Microsoft Azure AD Mailbag: Hybrid Identity and ADFS
Hey there, this is Ramiro Calderon from the Azure AD Customer Success Team. Remember us? We took a brief hiatus (sorry about that) but now we are back! I wanted to write up some answers to common AD FS questions we get in the context of hybrid identity with Azure AD. Let’s get into it.
I have multiple root domains in my on-premises environment and child domains on each of them (contoso.com, sales.contoso.com, fabrikam.com and procurement.fabrikam.com). How do I set the AD FS issuance rules for Azure AD?
You can do this in three steps:
1. Register Root Domains First (contoso.com and fabrikam.com), so you share the federation configuration with all subdomains
2. If you have multiple root domains, you must use the –SupportsMultipleDomains when configuring the rules. This will create the base ADFS rules that generate the issuer claim
3. We are not done quite yet. Now, we have to make sure the child domains get the issuer consistent with the configuration above. All child domains on *.contoso.com should have the issuer of http://contoso.com/adfs/services/trust and all child domains on *.fabrikam.com have to have the issuer of http://fabrikam.com/adfs/services/trust. Replace the default rule generated for the issuer claim and replace it with custom rules (one for each root domain, as shown below).
Read the entire article here, #Azure AD Mailbag: Hybrid Identity and ADFS
via the fine folks at Microsoft.