Promoting a Federated Subdomain to Root: Potential Consequences

Vladimir Doroginin, 2025-02-01T09:37:59+00:00

Current Setup:

We have an Entra ID tenant with an external primary domain (contoso.com) and its subdomain (sub.contoso.com).

Both domains are federated using a third-party Identity Provider (Opentext IAM) for Single Sign-On (SSO). As a result, when users attempt to authenticate with user@contoso.com or user@sub.contoso.com, they are redirected to the organization's SSO portal for authentication.

Objective:

We want to separate the federation settings for these domains, such that:

  • Users from sub.contoso.com continue to be redirected to the SSO portal when signing into Microsoft services.
  • Users from contoso.com authenticate directly through Entra ID when accessing Office 365, bypassing the third-party SSO provider.

Challenge:

According to Microsoft documentation, a subdomain cannot be federated unless the root domain is also federated. This is why both contoso.com and sub.contoso.com were federated together initially.

To split the authentication methods, we may need to promote sub.contoso.com to a root domain within Entra ID. This would allow us to:

  • Retain federation for sub.contoso.com.
  • Disable federation for contoso.com, so its users authenticate via Entra ID instead of the third-party SSO provider.

Questions:

Is promoting sub.contoso.com to a root domain and then disabling federation for contoso.com the correct approach to achieve this separation?

If we proceed with "unfederating" contoso.com and having its users authenticate through Entra ID instead of the third-party SSO provider, what are the potential consequences?

  • Could this disrupt existing authentication flows?
  • What impact could it have on Office 365 and other Microsoft services?
  • Are there any additional configuration changes required to ensure a smooth transition?

Would appreciate any insights or considerations before implementing this change.

Tags: Microsoft Graph, Active Directory Federation Services, Microsoft Entra ID
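Before making the change the question describes (promoting sub.contoso.com to a root domain and converting contoso.com from federated to managed), a practitioner would first inventory what is about to change: which verified domains are root domains, which are federated and against which issuer, and which users sit on each UPN suffix. The script below is an added example and is not code from the original question or from any answer to it. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Authentication, Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Users), an account granted Domain.Read.All and User.Read.All, and uses the placeholder domain names from the question. The write steps at the end are shown commented out, and the cmdlet names used there are an assumption to verify against the current Graph PowerShell reference before running them.

```powershell
# Added example, not part of the original question or any answer to it.
# Pre-flight inventory to run BEFORE promoting sub.contoso.com to a root domain
# and converting contoso.com from Federated to Managed.
# Assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Authentication,
# Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Users) and a signed-in
# account granted Domain.Read.All and User.Read.All. Domain names are the placeholders
# from the question; replace them with the real ones.

$rootDomain = "contoso.com"
$subDomain  = "sub.contoso.com"

Connect-MgGraph -Scopes "Domain.Read.All", "User.Read.All" -NoWelcome

# 1. Every verified domain with its authentication type and root/subdomain status.
#    A domain listed with IsRoot = False is a subdomain that inherits its parent's
#    AuthenticationType, which is the coupling the promote step is meant to remove.
$domains = Get-MgDomain -All | Where-Object { $_.IsVerified }
$domains | Select-Object Id, AuthenticationType, IsRoot, IsDefault | Format-Table -AutoSize

# 2. Snapshot the federation settings of each federated domain (issuer, sign-in and
#    sign-out endpoints, MFA behaviour). Keep this output: it is what you compare
#    against after the change to confirm the subdomain still points at the IdP.
$fedSnapshot = foreach ($d in ($domains | Where-Object { $_.AuthenticationType -eq "Federated" })) {
    $fed = Get-MgDomainFederationConfiguration -DomainId $d.Id
    [pscustomobject]@{
        Domain                  = $d.Id
        IssuerUri               = $fed.IssuerUri
        PassiveSignInUri        = $fed.PassiveSignInUri
        SignOutUri              = $fed.SignOutUri
        FederatedIdpMfaBehavior = $fed.FederatedIdpMfaBehavior
    }
}
$fedSnapshot | Format-Table -AutoSize
$fedSnapshot | ConvertTo-Json -Depth 3 | Set-Content -Path ".\federation-before.json"

# 3. Who is affected. Users are grouped by UPN suffix; the ones on the root domain
#    will switch to cloud authentication, the ones on the subdomain must not.
$users = Get-MgUser -All -Property UserPrincipalName, AccountEnabled, OnPremisesSyncEnabled
$users |
    Group-Object { ($_.UserPrincipalName -split "@")[1].ToLowerInvariant() } |
    Select-Object @{ n = "UpnSuffix"; e = { $_.Name } }, Count |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

# 4. Of the users moving to cloud authentication, flag the ones that are not synced
#    from on-premises AD: with no password hash sync to rely on, they need an
#    Entra ID password set (or a reset flow) before the cutover, or they cannot sign in.
#    "*@contoso.com" does not match "user@sub.contoso.com", so subdomain users are excluded.
$moving        = $users | Where-Object { $_.UserPrincipalName -like "*@$rootDomain" }
$enabledMoving = @($moving | Where-Object { $_.AccountEnabled })
$cloudOnly     = @($enabledMoving | Where-Object { -not $_.OnPremisesSyncEnabled })
"{0} enabled users on {1} will move to cloud authentication; {2} of them are cloud-only." -f $enabledMoving.Count, $rootDomain, $cloudOnly.Count
$cloudOnly | Select-Object UserPrincipalName | Export-Csv -Path ".\needs-cloud-password.csv" -NoTypeInformation

# 5. The write steps themselves, deliberately commented out. The cmdlet names below are
#    an assumption to check against the current Graph PowerShell reference before use;
#    the promote call corresponds to the Graph action POST /domains/{id}/promote.
#   Connect-MgGraph -Scopes "Domain.ReadWrite.All"
#   Invoke-MgPromoteDomain -DomainId $subDomain
#   Update-MgDomain -DomainId $rootDomain -AuthenticationType "Managed"
```

The two files written (federation-before.json and needs-cloud-password.csv) are the evidence to keep for the change record: the first is diffed against a fresh Get-MgDomainFederationConfiguration after the promote step, the second is the list of accounts that will be locked out if contoso.com is converted before they have a usable Entra ID password.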