Once a root domain is added to your Microsoft Entra ID tenant, any subdomain added under it in your Microsoft Entra organization automatically inherits the root domain's authentication settings. With the Microsoft Graph API, however, you can now manage a subdomain's authentication settings independently of the root domain.
Because a subdomain inherently takes on the authentication type of its root domain, you first have to promote the subdomain to a root domain in Microsoft Entra ID through Microsoft Graph. Only then can you set its authentication type to the value you want.
To add a subdomain:
```powershell
# Connect with a scope that permits creating and modifying domains
Connect-MgGraph -Scopes "Domain.ReadWrite.All"

# Create the subdomain (the same name is used in the examples below) as Federated
$param = @{
    id                 = "child.mydomain.com"
    authenticationType = "Federated"
}
New-MgDomain -BodyParameter $param
```
```
GET https://graph.microsoft.com/v1.0/domains/child.mydomain.com
```
Return:
```
{
  "authenticationType": "Federated",
  "availabilityStatus": null,
  "isAdminManaged": true,
  "isDefault": false,
  "isDefaultForCloudRedirections": false,
  "isInitial": false,
  "isRoot": false,          <---- Not a root domain, so it inherits the parent domain's authentication type (Federated)
  "isVerified": true,
  "name": "child.mydomain.com",
  "supportedServices": [],
  "forceDeleteState": null,
  "state": null,
  "passwordValidityPeriodInDays": null,
  "passwordNotificationWindowInDays": null
}
```
To change the subdomain to a root domain:
```
POST https://graph.microsoft.com/v1.0/{tenant-id}/domains/child.mydomain.com/promote
```
To change the subdomain authentication type to managed:
```powershell
# PATCH /domains/{id} with the new authenticationType; the domain must already be a root domain
Update-MgDomain -DomainId "child.mydomain.com" -BodyParameter @{ authenticationType = "Managed" }
```
```
GET https://graph.microsoft.com/v1.0/domains/child.mydomain.com
```
Return:
```
{
  "authenticationType": "Managed",   <---- Now this domain is Managed and no longer inherits the Federated setting
  "availabilityStatus": null,
  "isAdminManaged": true,
  "isDefault": false,
  "isDefaultForCloudRedirections": false,
  "isInitial": false,
  "isRoot": true,                    <---- Also a root domain now, so it no longer inherits from the parent domain
  "isVerified": true,
  "name": "child.mydomain.com",
  "supportedServices": [
    "Email",
    "OfficeCommunicationsOnline",
    "Intune"
  ],
  "forceDeleteState": null,
  "state": null,
  "passwordValidityPeriodInDays": null,
  "passwordNotificationWindowInDays": null
}
```
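The whole sequence above (read the domain, promote it if `isRoot` is false, patch `authenticationType`, then re-read and verify) as one script. This is an added example, not code from the original page: `send` is assumed to be a callable that performs an authenticated Graph call with a token the caller already holds, and `FakeGraph` is a constructed offline stand-in so the logic can be exercised without a tenant.

```python
"""Promote an Entra ID subdomain to a root domain and give it its own authenticationType."""
from typing import Callable, Optional

GRAPH = "https://graph.microsoft.com/v1.0"

def plan_auth_change(domain: dict, desired: str) -> list:
    """Graph calls needed so that `domain` is a root domain with authenticationType == desired.

    A subdomain with isRoot == false inherits its parent's authenticationType, so it is
    promoted first (POST .../promote) and only then PATCHed, in the order the page shows.
    """
    name = domain["name"]
    steps = []
    if not domain.get("isRoot"):
        steps.append(("POST", f"{GRAPH}/domains/{name}/promote", None))
    if domain.get("authenticationType") != desired:
        steps.append(("PATCH", f"{GRAPH}/domains/{name}", {"authenticationType": desired}))
    return steps

def apply_auth_change(send: Callable, name: str, desired: str) -> dict:
    """Read, plan, apply, then re-read; raise if the domain did not end up as requested."""
    current = send("GET", f"{GRAPH}/domains/{name}", None)
    for method, url, body in plan_auth_change(current, desired):
        send(method, url, body)
    final = send("GET", f"{GRAPH}/domains/{name}", None)
    if not final.get("isRoot") or final.get("authenticationType") != desired:
        raise RuntimeError(f"{name}: isRoot={final.get('isRoot')}, "
                           f"authenticationType={final.get('authenticationType')}")
    return final

class FakeGraph:
    """Constructed stand-in (assumption, not Graph itself): a non-root subdomain of a Federated root."""
    def __init__(self, name: str, parent_auth: str = "Federated"):
        self.parent_auth = parent_auth
        self.state = {"name": name, "isRoot": False, "authenticationType": parent_auth}
        self.calls: list = []
    def __call__(self, method: str, url: str, body: Optional[dict]) -> dict:
        self.calls.append((method, url))
        if method == "POST" and url.endswith("/promote"):
            self.state["isRoot"] = True
        elif method == "PATCH" and self.state["isRoot"]:
            self.state.update(body)                    # a root domain keeps its own setting
        elif method == "PATCH":
            self.state["authenticationType"] = self.parent_auth  # models the inheritance the page describes
        return dict(self.state)

if __name__ == "__main__":
    print(apply_auth_change(FakeGraph("child.mydomain.com"), "child.mydomain.com", "Managed"))
```

Replace `FakeGraph` with a function that adds your bearer token and calls the Graph endpoints to run it against a real tenant.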