
How to change subdomain authentication type in Microsoft Entra ID (formerly Azure Active Directory)

Once a root domain is added to your Microsoft Entra ID tenant, every subdomain you add to it afterwards automatically inherits the root domain's authentication settings. You can, however, manage a subdomain's authentication settings independently of the root domain by using the Microsoft Graph API.

Because a subdomain always takes the authentication type of its root domain, you first have to promote the subdomain to a root domain through Microsoft Graph. Once promoted, its authentication type can be set independently of the root domain.

To add a subdomain:

  1. Add a new subdomain using PowerShell. Until it is promoted, it takes the default authentication type of its root domain.
    Connect-MgGraph -Scopes "Domain.ReadWrite.All"
    # Request body; the id is the fully qualified name of the subdomain
    $param = @{
        id = "test.contoso.com"
        AuthenticationType = "Federated"
    }
    New-MgDomain -BodyParameter $param

  2. Retrieve the domain with a GET request, as in the example below. Because the domain is not a root domain, it inherits the authentication type of its root domain.
        GET https://graph.microsoft.com/v1.0/domains/foo.contoso.com/
        Return:
        {
            "authenticationType": "Federated",
            "availabilityStatus": null,
            "isAdminManaged": true,
            "isDefault": false,
            "isDefaultForCloudRedirections": false,
            "isInitial": false,
            "isRoot": false,          <---------------- Not a root domain, so it inherits the parent domain's authentication type (Federated)
            "isVerified": true,
            "name": "child.mydomain.com",
            "supportedServices": [],
            "forceDeleteState": null,
            "state": null,
            "passwordValidityPeriodInDays": null,
            "passwordNotificationWindowInDays": null
        }

To promote the subdomain to a root domain (the subdomain must already be verified, as the isVerified value above shows):

    POST https://graph.microsoft.com/v1.0/{tenant-id}/domains/foo.contoso.com/promote

To change the subdomain authentication type to managed:

  1. Use this command to change the subdomain authentication type:
        Update-MgDomain -DomainId "test.contoso.com" -BodyParameter @{AuthenticationType="Managed"}

  2. Confirm with a GET request to the Microsoft Graph API that the subdomain's authentication type is now Managed.
        GET https://graph.microsoft.com/v1.0/domains/foo.contoso.com/
        Return:
        {
            "authenticationType": "Managed",   <---------- Now Managed, no longer inheriting the Federated setting
            "availabilityStatus": null,
            "isAdminManaged": true,
            "isDefault": false,
            "isDefaultForCloudRedirections": false,
            "isInitial": false,
            "isRoot": true,   <------------------------------ Also a root domain now, so it no longer inherits from the parent domain
            "isVerified": true,
            "name": "child.mydomain.com",
            "supportedServices": [
                "Email",
                "OfficeCommunicationsOnline",
                "Intune"
            ],
            "forceDeleteState": null,
            "state": null,
            "passwordValidityPeriodInDays": null,
            "passwordNotificationWindowInDays": null
        }
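The whole procedure above (create the subdomain, read it back, promote it, switch it to Managed, verify) as one PowerShell script. This is an added example, not code from the article or from ManageEngine. It assumes the Microsoft Graph PowerShell SDK (the Microsoft.Graph.Authentication and Microsoft.Graph.Identity.DirectoryManagement modules), a signed-in account that has been granted Domain.ReadWrite.All, and a placeholder subdomain test.contoso.com under a root domain that is already verified; the Show-DomainAuth helper is this example's own.

```powershell
# Added example, not from the article. Placeholder subdomain: replace with your own.
$subdomain = "test.contoso.com"

Connect-MgGraph -Scopes "Domain.ReadWrite.All"

function Show-DomainAuth {
    # Helper defined for this example: reads the domain back and reports the
    # properties the procedure above depends on.
    param([string]$DomainId)
    $d = Get-MgDomain -DomainId $DomainId
    [pscustomobject]@{
        Name               = $d.Id
        AuthenticationType = $d.AuthenticationType
        IsRoot             = $d.IsRoot
        IsVerified         = $d.IsVerified
    }
}

# 1. Create the subdomain if it does not exist yet. While it is not a root
#    domain it inherits the root's authentication type, whatever the body says.
$existing = Get-MgDomain -DomainId $subdomain -ErrorAction SilentlyContinue
if (-not $existing) {
    New-MgDomain -BodyParameter @{ id = $subdomain; authenticationType = "Federated" } | Out-Null
}
$before = Show-DomainAuth -DomainId $subdomain
$before   # expect IsRoot = False and the root domain's authentication type

# 2. Promote it to a root domain. Graph only promotes verified domains, so
#    stop here with a clear message instead of letting the call fail.
if (-not $before.IsVerified) {
    throw "$subdomain is not verified; verify it before promoting."
}
if (-not $before.IsRoot) {
    Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/v1.0/domains/$subdomain/promote" | Out-Null
}

# 3. As a root domain its authentication type can now be set on its own.
Update-MgDomain -DomainId $subdomain -BodyParameter @{ authenticationType = "Managed" }

# 4. Verify. Anything other than IsRoot = True and Managed means a step did not apply.
$after = Show-DomainAuth -DomainId $subdomain
$after
if (-not $after.IsRoot -or $after.AuthenticationType -ne "Managed") {
    throw "Promotion or authentication change did not take effect for $subdomain"
}
```

Two points worth keeping in mind when running this. Domain.ReadWrite.All lets the caller add, remove and reconfigure every domain in the tenant, including federation settings, so run the script from an account reserved for such changes and check the resulting domain entries in the Entra ID audit log afterwards. Moving a domain from Federated to Managed also moves sign-in for every user on that domain from the federated identity provider to Entra ID itself, so those users need a credential Entra ID can verify (password hash sync, pass-through authentication, or a cloud-only password) before the switch.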

About M365 Manager Plus

ManageEngine M365 Manager Plus is a Microsoft 365 reporting, auditing, management and monitoring tool. With M365 Manager Plus, you can:

  • Keep an eye on your Microsoft services with intuitive reports that can be easily scheduled, mailed, and exported in various formats.
  • Audit all the user and admin activities in your organization with detailed audit reports.
  • Manage users, groups, contacts, licenses, mailboxes, and more with bulk management tasks that can be automated.
  • Assign delegated tasks to technicians without elevating their native privileges.
  • Constantly monitor the health and performance of your organization.
  • Reduce your administrator's workload by delegating custom roles to help desk technicians.
