PowerShell script should help to fix the connection.
Commands to be executed in advance:

Install-Module PowerShellGet -Force
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
Install-Module Microsoft.Graph -Scope CurrentUser -Repository PSGallery -Force
# login 
Connect-MgGraph -Scopes "Domain.ReadWrite.All", "Directory.AccessAsUser.All"

Now the federation part:

# CHANGE this according to your setup/environment
$sso_url = "replace with SSO_URL"
$signing_cert = "replace with KEYCLOAK_CERTIFICATE"   # base64 certificate body only, without PEM header/footer lines
$domain = "YOUR AZURE DOMAIN NAME"
$realm = "REALM OF CHOICE (usually ucs)"
# CHANGE end

# Configuration:
# Authentication against Microsoft Graph was already done interactively by Connect-MgGraph above,
# so the admin username/password of the old MSOnline script are no longer needed here.
$issuer_uri = "$sso_url/realms/$realm"
$logon_uri = "$sso_url/realms/$realm/protocol/saml"
$passive_logon_uri = "$sso_url/realms/$realm/protocol/saml"
$logoff_uri = "$sso_url/realms/$realm/protocol/saml"
$Protocol = "saml"

#set existing domain to managed
Update-MgDomain -DomainId $domain -AuthenticationType "Managed"
# Federate
New-MgDomainFederationConfiguration `
-DomainId $domain `
-IssuerUri $issuer_uri `
-PassiveSignInUri $passive_logon_uri `
-PreferredAuthenticationProtocol $Protocol `
-SignOutUri $logoff_uri `
-SigningCertificate $signing_cert `
-FederatedIdpMfaBehavior "acceptIfMfaDoneByFederatedIdp"

# To check:
Get-MgDomainFederationConfiguration -DomainId $domain
Get-MgDomain

See also Bug 52413
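As an added check (not part of the original post or the Univention guide), the following PowerShell loads the Keycloak signing certificate from a PEM file, strips the PEM armor so only the base64 body is passed to Graph, warns when the certificate is close to expiry, and compares the federation configuration Graph returns with the expected values. It assumes the variables $sso_url, $realm and $domain from the script above, an existing Connect-MgGraph session, and a hypothetical certificate path $cert_path.

```powershell
# Added example; not code from the original post or the Univention migration guide.
$cert_path = "C:\keycloak\realm-signing.pem"   # hypothetical path, constructed for this example

function Get-Base64CertificateFromPem {
    param([Parameter(Mandatory)][string]$Path)
    # Graph expects the raw base64 body of the certificate, without PEM armor or line breaks.
    $body = (Get-Content -Path $Path -Raw) -replace '-----BEGIN CERTIFICATE-----', '' `
                                          -replace '-----END CERTIFICATE-----', '' `
                                          -replace '\s', ''
    # Parse it to make sure it is a valid X.509 certificate; federated logins stop working
    # once the signing certificate configured in Entra ID has expired.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($body))
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Keycloak signing certificate expires on $($cert.NotAfter); plan a rotation."
    }
    return $body
}

function Test-DomainFederation {
    param(
        [Parameter(Mandatory)][string]$DomainId,
        [Parameter(Mandatory)][string]$ExpectedIssuer,
        [Parameter(Mandatory)][string]$ExpectedPassiveSignInUri,
        [Parameter(Mandatory)][string]$ExpectedCertificate
    )
    $fed = Get-MgDomainFederationConfiguration -DomainId $DomainId
    if (-not $fed) { throw "Domain $DomainId has no federation configuration (still Managed?)" }
    # Compare each field Graph reports with what the script intended to set.
    $checks = [ordered]@{
        IssuerUri          = ($fed.IssuerUri -eq $ExpectedIssuer)
        PassiveSignInUri   = ($fed.PassiveSignInUri -eq $ExpectedPassiveSignInUri)
        Protocol           = ($fed.PreferredAuthenticationProtocol -eq 'saml')
        SigningCertificate = ($fed.SigningCertificate -eq $ExpectedCertificate)
    }
    foreach ($entry in $checks.GetEnumerator()) {
        $state = if ($entry.Value) { 'OK' } else { 'MISMATCH' }
        Write-Host ("{0,-20} {1}" -f $entry.Key, $state)
    }
    return -not ($checks.Values -contains $false)
}

$signing_cert = Get-Base64CertificateFromPem -Path $cert_path
$ok = Test-DomainFederation -DomainId $domain `
    -ExpectedIssuer "$sso_url/realms/$realm" `
    -ExpectedPassiveSignInUri "$sso_url/realms/$realm/protocol/saml" `
    -ExpectedCertificate $signing_cert
if (-not $ok) { Write-Warning "Federation configuration for $domain differs from the expected values." }
```

Run the check after New-MgDomainFederationConfiguration; a MISMATCH on SigningCertificate usually means PEM header or line-break characters were left in the value passed to Graph.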
