This article relates to our Simple Sign-On (SSO) solution.

When a domain is registered with Office 365, the service first checks whether a root domain already exists in the same tenancy. If one does, it sets a property on the child domain that references the root, and the child shares the root's authentication realm.

However, if the child domain is added before any root domain, this does not happen and the two domains will have independent authentication realms. You can see this property in PowerShell using the commands below:


# Child domain to inspect
$domain = "xxxxx"

$RootDomainOfChild = Get-MsolDomain -DomainName $domain

# Empty output means the child domain has no root domain reference
Write-Host $RootDomainOfChild.RootDomain
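
To run the same check across every domain in a tenancy, the added example below (not part of the original article or IAM Cloud tooling) flags child domains that have a parent registered in the tenancy but no RootDomain reference. The function name Find-IndependentChildDomain and the example.com sample data are assumptions made for illustration.

```powershell
# Added example: flag child domains that have a parent in the tenancy
# but no RootDomain reference (i.e. an independent authentication realm).
function Find-IndependentChildDomain {   # hypothetical helper name
    param(
        [Parameter(Mandatory)]
        [object[]]$Domains   # objects exposing Name, RootDomain, Authentication
    )

    $names = @($Domains | ForEach-Object { $_.Name.ToLowerInvariant() })

    foreach ($d in $Domains) {
        $name = $d.Name.ToLowerInvariant()

        # Every registered domain that is a strict DNS suffix of this one.
        $parents = @($names | Where-Object { $name.EndsWith(".$_") })
        if ($parents.Count -eq 0) { continue }   # not a child of anything here

        # Closest ancestor is the longest matching suffix.
        $closest = $parents | Sort-Object Length -Descending | Select-Object -First 1

        # A parent exists in the tenancy, yet the child does not reference it.
        if ([string]::IsNullOrEmpty($d.RootDomain)) {
            [pscustomobject]@{
                ChildDomain    = $d.Name
                ParentInTenant = $closest
                Authentication = $d.Authentication
            }
        }
    }
}

# Constructed sample data (placeholder names, not from a real tenancy).
$sample = @(
    [pscustomobject]@{ Name = 'example.com';       RootDomain = $null;         Authentication = 'Federated' }
    [pscustomobject]@{ Name = 'staff.example.com'; RootDomain = 'example.com'; Authentication = 'Federated' }
    [pscustomobject]@{ Name = 'lab.example.com';   RootDomain = $null;         Authentication = 'Managed' }
)
Find-IndependentChildDomain -Domains $sample | Format-Table -AutoSize

# Against a live tenancy (after Connect-MsolService):
# Find-IndependentChildDomain -Domains (Get-MsolDomain)
```

Any domain the function returns is one that was added before its root and will need the manual configuration change described in this article.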


Currently, when authenticating to Office 365 via IAM Cloud, if there is a child domain that is not part of the root domain, we will need to make a manual configuration change.

Please contact for assistance, or if you have any questions.