Jun 10 2022 03:12 AM
Hi, folks.
This is a quick article intended to provide some more granularity on a specific topic relating to the Microsoft Docs article that outlines how to convert an Azure child domain from Federated (which is inherited from its parent domain) to Managed.
The Microsoft Docs reference article
The original problems with the Docs article
These problems relate specifically to the step immediately below the Change subdomain to a root domain heading, which is a POST request ending in "/promote".
Issue 2 is the reason I'm putting this additional information out here, though hopefully the official article will be updated so that it's actually navigable by the people most likely to read it.
Rather than repeating the details around issue 1, here's a link to the GitHub issue that provides the detail as well as screenshots.
All Microsoft gives you is the following abstract guidance relating to the /promote step. There's no guidance at all on how to authenticate or how to action the POST.
Given that the intended audience is likely more familiar with Microsoft's various suites of PowerShell modules, dealing natively with REST calls doesn't come naturally. This article aims to fill those gaps (hopefully only temporarily).
The steps below were actioned under Windows PowerShell 5.1 while authenticating against Azure AD using an account with Global Administrator membership.
You can install the Az.Accounts module for just yourself or per device - it doesn't affect the following steps.
For yourself
Install-Module -Name Az.Accounts -Force;
For the device (aka all users)
(You will need to be running in an elevated PowerShell session for this to work)
Install-Module -Name Az.Accounts -Scope AllUsers -Force;
For reference, here's my list of domains, where the parent domain is underlined in green and the child I want to change is underlined in red (noting it's now showing as Managed where it was set to Federated prior.)
Now, onto the detail around the /promote step.
Most of these steps are basic, so I'll bunch up the commands to save space.
Here, we are simply authenticating to Azure AD and fetching a token for the graph.windows.net (Azure AD Graph) endpoint - not the more recent graph.microsoft.com (Microsoft Graph) endpoint!
Connect-AzAccount -Tenant mytenant.onmicrosoft.com;
$AadToken = (Get-AzAccessToken -ResourceUri 'https://graph.windows.net').Token;
Now we are ready to action the vague POST reference from the Docs article.
# Invoke-RestMethod -Method Post -Headers @{Authorization="Bearer $($AadToken)"; "Content-Type"="application/json"} -Uri 'https://graph.windows.net/{your Tenant GUID goes here}/domains/{your child domain name goes here}/promote?api-version=1.6'
# For example:
Invoke-RestMethod -Method Post -Headers @{Authorization="Bearer $($AadToken)"; "Content-Type"="application/json"} -Uri 'https://graph.windows.net/e1e1000e-2fd9-4915-b086-b123ffa4321a/domains/child.mydomain.com/promote?api-version=1.6'
Obviously, you need to use your own tenant GUID and child domain references in that command.
The two key components here that do not feature in the Docs article are:
If you forget to include either, you will run into errors - as outlined in the GitHub issue linked above - and your child domain will not promote.
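As an added example (not from the original post or the Docs article), here is the same /promote call wrapped in a function that reads the domain object first, refuses to continue if the domain isn't verified, supports -WhatIf, surfaces the Graph error body on failure, and re-reads the domain afterwards so you can see the isRoot and authenticationType values change. The property names isVerified, isRoot and authenticationType are assumed from the Azure AD Graph domain entity; the function name and parameters are my own.

```powershell
function Invoke-ChildDomainPromotion {
    # Assumed helper (not from the Docs article): promote an Azure AD child domain to root
    # via the Azure AD Graph /promote action, with a before/after check around it.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $TenantId,     # tenant GUID
        [Parameter(Mandatory)] [string] $ChildDomain,  # e.g. child.mydomain.com
        [Parameter(Mandatory)] [string] $AadToken      # token for https://graph.windows.net
    )

    # Both pieces the Docs article omits: the Content-Type header and api-version=1.6.
    $headers = @{ Authorization = "Bearer $AadToken"; 'Content-Type' = 'application/json' }
    $base    = "https://graph.windows.net/$TenantId/domains/$ChildDomain"

    # Inspect the domain before changing anything (property names assumed from the AAD Graph domain entity).
    $before = Invoke-RestMethod -Method Get -Headers $headers -Uri "${base}?api-version=1.6"
    if (-not $before.isVerified) { throw "Domain $ChildDomain is not verified; refusing to promote." }
    if ($before.isRoot) { Write-Warning "$ChildDomain is already a root domain."; return $before }
    Write-Verbose "Before: isRoot=$($before.isRoot) authenticationType=$($before.authenticationType)"

    if ($PSCmdlet.ShouldProcess($ChildDomain, 'Promote child domain to root')) {
        try {
            Invoke-RestMethod -Method Post -Headers $headers -Uri "${base}/promote?api-version=1.6" | Out-Null
        }
        catch {
            # The useful detail (e.g. a missing header or api-version) is in the response body.
            $detail = $_.Exception.Message
            if ($_.Exception.Response) {
                $reader = New-Object System.IO.StreamReader($_.Exception.Response.GetResponseStream())
                $detail += "`n" + $reader.ReadToEnd()
            }
            throw "Promote of $ChildDomain failed: $detail"
        }
    }

    # Re-read so the caller can confirm isRoot (and, as observed in this post, authenticationType) changed.
    $after = Invoke-RestMethod -Method Get -Headers $headers -Uri "${base}?api-version=1.6"
    Write-Verbose "After:  isRoot=$($after.isRoot) authenticationType=$($after.authenticationType)"
    return $after
}

# Usage (placeholder values; run Connect-AzAccount first as shown above):
# $AadToken = (Get-AzAccessToken -ResourceUri 'https://graph.windows.net').Token
# Invoke-ChildDomainPromotion -TenantId '<your tenant GUID>' -ChildDomain 'child.mydomain.com' -AadToken $AadToken -Verbose -WhatIf
```

Run it with -WhatIf first to confirm the pre-checks pass, then without it to perform the promotion.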
A successful promotion looks something like this:
If you receive this response then you can continue with the remaining steps from the Docs article - I won't go into detail other than to include a screenshot of them as confirmation they do work as described - sort of.
I say "sort of" because after the step above, my child domain changed from Federated to Managed, meaning the Set-MsolDomainAuthentication step wasn't necessary.
Still, here's the "official" process showing the Set-MsolDomainAuthentication step:
And finally, you can now use this child domain freely with Azure AD when creating new, Azure AD-native accounts.
Hopefully this helps until the Docs article is improved upon.
Cheers,
Lain