Change subdomain authentication type in Azure Active Directory

Katsuya 41 Reputation points
2021-07-07T08:37:03.187+00:00

[Background]
I’d like to change my subdomain to a root domain and apply different authentication settings to each domain.
e.g. root domain: federated
     subdomain: managed

I think this setting (URL: https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/domains-verify-custom-subdomain) is how to change a subdomain to a root domain.

[Question]

  1. Does this setting (subdomain -> root domain) affect anywhere other than authentication settings? e.g. EXO, Teams, SPO, OneDrive, etc.
  2. If I find some problems after applying this setting, I’d like to roll back. How can I roll back this setting? (root domain -> subdomain)

Accepted answer
  1. AmanpreetSingh-MSFT 56,866 Reputation points Moderator
    2021-07-07T12:12:38.867+00:00

    Hi @Katsuya · Thank you for reaching out.

    Yes, the Graph call below promotes a subdomain to a root domain:

    POST https://graph.windows.net/{tenant_id}/domains/child.mydomain.com/promote?api-version=1.6

    • Does this setting (subdomain -> root domain) affect anywhere other than authentication settings? e.g. EXO, Teams, SPO, OneDrive, etc.

    Only promoting the subdomain to a root domain won't affect anything. Once you change the authentication settings, authentication for all users with the subdomain in their UPN suffix will be changed everywhere, including EXO, Teams, SPO and OneDrive, as all these apps are authenticated by Azure AD. Apart from authentication settings, nothing will be changed.

    • If I find some problems after applying this setting, I’d like to roll back. How can I roll back this setting? (root domain -> subdomain)

    Once a subdomain is promoted to a root domain, you cannot demote it. The only option would be to remove the subdomain and add it back using the following command:

    New-MsolDomain -Name aad.cloud365.in -Authentication Federated

    Make sure the authentication type matches the one configured for the root domain. If you specify a different authentication method, you will get the error "Unable to add this domain. It is a subdomain and its authentication type is different from the authentication type of the root domain."

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
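
Because the answer says a promoted subdomain cannot be demoted, a snapshot of the current state is worth taking before the promote call. The script below is an added example, not part of the original answer or of Microsoft's documentation. It assumes the MSOnline module with an existing Connect-MsolService session and that Get-MsolDomain reports the parent domain in its RootDomain property; the domain name is the placeholder used in the answer and the output path is hypothetical.

```powershell
# Added example: record domain and user state before promoting a subdomain.
# Assumes: MSOnline module loaded, Connect-MsolService already run.
param(
    [string]$SubDomain = 'child.mydomain.com',      # placeholder from the answer
    [string]$OutFile   = '.\pre-promote-users.csv'  # hypothetical output path
)

$sub = Get-MsolDomain -DomainName $SubDomain -ErrorAction Stop

# Assumption: an empty RootDomain means the domain is already a root domain.
if (-not $sub.RootDomain) {
    Write-Warning "$SubDomain reports no RootDomain; it may already be a root domain."
    return
}

$root = Get-MsolDomain -DomainName $sub.RootDomain -ErrorAction Stop

# Keep this record: per the answer, re-adding the name as a subdomain only
# succeeds when -Authentication matches the root domain's type shown here.
[pscustomobject]@{
    SubDomain         = $sub.Name
    SubDomainAuth     = $sub.Authentication
    SubDomainStatus   = $sub.Status
    RootDomain        = $root.Name
    RootDomainAuth    = $root.Authentication
    SnapshotTakenUtc  = (Get-Date).ToUniversalTime().ToString('o')
} | Format-List

# Get-MsolUser -DomainName also matches secondary e-mail addresses, so filter
# down to the users whose UPN suffix is exactly the subdomain. These are the
# accounts whose sign-in changes once the authentication type is changed.
$affected = Get-MsolUser -DomainName $SubDomain -All |
    Where-Object { $_.UserPrincipalName -like "*@$SubDomain" }

Write-Output ("Users with UPN suffix @{0}: {1}" -f $SubDomain, @($affected).Count)

$affected |
    Select-Object UserPrincipalName, DisplayName, IsLicensed, ObjectId |
    Sort-Object UserPrincipalName |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

Write-Output "Affected-user list written to $OutFile"
```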

