Creation of account in AAD if domain is federated allowed?

AzureAddict 26 Reputation points
2020-08-13T08:54:16.043+00:00

Hello all

I have global admin in AAD but I can't see the domain name I want in the drop-down when I create a new user. I checked custom domains and I can see the domain I want to use is verified. It is federated and perhaps this is the issue? I must admit I've never had to create a new account using a federated domain before, and it looks like the issue is that I can't do this using the Azure portal. I could ask our external client to do this but I want to refrain from doing this until I check that I have exhausted all options first, to avoid our external client coming back with "why can't you use the portal to create the new account as I gave you global admin".

I do not have access to the on-prem servers at present, only the Azure portal and this is why I need to check in case they come back and ask.

One more question. Can I reset my password using the portal, for the same domain name which is federated? Our client asked us to change it but looking at the audit no one has, and I think it is related?

Below is what I read on the portal if the domain name is not visible in the new account creation process.

Troubleshooting
If the domain name you need is not available in the list on the create a new user page, there are three potential solutions.

  1. An administrator needs to verify your custom domain name in Azure AD. Before a user name can be assigned that includes a custom domain name, an administrator must add the domain name in your Azure AD and verify that your organization owns that custom domain name.
  2. Add users in federated domains using Azure AD Connect sync. If a custom domain name has been configured for federated sign-in with Azure AD, a user can be added in that domain only using Azure AD Connect sync. A user cannot be created with a federated domain name in the Azure AD administration portal. (Learn about federated sign-in with AD FS)
  3. Invite users from external organizations as guests in your Azure AD. If you need to add a user from an external organization, such as a business partner that owns its own custom domain name, you can invite that user to collaborate as a guest in your Azure AD. (Learn about guests in Azure AD)

Accepted answer
Andy David - MVP, 147.3K Reputation points
    2020-08-13T11:35:09.567+00:00

    Correct. If it's a federated domain, then you create the user on-prem and that user is synced to Azure via AADConnect.

    If you want to change the password for a federated domain, then SSPR needs to be enabled and writeback configured on-prem using AADConnect:
    https://video2.skills-academy.com/en-us/azure/active-directory/authentication/concept-sspr-writeback

    You can check the current signin settings for Azure following:
    https://video2.skills-academy.com/en-us/azure/active-directory/hybrid/plan-migrate-adfs-password-hash-sync#verify-current-user-sign-in-settings

    This will show what domains are federated.

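The accepted answer points at a doc page for checking which domains are federated. The script below is an added example, not code from the answer above, from the portal's troubleshooting text, or from Microsoft's linked article (which uses the older MSOnline cmdlets); it does the same check with the Microsoft Graph PowerShell SDK and goes one step further than the thread: for every verified domain it states whether a new user can be created in the portal (Managed) or must be created in on-prem AD and synced by Azure AD Connect (Federated), shows the federation endpoint for federated domains, checks whether an existing account actually came from sync (which is also why a password change for it must happen on-prem or via SSPR writeback), and shows the guest-invite route the portal offers as the third option. It assumes the Microsoft.Graph modules are installed and that the signed-in admin can consent to the listed scopes; `client.example` and the UPNs are placeholders.

```powershell
# Added example (not from the original thread). Assumes the Microsoft.Graph PowerShell SDK
# is installed; domain names and UPNs below are placeholders, not the asker's tenant.
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.SignIns

# Global Reader is enough for the read-only parts; User.Invite.All is only needed for New-MgInvitation.
Connect-MgGraph -Scopes 'Domain.Read.All', 'User.Read.All', 'User.Invite.All' -NoWelcome

function Get-DomainProvisioningPath {
    # One row per verified domain. AuthenticationType is 'Managed' or 'Federated';
    # only Managed domains accept users created in the portal or via Graph.
    Get-MgDomain | Where-Object { $_.IsVerified } | ForEach-Object {
        $path = if ($_.AuthenticationType -eq 'Federated') {
            'Create in on-prem AD; Azure AD Connect syncs it to the tenant'
        } else {
            'Create directly in the Azure portal or via Graph'
        }
        [pscustomobject]@{
            Domain             = $_.Id
            AuthenticationType = $_.AuthenticationType
            IsDefault          = $_.IsDefault
            HowToCreateUsers   = $path
        }
    }
}

function Get-FederationDetail {
    param([Parameter(Mandatory)][string]$DomainId)
    # For a federated domain, show which IdP (e.g. AD FS) actually authenticates sign-ins.
    Get-MgDomainFederationConfiguration -DomainId $DomainId |
        Select-Object IssuerUri, PassiveSignInUri, SignOutUri, FederatedIdpMfaBehavior
}

function Test-UserIsSynced {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    # Accounts that came through AADConnect have onPremisesSyncEnabled = true and an
    # onPremisesImmutableId; their password is authoritative in on-prem AD, so a cloud-side
    # reset needs SSPR with password writeback configured in AADConnect.
    $u = Get-MgUser -UserId $UserPrincipalName `
        -Property 'userPrincipalName','onPremisesSyncEnabled','onPremisesImmutableId','onPremisesLastSyncDateTime'
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        SyncedFromOnPrem  = [bool]$u.OnPremisesSyncEnabled
        ImmutableId       = $u.OnPremisesImmutableId
        LastSync          = $u.OnPremisesLastSyncDateTime
    }
}

function Invoke-GuestInvite {
    param(
        [Parameter(Mandatory)][string]$EmailAddress,
        [string]$DisplayName = $EmailAddress
    )
    # Third option from the portal's troubleshooting list: a B2B guest object in this tenant
    # whose sign-in is handled by the partner's own directory, so no federated UPN is needed.
    New-MgInvitation -InvitedUserEmailAddress $EmailAddress `
        -InvitedUserDisplayName $DisplayName `
        -InviteRedirectUrl 'https://myapps.microsoft.com' `
        -SendInvitationMessage:$true
}

# Usage (placeholders):
Get-DomainProvisioningPath | Format-Table -AutoSize
Get-DomainProvisioningPath | Where-Object AuthenticationType -eq 'Federated' |
    ForEach-Object { Get-FederationDetail -DomainId $_.Domain }
Test-UserIsSynced -UserPrincipalName 'someone@client.example'
# Invoke-GuestInvite -EmailAddress 'partner@client.example'   # uncomment to actually send
```

If `Get-DomainProvisioningPath` lists the missing domain as `Federated`, that alone explains why it is absent from the portal's drop-down: the tenant is not authoritative for that namespace, and a global admin role in the cloud does not change that. The same output also answers the password question in the thread, since a synced user (`SyncedFromOnPrem = True`) cannot have its password reset from the portal unless writeback is in place.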

1 additional answer

AzureAddict 26 Reputation points
    2020-08-14T12:44:22.033+00:00

    Thank you so much AD-7937.

    I just wanted to make absolutely certain, because our external client has actually come back asking me, as a Global Admin in AAD, to create it, and I work for another company and we are trying to support their environment as they are a client.

    We do not have any access to this external client's on-premises stuff, so they will need to do it, and now that you have verified this I am happy to tell them why.

    Many thanks.
