- Type: Bug
- Resolution: Invalid
- Priority: Low
- Component/s: Domain Verification - Initial Setup
- None
- Severity 2 - Major
Issue Summary
When a domain was previously verified using the DNS or HTTPS approaches, it can also be verified automatically when setting up the Azure AD for nested groups integration.
In that scenario, the domain will show up twice in the Domains screen:
- One entry indicating that it was verified from Azure: AZURE AD
- Another entry indicating the method that was used previously: DNS record or HTTPS file
However, the reverse does not work. If a domain was previously verified via AZURE AD, it can't be verified using the other methods. The following pop-up, with an error message that is not very clear, appears when trying to add the domain:

Steps to Reproduce
- Verify a domain via Azure AD for nested groups integration.
- Try to add the same domain in the Domains screen.
Expected Results
It should be possible to verify the domain using another verification method. One use case for this is switching from Azure AD for nested groups to SCIM.
During this process, it would be ideal to retain the domain ownership before disconnecting the Microsoft account and removing the current configuration.
Without being able to verify the domain using other methods, it's not possible to smoothly swap Managed Users from one authentication policy to another, disrupting the SSO authentication flow.
Actual Results
The domain can't be verified via DNS and HTTPS until it is completely removed from the Azure AD for nested groups integration.
Workaround
If there are multiple domains verified by the integration, it's possible to remove the domains from it one at a time and move the users to the new identity provider directory in phases.