Office 365 provides various authentication options, such as cloud-IDs, Password Hash Synchronization or federated identities. Leaving out the specifics on how each of these options work, all of them are configured per domain. Whenever trying to access services in Office 365, the user is required to authenticate using its User Principal Name. For sake of simplicity, the general advise it to configure the UPN to match the email address which makes it less confusing for them.
The domain portion of the UPN is then used to “look up” how authentication should be performed. If regular cloud-IDs are used, Azure’s authentication platform will take care of authentication. If the domain is federated, the authentication platform will redirect the authentication request to whatever on-premises solution the customer has configured; mostly AD FS though.
Usually an organization will use the same authentication mechanism for all of its users. However, there are some use cases where it makes sense to use a different authentication types within a single tenant. If you happen to use different top-level domain names, this is a fairly trivial task to do. But what if you are using (multiple) sub-domains?
For more information, read my article over on ENow’s blog, in which I cover this scenario and explain what works and what not.