
cbdx2 (cbdx2) asked a question.
Currently, we have our Office 365 app on SWA and would like to move to WS-Federation.
In O365, our default domain is company.onmicrosoft.com. Our API integration is using a Global Admin service account name@company.onmicrosoft.com and it's working fine. I go and switch the sign-on from SWA to WS-Federation using name@company.onmicrosoft.com and immediately I get the error message below. I tried typing in a bogus password for this account and still got the same error message. To me, this means it's not even authenticating the account and is stopping it based on the domain of the account?
Please review the form to correct the following error(s):
- Please provide credentials for an Office 365 administrator who belongs to a separate domain than you are about to federate. If you do not have such user, please create an Office 365 user 'admin@yourcompany.onmicrosoft.com' that has the role 'Company Administrator'
I've tried switching to another O365 Global Admin account @companydomain.com and got the error message below.
Please review the form to correct the following error(s):
- Federating to the 'Default' domain is not allowed. Please change your Office 365 domain for this app. domain=partsauthority.onmicrosoft.com
So these are the facts that I've gathered.
- You cannot federate the default O365 domain. If you are trying to federate company.com, you need to set company.onmicrosoft.com as the default in O365.
- You should use a Global Admin account that is on a different domain than the one you are trying to federate.
I've been trying this for days! Please save my sanity and tell me what I'm doing wrong.
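The two constraints the error messages above encode (the domain typed into "Your Office 365 company domain" must not be the tenant's default domain, and the admin account must not live in the domain being federated) can be checked before touching the Okta sign-on settings. This is an added example, not code from the original post, Okta or Microsoft; the function, parameter and variable names are my own, and the sample domain list is constructed to look like the objects Get-MgDomain (Microsoft Graph PowerShell, Microsoft.Graph.Identity.DirectoryManagement) returns, so the same function can be pointed at a live tenant with `-Domains (Get-MgDomain)`.

```powershell
# Added example: pre-flight check for the Okta O365 WS-Federation prerequisites
# described in the thread. Not Okta's or Microsoft's code; names are assumptions.

function Test-OktaFederationPrereqs {
    [CmdletBinding()]
    param(
        # Domain objects with Id / IsDefault / IsInitial / AuthenticationType,
        # i.e. the shape returned by Get-MgDomain (or a constructed list, as below).
        [Parameter(Mandatory)] [object[]] $Domains,
        # Value you intend to put in the Okta field "Your Office 365 company domain".
        [Parameter(Mandatory)] [string]   $DomainToFederate,
        # UPN of the Global Admin account you intend to give Okta.
        [Parameter(Mandatory)] [string]   $AdminUpn
    )

    $problems = @()

    $target = $Domains | Where-Object { $_.Id -ieq $DomainToFederate }
    if (-not $target) {
        $problems += "Domain '$DomainToFederate' is not a verified domain in this tenant."
    }
    else {
        # Error 2 in the thread: "Federating to the 'Default' domain is not allowed."
        if ($target.IsDefault) {
            $default = ($Domains | Where-Object { $_.IsInitial } | Select-Object -First 1).Id
            $problems += "'$DomainToFederate' is the tenant's default domain; make another domain (e.g. '$default') the default first."
        }
        # Informational: re-federating an already federated domain replaces the
        # existing IdP settings, so know who owns it before proceeding.
        if ($target.AuthenticationType -eq 'Federated') {
            $problems += "'$DomainToFederate' is already federated (AuthenticationType=Federated); check which IdP owns it."
        }
    }

    # Error 1 in the thread: the admin must belong to a different domain than the one
    # being federated, otherwise Okta rejects the form before ever checking the password.
    $adminSuffix = ($AdminUpn -split '@')[-1]
    if ($adminSuffix -ieq $DomainToFederate) {
        $problems += "Admin '$AdminUpn' is in the domain being federated; use an admin in another domain (e.g. the .onmicrosoft.com one)."
    }

    [pscustomobject]@{
        DomainToFederate = $DomainToFederate
        AdminUpn         = $AdminUpn
        Ok               = ($problems.Count -eq 0)
        Problems         = $problems
    }
}

# Constructed sample tenant (illustrative, not real data): the .onmicrosoft.com
# domain is the initial domain and has been made the default, as the thread advises.
$sampleDomains = @(
    [pscustomobject]@{ Id = 'company.onmicrosoft.com'; IsInitial = $true;  IsDefault = $true;  AuthenticationType = 'Managed' }
    [pscustomobject]@{ Id = 'company.com';             IsInitial = $false; IsDefault = $false; AuthenticationType = 'Managed' }
)

# The combination from the post that fails (default domain, admin in that same domain):
Test-OktaFederationPrereqs -Domains $sampleDomains -DomainToFederate 'company.onmicrosoft.com' -AdminUpn 'name@company.onmicrosoft.com' |
    Format-List

# The combination that passes (custom domain, admin in the .onmicrosoft.com domain):
Test-OktaFederationPrereqs -Domains $sampleDomains -DomainToFederate 'company.com' -AdminUpn 'name@company.onmicrosoft.com' |
    Format-List
```

Against a live tenant, run `Connect-MgGraph -Scopes Domain.Read.All` and pass `-Domains (Get-MgDomain)`; after the switch to WS-Federation, `Get-MgDomain -DomainId company.com` should report `AuthenticationType` as `Federated`, which is the quickest confirmation that the change actually took effect on the Microsoft side.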

I was able to enable WS-Federation by changing the "Your Office 365 company domain". Like a dummy, I had it set to company.onmicrosoft.com.