I recently came across a problem in a customer tenant regarding sign-in for sub-domain users.
ADFS is enabled, and sign-in for regular users whose UPN is in the primary domain works as expected. When a user with a UPN in a sub-domain tries to sign in, the following error message appears in the browser (my apologies for the Norwegian text):
AADSTS50107: Requested federation realm object '{Email hidden}' does not exist.
The solution involves editing a regular expression in an ADFS claim rule that builds the IssuerUri (the issuerid claim) from the user's UPN. It is described in this article on TechNet and boils down to changing a regex value.
This is how I did it:
In the AD FS Console:
- Go to Trust Relationships\Relying Party Trusts
- Right-click on "Microsoft Office 365 Identity Platform" and choose "Edit Claim Rules…"
- In the "Issuance Transform Rules" tab, highlight "Issue issuerid when it is not a computer account", then choose "Edit Rule…"
- Take a copy of the existing rule as a backup, then change the rule to this value:
c:[Type == "http://schemas.xmlsoap.org/claims/UPN"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = regexreplace(c.Value, "^((.*)([.|@]))?(?<domain>[^.]*[.].*)$", "http://${domain}/adfs/services/trust/"));
I found that replacing the entire expression with the one listed above solved the situation immediately, letting the sub-domain users sign in as they were supposed to.
Be aware that this approach could break other things in the ADFS service, so keep a backup of your existing settings that you can restore if anything goes wrong.
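To see what the rule will emit before touching a production trust, here is an added Python check (not code from the original post or from the TechNet article) that runs the same regex over a few constructed UPNs. It translates the .NET named-group syntax to Python's and assumes regexreplace() behaves like .NET Regex.Replace, returning the input unchanged when nothing matches.

```python
import re

# The claim rule's .NET regex, translated to Python syntax. Assumption: the only
# differences are the named-group token (?<domain> -> (?P<domain> and the
# replacement token ${domain} -> \g<domain>; matching semantics are the same.
ADFS_PATTERN = r"^((.*)([.|@]))?(?P<domain>[^.]*[.].*)$"
ISSUER_TEMPLATE = r"http://\g<domain>/adfs/services/trust/"


def issuer_uri(upn: str) -> str:
    """Return the issuerid value the rule would emit for a UPN.

    Assumption: regexreplace() behaves like .NET Regex.Replace, so a UPN the
    pattern does not match is passed through unchanged.
    """
    return re.sub(ADFS_PATTERN, ISSUER_TEMPLATE, upn)


def captured_domain(upn: str):
    """Return what the <domain> group captures, or None if the rule would not match."""
    m = re.match(ADFS_PATTERN, upn)
    return m.group("domain") if m else None


# Constructed sample UPNs (not real accounts) covering the cases that matter:
# primary domain, one and two sub-domain levels, a dot in the local part,
# a two-label public suffix, and a domain with no dot at all.
SAMPLE_UPNS = [
    "alice@contoso.com",
    "bob@sales.contoso.com",
    "first.last@eu.sales.contoso.com",
    "dave@contoso.co.uk",
    "erin@contoso",
]


def issuer_table(upns=SAMPLE_UPNS) -> dict:
    """Map each UPN to the issuerid the rule would produce."""
    return {upn: issuer_uri(upn) for upn in upns}


if __name__ == "__main__":
    for upn, issuer in issuer_table().items():
        print(f"{upn:35} -> {issuer}")
    # The greedy (.*) backtracks until <domain> holds exactly the last two
    # labels, so every sub-domain collapses to the registered domain; a
    # two-label suffix such as co.uk therefore collapses too far, and a UPN
    # whose domain has no dot does not match and is passed through as-is.
```

The co.uk and dot-less rows are the ones to compare against the IssuerUri values your federated domains are actually registered with before applying the rule.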