When registering a domain with office 365, it checks if there is a root domain available in the same office 365. If there is, then it sets a property on the child domain referencing the root and it will share the same authentication realm.
If the child domain is added before any root domain then this does not happen and they will have independent authentication realms. You can see this property in PowerShell using the commands below
$domain = “xxxxx”
$RootDomainOfChild = Get-MsolDomain -DomainName $domain
Currently, when authenticating to IAM Cloud if there is a child domain that is not part of the root domain then we will need to make a manual configuration change. For such an instance Please log a support ticket and a Support Engineer will assist you immediately.