I'm trying to get SSO to work with Office 365 and Sharepoint online and I'm getting really confused. My internal domain is "internal.com" and my external name is "external.com". external.com is added as a domain in O365, but internal.com is not. Should I put internal.com on a external DNS server and add it as a domain in O365? Would that make it so my internal users wouldn't have to sign into external.sharepoint.com?
Office 365 SSO with different internal and external domain names
active-directoryadfsazure-active-directorymicrosoft-office-365single-sign-on
Related Solutions
This is pretty simple...
If your public DNS host provides forwarding you can simply create the base A record and have it forward to portal.microsoftonline.com.
If you don't have this ability just setup a simple new website on your public facing web servers or even proxy servers that hosts that domain name. Once you have that you can setup the IIS Rewrite Module to redirect requests to the Microsoft portal and it should do what you want.
We did this as well to provide a "customized" URL for users to access, not to mention any laptops could store the URL and it would work internally and externally, just with different authentication mechanisms.
Sample Rewrite:
https://login.microsoftonline.com/login.srf?wa=wsignin1.0&whr=<YOUR FEDERATION SERVER>&wreply=https:%2f%2foutlook.com%2fowa%2foffice365.com%2f?exsvurl=1&ll-cc=en-US
The problem here is how Exchange itself works (O365):
However mails sent from inside office 365 addressed to users with accounts in 0ffice365 continued to appear in office 365 mailboxes, and are not routed to the mx mail server (google apps), and thus are not appearing in google apps mail mail boxes.
This is to be expected. Exchange isn't going to send email to an external MX record for example.com if their email address is bob@example.com associated with a mailbox on the Exchange Online Org for your Office 365 domain. The routing of the email will dictate that the user is local and should be treated as such.
You have a couple of options as I see it:
Option #1:
Assuming you are using 2 distinct email domains for O365 and Google Apps you could have individual mailboxes on O365 forward any incoming email to the external Google Apps domain. I know you said your MX records go to google apps so you are probably only using a single domain name, but you could look at forwarding it to their gmail associated address instead and then setting their primary email address for new emails and replies to their real company domain email address.
In this instance the example would be:
Email to bob@domain.com > google apps mx > Office 365 route > Office 365 forwards email for bob to bob@gmail.com > google apps receives email and delivers to Bob > when Bob replies he chooses to reply as bob@domain.com instead of bob@gmail.com
Option #2
Like O365 support said, you can look into setting up the Internet Relay Domain option. What they were referring to is called Shared SMTP Namespace. I've never done it with Google Apps, but the concept is the same with them overall I would presume.
However, the issue you are running into is probably because you have actual mailboxes instead of contact email addresses only for those users. They can't have actual mailboxes on the Exchange/O365 server itself, just an O365 user ID with a contact email address.
But you'll also have to setup such a thing on Google Apps side somehow to (again not familiar with how they do it)...because otherwise you'll end up with a loop. You'll need something on their side that says "check for mailbox and if not found send to O365".
The flow would work like:
External Email to bob@domain.com > google apps receives and checks for local mailbox. If found, deliver...if not > Office 365 route > O365 delivers to mailbox there.
Office365 user emails bob@domain.com > Office 365 finds no Exchange mailbox but does see bob@domain.com as a contact > Exchange Online has the Internet Relay Domain setup for domain.com and the next hop set back to send outbound to the MX record > google apps receives email and delivers to Bob's mailbox locally on Google Apps.
Again, you'll need to make sure that Google Apps knows to check for bob@domain.com mailbox locally before sending everything else on to O365. Otherwise it will cause a mail routing loop.
Hope that helps.
Best Answer
When you sync with Office 365 your internal domain must be a routable address and this should be assigned to users UPN suffix. When you sync users you will then use the same logon as you would internally (user@internal.com) to login to Office 365.
it's fine to have your Federated endpoint accessible from external.com (i.e. sts.external.com), as the server will be configured to talk to the internal systems. This won't change the name users will use to login.