Move AD FS to trusted domain
Hi
We need Device Registration for Hybrid Azure AD joined Windows Hello for Business (https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg#configure-device-authentication-in-ad-fs).
Environment:
- we have two domains, domain A and domain B
- domain A is like a resource domain; domain B hosts all users and devices
- there is a 2-way trust between domain A and domain B.
- AD FS Server is a member server in domain A.
- AD FS is named "sts.xxxxx.com" (internal and external)
Now I get errors on the AD FS server when I switch on "DeviceAuthentication" (Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true -DeviceAuthenticationMethod SignedToken) to allow device writeback and automatic device join. Device registration is configured in domain B, not in domain A.
This article describes how to use one AD FS server for multiple domains (https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-single-adfs-multitenant-federation). But it also makes clear that Device writeback and automatic device join are not supported in this scenario.
We want to move the existing AD FS server from domain A to domain B (unjoin from domain A and rejoin to domain B). We want to keep the IP addresses and the FQDN (sts.xxxxx.com).
- Do you have any idea whether this works?
- What happens with the existing Claims Provider Trust to domain A?
- The service "Active Directory Federation Services" needs to be reconfigured with a service account from domain B.
- What about AAD Connect? It is already configured and the server FQDN is used there. Can it be switched?
Thanks a lot for your help.
Walter
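A practical way to approach the move is to record the AD FS settings that a domain change can disturb before unjoining, and compare them after the rejoin. The script below is an added example, not part of the original post and not Microsoft's own tooling. It assumes the built-in ADFS PowerShell module, that the AD FS Windows service has its default name adfssrv, and uses hypothetical file paths; it only covers the AD FS server itself, not the AAD Connect server, and it tolerates the Device Registration Service not being readable, which is expected until it has been initialized in the new domain.

```powershell
# Added example: snapshot the AD FS state relevant to a domain move (domain A -> domain B)
# and compare a pre-move snapshot with a post-move one. Run in an elevated AD FS admin
# session on the AD FS server. Assumption: service name 'adfssrv' (the default).

function Get-AdfsMoveSnapshot {
    [CmdletBinding()]
    param(
        # JSON file the snapshot is written to (hypothetical path chosen by the caller)
        [Parameter(Mandatory)] [string] $Path
    )

    $computer = Get-CimInstance -ClassName Win32_ComputerSystem
    $service  = Get-CimInstance -ClassName Win32_Service -Filter "Name='adfssrv'"
    $props    = Get-AdfsProperties
    $policy   = Get-AdfsGlobalAuthenticationPolicy

    # DRS settings are only readable once Initialize-ADDeviceRegistration has been run
    # for the domain the server currently belongs to; record the failure instead of stopping.
    $drs = $null
    try {
        $drs = Get-AdfsDeviceRegistration -ErrorAction Stop | Select-Object -Property *
    } catch {
        Write-Warning "Device Registration Service not readable: $($_.Exception.Message)"
    }

    # Claims provider trusts (the trust to domain A is among them before the move)
    $trusts = @(Get-AdfsClaimsProviderTrust | ForEach-Object {
        [pscustomobject]@{ Name = $_.Name; Identifier = [string] $_.Identifier; Enabled = $_.Enabled }
    })

    $snapshot = [pscustomobject]@{
        TakenAt                     = (Get-Date).ToString('o')
        ComputerName                = $computer.Name
        Domain                      = $computer.Domain
        ServiceAccount              = $service.StartName
        ServiceState                = $service.State
        FederationServiceName       = $props.HostName
        FederationServiceId         = $props.Identifier.AbsoluteUri
        DeviceAuthenticationEnabled = $policy.DeviceAuthenticationEnabled
        DeviceAuthenticationMethod  = [string] $policy.DeviceAuthenticationMethod
        ClaimsProviderTrusts        = $trusts
        DeviceRegistration          = $drs
    }

    $snapshot | ConvertTo-Json -Depth 5 | Set-Content -Path $Path -Encoding UTF8
    return $snapshot
}

function Compare-AdfsMoveSnapshot {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $BeforePath,
        [Parameter(Mandatory)] [string] $AfterPath
    )
    $before = Get-Content -Raw -Path $BeforePath | ConvertFrom-Json
    $after  = Get-Content -Raw -Path $AfterPath  | ConvertFrom-Json

    # 'same': must survive the move (FQDN and identifier are kept); 'changed': must differ
    # after the move (domain membership, service account from domain B); $null: report only.
    $checks = @(
        @{ Name = 'FederationServiceName';       Expect = 'same' }
        @{ Name = 'FederationServiceId';         Expect = 'same' }
        @{ Name = 'Domain';                      Expect = 'changed' }
        @{ Name = 'ServiceAccount';              Expect = 'changed' }
        @{ Name = 'ServiceState';                Expect = 'same' }
        @{ Name = 'DeviceAuthenticationEnabled'; Expect = $null }
        @{ Name = 'DeviceAuthenticationMethod';  Expect = $null }
    )
    foreach ($c in $checks) {
        $b = $before.($c.Name); $a = $after.($c.Name)
        $changed = "$b" -ne "$a"
        $ok = switch ($c.Expect) { 'same' { -not $changed } 'changed' { $changed } default { $null } }
        [pscustomobject]@{ Setting = $c.Name; Before = $b; After = $a; Expected = $c.Expect; OK = $ok }
    }

    # Claims provider trusts that vanished or appeared across the move
    $bNames = @(foreach ($t in @($before.ClaimsProviderTrusts)) { if ($t) { $t.Name } })
    $aNames = @(foreach ($t in @($after.ClaimsProviderTrusts))  { if ($t) { $t.Name } })
    foreach ($n in ($bNames | Where-Object { $_ -notin $aNames })) {
        [pscustomobject]@{ Setting = "ClaimsProviderTrust:$n"; Before = 'present'; After = 'missing'; Expected = 'same'; OK = $false }
    }
    foreach ($n in ($aNames | Where-Object { $_ -notin $bNames })) {
        [pscustomobject]@{ Setting = "ClaimsProviderTrust:$n"; Before = 'missing'; After = 'present'; Expected = $null; OK = $null }
    }
}

# Usage (hypothetical paths): take the first snapshot before unjoining from domain A,
# the second after the rejoin to domain B and the service account change, then compare.
# Get-AdfsMoveSnapshot -Path 'C:\adfs-move\before.json'
# Get-AdfsMoveSnapshot -Path 'C:\adfs-move\after.json'
# Compare-AdfsMoveSnapshot -BeforePath 'C:\adfs-move\before.json' -AfterPath 'C:\adfs-move\after.json' | Format-Table -AutoSize
```

Rows with OK = False are the ones to look at first: a federation service name or identifier that changed means relying parties and AAD Connect will no longer match, and a claims provider trust that is missing after the move is the domain A trust the post asks about. The DRS block of the snapshot is what the Windows Hello for Business device registration depends on and is expected to be empty until it is set up in domain B.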