1 September, 2024

Using an Entra subdomain for Federated authentication

In my lab environment, I was trying to set up Okta as a federated subdomain. Specifically, the root domain uses the standard Managed authentication with Entra ID, and I wanted to have an Okta Classic tenancy using one subdomain, and an Okta OIE tenancy using a different subdomain.

With an Entra tenancy, having a different authentication type on a subdomain than on its root domain is not a typical scenario, and there doesn't appear to be any way to configure this via the portal. So to configure this, there's a special trick:

What works, as of August 2024:

Note: I'm doing this from Azure Cloud Shell, so I don't need to Import-Module Microsoft.Graph.Identity.DirectoryManagement.

# First, create the subdomain
Connect-MgGraph -Scopes Directory.AccessAsUser.All
New-EntraDomain -Name subdomain.example.com

# Either the below, OR using Graph Explorer or similar, POST an empty body to https://graph.microsoft.com/v1.0/domains/subdomain.example.com/promote
Invoke-MgPromoteDomain -DomainId subdomain.example.com

# Finally, configure the Federation as per the Okta provided PowerShell snippet:
New-MgDomainFederationConfiguration -DomainId subdomain.example.com ...
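To confirm the end state after the three steps above, here is an added verification script written for this post; it is not part of the original steps or of Okta's snippet. It reads both domains and the subdomain's federation configuration back through the same Microsoft.Graph cmdlets, checks that the root stays Managed while the subdomain is Federated and promoted, and decodes the signing certificate so an expiring IdP certificate is noticed before sign-in breaks. The domain names are the post's placeholders and the 30-day certificate warning threshold is my own assumption.

```powershell
# Added verification script (not from the original post). Assumes the same
# Microsoft.Graph cmdlets as above and that Connect-MgGraph has already run.
$RootDomain   = 'example.com'             # placeholder root domain (assumption)
$SubDomain    = 'subdomain.example.com'   # the federated subdomain from the post
$CertWarnDays = 30                        # assumption: warn this far ahead of cert expiry

function Test-FederatedSubdomain {
    param([string]$RootDomain, [string]$SubDomain, [int]$CertWarnDays)

    $root     = Get-MgDomain -DomainId $RootDomain
    $sub      = Get-MgDomain -DomainId $SubDomain
    $problems = @()

    # Only the subdomain should be Federated; the root keeps Managed authentication.
    if ($root.AuthenticationType -ne 'Managed')   { $problems += "$RootDomain is $($root.AuthenticationType), expected Managed" }
    if ($sub.AuthenticationType  -ne 'Federated') { $problems += "$SubDomain is $($sub.AuthenticationType), expected Federated" }
    if (-not $sub.IsVerified)                     { $problems += "$SubDomain is not verified" }
    # Promotion turns the subdomain into a root-level domain of the tenant; without it
    # the 'authentication type is different from the root domain' error applies.
    if (-not $sub.IsRoot)                         { $problems += "$SubDomain was not promoted (IsRoot is false)" }

    # Read back the federation settings the Okta snippet created.
    $fed = Get-MgDomainFederationConfiguration -DomainId $SubDomain
    if (-not $fed) {
        $problems += "No federation configuration found on $SubDomain"
    }
    foreach ($f in $fed) {
        # SigningCertificate is the base64 DER of the IdP's token-signing certificate.
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                    [Convert]::FromBase64String($f.SigningCertificate))
        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        if ($daysLeft -lt $CertWarnDays) {
            $problems += "Signing cert for $($f.IssuerUri) expires in $daysLeft days ($($cert.NotAfter))"
        }
        # Print the settings worth eyeballing, including how IdP-side MFA is treated.
        [pscustomobject]@{
            Domain         = $SubDomain
            IssuerUri      = $f.IssuerUri
            PassiveSignIn  = $f.PassiveSignInUri
            SignOut        = $f.SignOutUri
            Protocol       = $f.PreferredAuthenticationProtocol
            IdpMfaBehavior = $f.FederatedIdpMfaBehavior
            CertThumbprint = $cert.Thumbprint
            CertNotAfter   = $cert.NotAfter
        } | Format-List | Out-String | Write-Host
    }
    return ,$problems
}

$issues = Test-FederatedSubdomain -RootDomain $RootDomain -SubDomain $SubDomain -CertWarnDays $CertWarnDays
if ($issues.Count -eq 0) {
    Write-Host "OK: $SubDomain is federated and $RootDomain remains managed."
} else {
    $issues | ForEach-Object { Write-Warning $_ }
}
```

Run it once per federated subdomain (the Classic and the OIE tenancy each get their own). Besides confirming the authentication types, the two values to review are the certificate expiry, since a lapsed IdP signing certificate locks every user on that subdomain out, and FederatedIdpMfaBehavior, which decides whether Entra trusts an MFA claim asserted by Okta or requires its own; make sure that setting matches the Conditional Access policy you expect to apply.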

What doesn't work

The old trick of using New-MsolDomain -Name subdomain.example.com -Authentication federated doesn't work anymore, and results in the error New-MsolDomain : Unable to add this domain. It is a subdomain and its authentication type is different from the authentication type of the root domain.

Using New-MgDomain -Id "subdomain.example.com" -AuthenticationType "Federated" results in the error New-MgDomain_CreateExpanded: Creation of federated domain is not allowed.

Using New-MSOLFederatedDomain -DomainName subdomain.example.com results in Azure Cloud Shell crashing. Trying from a VM results in New-MSOLFederatedDomain : Failed to connect to Active Directory Federation Services 2.0 on the local machine. Please try running Set-MsolADFSContext before running this command again.