The difference between Managed and Federated Domain

Hi All,

In Entra ID there are fundamentally three different Identity Models

  • Cloud Identity (Cloud Only Accounts, created and authenticated entirely in Entra ID)
  • Synchronized Identity / Hybrid Identity (synchronized from on-premises Active Directory with Entra Connect Sync or Cloud Sync, with password hash sync or pass-through authentication)
  • Federated Identity (like Synchronized Identity, but authentication happens on the Federation Server; password hash sync is optional and only serves as a fallback. This requires a trust between Entra ID and the Federation Service)

Image Source: Choosing a sign-in model for Office 365

There is a whole decision tree for selecting the right Authentication Method

There are other identity types, but they are not relevant for this article

  • Guest Users
  • Managed (System/User) Identity
  • Service Principal / Entra Application

Managed Domain / Federated Domain

What's the difference between a Managed and a Federated Domain?

  • A Managed Domain means that the authentication happens in Entra ID (Cloud Identity / Synchronized Identity). This covers both password hash sync and pass-through authentication: with PTA the password is validated by an on-premises agent, but the user still signs in against login.microsoftonline.com and the domain still reports as Managed.
  • A Federated Domain means that Entra ID redirects the user to the Federation System (ADFS or any 3rd party solution like Okta or Ping), and the authentication happens there. Entra ID only consumes the token issued by the federation service.

How can you figure this out on your own Entra Tenant?

You can use the following Microsoft.Graph cmdlets. The AuthenticationType property of each domain is either Managed or Federated.

Connect-MgGraph -Scopes Domain.Read.All -NoWelcome
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Get-MgDomain 

Let's have a look at a specific Domain

Get-MgDomain -DomainId icewolf.ch | fl

Simple check

Did you know you can figure out the same thing with a simple web request? The getuserrealm.srf endpoint is unauthenticated, so this works for any domain, not only the ones in your own tenant. The NameSpaceType field in the JSON response is Managed, Federated or Unknown (domain not verified in any tenant); for a Federated domain the AuthURL field points at the sign-in endpoint of the federation service.

For instance the Domain "swisscom.com" is a Federated Domain

$Domain = "swisscom.com"
Invoke-RestMethod -URI "https://login.microsoftonline.com/getuserrealm.srf?login=user@$Domain&json=1" -Method "GET"

In comparison the Domain "icewolf.ch" is a Managed Domain

$Domain = "icewolf.ch"
Invoke-RestMethod -URI "https://login.microsoftonline.com/getuserrealm.srf?login=user@$Domain&json=1" -Method "GET"
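The following is an added example, not code from the original post and not part of Get-Mailprotection. It wraps both checks (the unauthenticated getuserrealm.srf request and the authenticated Get-MgDomain lookup) in functions and classifies the realm response. The function names, the parameter names and the example.com / example.org sample responses are my own assumptions; the sample responses are constructed so the classification can be tried without a network call.

```powershell
# Added example (not the post author's code, not part of Get-Mailprotection).
# Assumptions: Microsoft.Graph SDK installed for the Graph function; network
# access to login.microsoftonline.com for live lookups. Function and parameter
# names are assumptions; sample responses below are constructed.

function Get-DomainRealm {
    <#
      Unauthenticated check via getuserrealm.srf. The JSON answer carries
      NameSpaceType = Managed | Federated | Unknown (Unknown = the domain is
      not verified in any tenant). For Federated domains AuthURL is the
      sign-in endpoint of the federation service (ADFS, Okta, Ping, ...).
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Domain,
        # Optional pre-fetched response object, e.g. one of the constructed
        # samples below, so the function can be exercised offline
        [object]$Response
    )
    if ($null -eq $Response) {
        $Uri = "https://login.microsoftonline.com/getuserrealm.srf?login=user@$Domain&json=1"
        $Response = Invoke-RestMethod -Uri $Uri -Method Get
    }
    [PSCustomObject]@{
        Domain              = $Domain
        NameSpaceType       = $Response.NameSpaceType
        IsFederated         = ($Response.NameSpaceType -eq 'Federated')
        FederationBrandName = $Response.FederationBrandName
        AuthURL             = $Response.AuthURL   # $null for Managed domains
    }
}

function Get-DomainRealmFromGraph {
    <# Authenticated check for a domain in your own tenant (scope Domain.Read.All). #>
    param([Parameter(Mandatory)][string]$Domain)
    Import-Module Microsoft.Graph.Identity.DirectoryManagement
    if (-not (Get-MgContext)) {
        Connect-MgGraph -Scopes Domain.Read.All -NoWelcome
    }
    Get-MgDomain -DomainId $Domain |
        Select-Object Id, AuthenticationType, IsVerified, IsDefault
}

# Constructed sample responses: field names as returned by getuserrealm.srf,
# values made up. They let you run the classification without network access.
$SampleFederated = [PSCustomObject]@{
    NameSpaceType       = 'Federated'
    DomainName          = 'example.com'
    FederationBrandName = 'Example Corp'
    AuthURL             = 'https://adfs.example.com/adfs/ls/?username=user%40example.com&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline'
}
$SampleManaged = [PSCustomObject]@{
    NameSpaceType       = 'Managed'
    DomainName          = 'example.org'
    FederationBrandName = $null
}

# Offline demo on the constructed samples
Get-DomainRealm -Domain 'example.com' -Response $SampleFederated
Get-DomainRealm -Domain 'example.org' -Response $SampleManaged

# Live lookups for the two domains named in the post. No credentials are
# needed, which is exactly why this endpoint is useful for reconnaissance:
# anyone can learn whether a target federates and where its federation
# endpoint lives, so treat AuthURL as an internet-exposed attack surface.
foreach ($d in 'swisscom.com', 'icewolf.ch') {
    Get-DomainRealm -Domain $d | Format-Table -AutoSize
}
```

Use Get-DomainRealm for domains you do not own and Get-DomainRealmFromGraph for your own tenant; for a domain in your tenant, NameSpaceType from the first and AuthenticationType from the second should agree.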

Get-Mailprotection

I've added this information to the latest version of my Get-Mailprotection script

Get-Mailprotection -Domain <domain.tld>

Regards
Andres Bohren
