Using an Entra subdomain for Federated authentication
In my lab environment, I was trying to set up Okta on a federated subdomain. Specifically, the root domain uses the standard Managed authentication with Entra ID, and I wanted an Okta Classic tenancy federated to one subdomain and an Okta OIE tenancy federated to a different subdomain.
In an Entra tenancy, giving a subdomain a different authentication type from its root is not a typical scenario, and there doesn't appear to be any way to configure it via the portal. Entra rejects a subdomain whose authentication type differs from its parent, so the trick is to promote the verified subdomain to a root domain first; a root domain's authentication type is independent of its former parent, and it can then be federated like any other root domain:
What works, as of August 2024:
Note: I'm doing this from Azure Cloud Shell, so I don't need to Import-Module Microsoft.Graph.Identity.DirectoryManagement.
# First, create the subdomain (a subdomain of an already-verified root is verified automatically)
Connect-MgGraph -Scopes Directory.AccessAsUser.All
New-EntraDomain -Name subdomain.example.com
# Then promote the subdomain to a root domain, so its authentication type no longer has to match the parent.
# Either the cmdlet below, OR (from Graph Explorer or similar) POST an empty body to https://graph.microsoft.com/v1.0/domains/subdomain.example.com/promote
Invoke-MgPromoteDomain -DomainId subdomain.example.com
# Finally, configure the federation as per the Okta-provided PowerShell snippet:
New-MgDomainFederationConfiguration -DomainId subdomain.example.com ...
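The same procedure end to end, with the checks I would want before handing a UPN suffix to an external identity provider. This is an added example, not the commands from the post or Okta's generated snippet: the domain names, the Okta URIs, the issuer and the certificate are placeholders to be replaced with the values from your own Okta tenant's federation settings, and it uses New-MgDomain (which creates a Managed subdomain; only the -AuthenticationType Federated form is rejected) instead of New-EntraDomain so that everything comes from the Microsoft.Graph modules that Cloud Shell already has.

```powershell
# Added example: subdomain federation with the Microsoft Graph PowerShell SDK.
# Every domain name, URI, issuer and certificate below is a placeholder; take
# the real values from the federation settings Okta generates for your tenant.

$Root      = 'example.com'            # placeholder, must already be verified
$Subdomain = "okta-oie.$Root"         # placeholder

# Least privilege: Domain.ReadWrite.All covers create, promote and federation
# configuration, so the broader Directory.AccessAsUser.All is not needed.
Connect-MgGraph -Scopes 'Domain.ReadWrite.All' -NoWelcome

# 1. Create the subdomain (Managed). A subdomain of a verified root inherits
#    verification; promote requires that, so check it explicitly.
if (-not (Get-MgDomain -DomainId $Subdomain -ErrorAction SilentlyContinue)) {
    New-MgDomain -Id $Subdomain | Out-Null
}
$d = Get-MgDomain -DomainId $Subdomain
if (-not $d.IsVerified) { throw "$Subdomain is not verified; verify $Root first." }

# 2. Promote the subdomain to a root domain so its authentication type is no
#    longer tied to the parent. Equivalent REST call, if you prefer it:
#    Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/domains/$Subdomain/promote"
if (-not $d.IsRoot) {
    Invoke-MgPromoteDomain -DomainId $Subdomain
    $d = Get-MgDomain -DomainId $Subdomain
    if (-not $d.IsRoot) { throw "Promote did not take effect for $Subdomain." }
}

# 3. Federation settings (WS-Fed, as Okta's Office 365 integration uses).
#    SigningCertificate is the base64 DER of Okta's token-signing certificate,
#    without PEM header/footer lines.
$OktaApp = 'exkPLACEHOLDER'                       # placeholder app id
$OktaOrg = 'https://example.okta.com'             # placeholder org URL
$fed = @{
    DomainId                        = $Subdomain
    DisplayName                     = 'Okta OIE'
    IssuerUri                       = "http://www.okta.com/$OktaApp"
    PassiveSignInUri                = "$OktaOrg/app/office365/$OktaApp/sso/wsfed/passive"
    ActiveSignInUri                 = "$OktaOrg/app/office365/$OktaApp/sso/wsfed/active"
    MetadataExchangeUri             = "$OktaOrg/app/office365/$OktaApp/sso/wsfed/mex"
    SignOutUri                      = "$OktaOrg/login/signout"
    SigningCertificate              = 'MIIC...base64DER...'   # placeholder
    PreferredAuthenticationProtocol = 'wsFed'
    # Decide deliberately whether an "MFA done" claim from Okta should satisfy
    # Conditional Access. This keeps MFA in Entra; change to
    # acceptIfMfaDoneByFederatedIdp only if you trust Okta's MFA for these users.
    FederatedIdpMfaBehavior         = 'rejectMfaByFederatedIdp'
}
New-MgDomainFederationConfiguration @fed | Out-Null

# 4. Verify what you just trusted. Whoever can change this configuration can
#    issue tokens for every user with this UPN suffix, so record the issuer and
#    the certificate thumbprint and compare them with what Okta displays.
$d    = Get-MgDomain -DomainId $Subdomain
$cfg  = Get-MgDomainFederationConfiguration -DomainId $Subdomain
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
            [Convert]::FromBase64String($cfg.SigningCertificate))
if ($d.AuthenticationType -ne 'Federated') {
    throw "Expected Federated, got $($d.AuthenticationType)"
}
[pscustomobject]@{
    Domain      = $d.Id
    AuthType    = $d.AuthenticationType
    IsRoot      = $d.IsRoot
    IssuerUri   = $cfg.IssuerUri
    Thumbprint  = $cert.Thumbprint
    NotAfter    = $cert.NotAfter
    MfaBehavior = $cfg.FederatedIdpMfaBehavior
}
```

The verification step is the part worth keeping around after the change: a federated domain is a trust boundary, and re-running step 4 periodically (or alerting on federation changes for the domain in the Entra audit log) is how you notice if the issuer or signing certificate has been repointed by someone else with Domain.ReadWrite.All.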
What doesn't work
The old trick of using New-MsolDomain -Name subdomain.example.com -Authentication federated
doesn't work anymore; it results in the error New-MsolDomain : Unable to add this domain. It is a subdomain and its authentication type is different from the authentication type of the root domain.
Using New-MgDomain -Id "subdomain.example.com" -AuthenticationType "Federated"
results in the error New-MgDomain_CreateExpanded: Creation of federated domain is not allowed.
Using New-MSOLFederatedDomain -DomainName subdomain.example.com
results in Azure Cloud Shell crashing. Trying from a VM results in New-MSOLFederatedDomain : Failed to connect to Active Directory Federation Services 2.0 on the local machine. Please try running Set-MsolADFSContext before running this command again. That cmdlet is built around a local AD FS farm, which is not what an Okta federation needs.