The case was that corp.contoso.com was federated but the top-level contoso.com wasn't.
The procedure followed was:
- Open PowerShell with administrative privileges.
- Connect-MsolService as the global administrator of the "xxxx.onmicrosoft.com" domain. It will not let you federate if you log in as a contoso.com global admin.
- Get-MsolDomainFederationSettings -DomainName <your domain> for both contoso.com and corp.contoso.com to see the current federation settings. Notice the IssuerUri. contoso.com shouldn't return anything since it is not federated.
- Set-MsolADFSContext -Computer <your primary ADFS server>
- Convert-MsolDomainToFederated -DomainName contoso.com -SupportMultipleDomain
- Get-MsolDomainFederationSettings -DomainName <your domain> for both contoso.com and corp.contoso.com to see the current federation settings. Notice the IssuerUri. Both contoso.com and corp.contoso.com now return federation settings, with different IssuerUri values.
- Change the UPN claims rule in ADFS to (the regex below is the one from the reference article; the `*` after `^.` and the backslashes before the literal dots had been stripped by formatting):
c:[Type == "http://schemas.xmlsoap.org/claims/UPN"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = regexreplace(c.Value, "^.*@([^.]+\.)?(?<domain>([^.]+\.?){2})$", "http://${domain}/adfs/services/trust/"));
This worked.
Reference article:
https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-multiple-domains
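The procedure above, collected into one script, as an added example that is not part of the original post. It assumes the MSOnline and ADFS PowerShell modules are available in an elevated session, that the relying party trust is the default "Microsoft Office 365 Identity Platform" trust, and that the domain names and the ADFS server name ("adfs01.corp.contoso.com") are placeholders to replace. It also checks the subdomain-aware regex locally against sample UPNs before committing it to ADFS, since .NET's Regex.Replace understands the same `${domain}` group reference the claim rule uses.

```powershell
# Added example, not the original poster's script. Names below are placeholders.
$ParentDomain = 'contoso.com'
$SubDomain    = 'corp.contoso.com'
$AdfsServer   = 'adfs01.corp.contoso.com'      # primary ADFS server (assumed name)
$RpName       = 'Microsoft Office 365 Identity Platform'

Import-Module MSOnline
# Sign in as a global admin whose UPN is in the initial *.onmicrosoft.com domain,
# not in the domain that is about to be federated.
Connect-MsolService

function Show-Federation([string[]]$Domains) {
    foreach ($d in $Domains) {
        # A non-federated domain returns nothing (or an error), so swallow the error.
        $fs = Get-MsolDomainFederationSettings -DomainName $d -ErrorAction SilentlyContinue
        if ($fs) { '{0,-22} IssuerUri = {1}' -f $d, $fs.IssuerUri }
        else     { '{0,-22} not federated' -f $d }
    }
}

'Before:'; Show-Federation $ParentDomain, $SubDomain

Set-MsolADFSContext -Computer $AdfsServer
Convert-MsolDomainToFederated -DomainName $ParentDomain -SupportMultipleDomain

'After:';  Show-Federation $ParentDomain, $SubDomain

# Sanity-check the regex before touching ADFS. Expected results:
#   alice@contoso.com           -> http://contoso.com/adfs/services/trust/
#   bob@corp.contoso.com        -> http://contoso.com/adfs/services/trust/
#   carol@lab.corp.contoso.com  -> unchanged (no match): the pattern allows only one
#                                  label before the two-label domain, so deeper
#                                  subdomains need a wider pattern.
$Pattern = '^.*@([^.]+\.)?(?<domain>([^.]+\.?){2})$'
foreach ($upn in 'alice@contoso.com', 'bob@corp.contoso.com', 'carol@lab.corp.contoso.com') {
    $issuer = [regex]::Replace($upn, $Pattern, 'http://${domain}/adfs/services/trust/')
    '{0,-28} -> {1}' -f $upn, $issuer
}

# Replace the issuerid rule on the Office 365 relying party trust, keeping every
# other issuance transform rule. A backup of the current rule set is written first.
$IssuerRule = @'
@RuleName = "Issue issuerid for parent and subdomain UPNs"
c:[Type == "http://schemas.xmlsoap.org/claims/UPN"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid",
          Value = regexreplace(c.Value, "^.*@([^.]+\.)?(?<domain>([^.]+\.?){2})$", "http://${domain}/adfs/services/trust/"));
'@

Import-Module ADFS
$rp     = Get-AdfsRelyingPartyTrust -Name $RpName
$backup = Join-Path $env:TEMP ('o365-issuance-rules-{0:yyyyMMddHHmmss}.txt' -f (Get-Date))
$rp.IssuanceTransformRules | Set-Content -Path $backup
"Existing rules backed up to $backup"

# Each rule is a ';'-terminated statement; split on the terminator and drop the
# rule(s) that currently issue the issuerid claim.
$kept = ($rp.IssuanceTransformRules -split '(?<=;)\r?\n') |
        Where-Object { $_.Trim() -and $_ -notmatch 'claims/issuerid' }
$newRules = (@($kept) + $IssuerRule) -join "`r`n"

Set-AdfsRelyingPartyTrust -TargetName $RpName -IssuanceTransformRules $newRules
(Get-AdfsRelyingPartyTrust -Name $RpName).IssuanceTransformRules
```

Run the "Before" and regex-check parts first and read their output; only the Convert-MsolDomainToFederated call and the Set-AdfsRelyingPartyTrust call change state, and the rule backup in `$env:TEMP` is what you restore with `Set-AdfsRelyingPartyTrust -TargetName ... -IssuanceTransformRulesFile` if the new rule set misbehaves.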