Adding a subdomain to Entra ID, but it gets set automatically as federated.


I have a customer that is trying to add a subdomain (subdomain.contoso.com) to Entra ID for cloud-only user accounts. Currently they have the root domain (contoso.com) syncing from on-prem AD, and it is federated, but this subdomain should not be tied back to that domain.

I have tried these scripts, with only errors.

 

# Attempt 1: MSOnline module, set the subdomain's authentication type directly
Set-MsolDomainAuthentication -DomainName subdomain.domain.edu -Authentication Managed

***********

# Attempt 2: AzureAD module, register the subdomain
Connect-AzureAD

New-AzureADDomain -Name subdomain.domain.edu

# Attempt 3: Microsoft Graph PowerShell, try to make the subdomain a root domain
Connect-MgGraph -Scopes Domain.ReadWrite.All

Update-MgDomain -DomainId subdomain.domain.edu -BodyParameter @{isRoot=$true}

ERROR - Update-MgDomain : isRoot property is read-only.

***********

Any assistance with this would be appreciated.

The authentication method is tied to the parent domain. Read here: https://www.enowsoftware.com/solutions-engine/azure-active-directory-center/using-selective-authenti...

Using the New-MsolDomain cmdlet should help here (you might have to specify -Authentication). AFAIK it's not deprecated just yet, at least the corresponding support article is still up: https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/new-msoldomain-cmdle-add-subdo...

@Kidd_Ip 

I tried this before, and this was the error I received.


Update-MgDomain : Domain operation is not allowed.
At line:1 char:1
+ Update-MgDomain -DomainId "subdomain.domain.edu" -BodyParameter @{Authen ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: ({ DomainId = re...tGraphDomain1 }:<>f__AnonymousType90`2) [Update-MgDomain_Update1], RestException`1
    + FullyQualifiedErrorId : Request_BadRequest,Microsoft.Graph.PowerShell.Cmdlets.UpdateMgDomain_Update1

As I stated, this has been resolved after using the information from this link: https://learn.microsoft.com/en-us/graph/api/domain-promote?view=graph-rest-1.0&tabs=http
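Pulling the thread together, the sequence that works is: register the subdomain, verify it, promote it to its own root domain with the Graph "promote" action, and only then switch its authentication type. The block below is an added example written for this page, not code from any of the posters. It assumes the Microsoft.Graph PowerShell SDK is installed, that the caller is a Global Administrator, and it reuses the contoso.com names from the question; the TXT record must be published at the DNS provider before the verification step. The MSOnline and AzureAD modules tried in the question are deprecated in favour of Microsoft Graph PowerShell, which is why this example uses Graph throughout.

```powershell
# Added example, not from the original thread. Assumes: Microsoft.Graph SDK installed,
# a Global Administrator signing in, and the domain names from the question.
$Parent = 'contoso.com'            # federated root, synced from on-prem AD
$Sub    = 'subdomain.contoso.com'  # to become a managed, cloud-only domain

# Directory.AccessAsUser.All is required to change authenticationType in a delegated session.
Connect-MgGraph -Scopes 'Domain.ReadWrite.All', 'Directory.AccessAsUser.All'

# 1. Register the subdomain if it is not there yet. A new subdomain inherits the parent's
#    authentication type, which is why it shows up as Federated.
if (-not (Get-MgDomain -DomainId $Sub -ErrorAction SilentlyContinue)) {
    New-MgDomain -Id $Sub | Out-Null
}

# 2. Show the TXT record Entra ID expects under the subdomain. Publish it at your DNS
#    provider (out of scope here) before continuing.
Get-MgDomainVerificationDnsRecord -DomainId $Sub |
    Where-Object { $_.RecordType -eq 'Txt' } |
    Format-List Label, Ttl, AdditionalProperties

# 3. Verify once DNS has propagated. Promotion requires isVerified = true.
$d = Get-MgDomain -DomainId $Sub
if (-not $d.IsVerified) {
    Confirm-MgDomain -DomainId $Sub | Out-Null
}

# 4. Promote the verified subdomain to a root domain (POST /domains/{id}/promote).
#    isRoot is read-only, so this action is the only way to detach it from $Parent.
#    Invoke-MgPromoteDomain -DomainId $Sub is the SDK wrapper for the same REST call.
Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/domains/$Sub/promote" | Out-Null

# 5. Now that it no longer inherits from the parent, switch it to Managed.
Update-MgDomain -DomainId $Sub -BodyParameter @{ authenticationType = 'Managed' }

# 6. Confirm the outcome: the subdomain is Root + Managed, the parent is still Federated.
$Sub, $Parent |
    ForEach-Object { Get-MgDomain -DomainId $_ } |
    Format-Table Id, IsRoot, IsVerified, AuthenticationType
```

Two checks worth doing before step 4: make sure no users have already been created with UPNs in the subdomain while it was still federated (they would be moved from federated to managed authentication when the type flips, and cloud passwords would need to be set), and confirm in the final table that contoso.com is unchanged, since the promote action must not alter the parent's federation.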