Today I found that the multi-domain support ADFS claim rule generated by AAD Connect (version 1.1.486.0, April 2017) causes problems in some cases. The rule configured by AAD Connect is as follows:
c1:[Type == "http://schemas.xmlsoap.org/claims/UPN"] && c2:[Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", Value == "User"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = regexreplace(c1.Value, "^((.*)([.|@]))?(?<domain>[^.]*[.].*)$", "http://${domain}/adfs/services/trust/"));
This does not work in every case, because in my situation it groups the domain incorrectly for some UPNs. The cause is the “.” character in the character class [.|@]: it triggers an unwanted domain grouping in some cases, especially when you use multiple sub-domains without the root domain registered in Azure AD.
Examples that work well:
user@domain.com –> Domain group = domain.com
test.user@domain.com –> Domain group = domain.com
Examples that don’t work well:
user@subA.domain.com –> Domain group = domain.com, correct domain group should be = subA.domain.com
test.user@subB.domain.com –> Domain group = domain.com, correct domain group should be = subB.domain.com
The solution is quite easy: only two characters, the “.|” inside the character class [.|@] of the regex pattern below, need to be removed from the claim rule:
^((.*)([.|@]))?(?<domain>[^.]*[.].*)$
The complete claim rule is now as follows:
c1:[Type == "http://schemas.xmlsoap.org/claims/UPN"] && c2:[Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", Value == "User"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = regexreplace(c1.Value, "^((.*)([@]))?(?<domain>[^.]*[.].*)$", "http://${domain}/adfs/services/trust/"));
Now every example results in the correct domain group, which can be used to generate the correct issuerID.
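To see why the two patterns behave differently, here is an added example (not part of the original post or of AAD Connect) that runs both regexreplace() patterns over the UPNs from the post plus one constructed deeper sub-domain. The .NET named group (?<domain>...) is written as Python's (?P<domain>...) and the ${domain} reference as \g<domain>; the UPNs and domains are constructed sample data.

```python
import re
from typing import Optional

# The two regexreplace() patterns from the claim rule, translated from .NET
# named-group syntax (?<domain>...) to Python's (?P<domain>...).
AADC_PATTERN = r"^((.*)([.|@]))?(?P<domain>[^.]*[.].*)$"  # as generated by AAD Connect
FIXED_PATTERN = r"^((.*)([@]))?(?P<domain>[^.]*[.].*)$"   # with ".|" removed

# ${domain} in the ADFS claim rule becomes \g<domain> in Python's re.sub().
ISSUER_TEMPLATE = r"http://\g<domain>/adfs/services/trust/"


def domain_group(upn: str, pattern: str) -> Optional[str]:
    """Return the text captured by the 'domain' group, or None if no match."""
    m = re.match(pattern, upn)
    return m.group("domain") if m else None


def issuer_id(upn: str, pattern: str = FIXED_PATTERN) -> Optional[str]:
    """Mimic regexreplace(c1.Value, pattern, "http://${domain}/adfs/services/trust/")."""
    if not re.match(pattern, upn):
        return None
    return re.sub(pattern, ISSUER_TEMPLATE, upn)


# Constructed sample UPNs mapped to the domain group that *should* be issued.
SAMPLES = {
    "user@domain.com": "domain.com",
    "test.user@domain.com": "domain.com",
    "user@subA.domain.com": "subA.domain.com",
    "test.user@subB.domain.com": "subB.domain.com",
    "first.last@deep.subC.domain.com": "deep.subC.domain.com",  # extra constructed case
}


def compare() -> dict:
    """For each sample UPN, return (domain grouped by the AAD Connect pattern, by the fixed one).

    The original pattern backtracks to the last '.' before a dotted remainder, so it
    always yields the bare root domain; the fixed pattern can only split on '@'.
    """
    return {upn: (domain_group(upn, AADC_PATTERN), domain_group(upn, FIXED_PATTERN))
            for upn in SAMPLES}


if __name__ == "__main__":
    for upn, (before, after) in compare().items():
        flag = "OK " if after == SAMPLES[upn] else "BAD"
        print(f"{flag} {upn:32} original={before!s:22} fixed={after}")
```

Running the block prints one line per UPN, showing that the original pattern collapses every sub-domain UPN to domain.com while the fixed pattern keeps the full sub-domain.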
Thank you very much. This tip saved my ass today