Issues Verifying Office 365 Domains


Just like buses, issues seem to come along in batches.  In the last few customer engagements there have been a few issues with adding custom DNS domains into Office 365.  Should this not be straight forward you say? Yes it should, but when we add in some deployment complexity and some interesting customer activities it leads to challenges….

The crux of the issues that I run into revolve around adding domains that were previously verified into other tenants.  The domains were not removed, and were still present and active in other tenants.  A domain can exist only in a single tenant at a given time.  If the domain validation process was completed in a tenant and never removed, that domain cannot be then added into another tenant. 

 

Domain Verification

To add a custom DNS domain into Office 365 it must be verified.  There is no way around this.  It is either added and verified as a managed domain or added and verified as a federated domain.  Either way ownership must be validated through the addition of DNS records to the external DNS zone.  If there were no validation process then everyone could add Microsoft.com to their tenant and the four riders of the apocalypse would ride over the horizon…..

We can use either a dummy MX record or a TXT record to verify domain ownership.  Either way the domain must be verified. 

We will see different errors if trying to add a managed domain compared to a federated domain.  let’s take a peek at an example of each.

 

Adding A Managed Domain Which Already Exists In Another Tenant

In the TailspintoysCanada tenant, let’s try to add a domain (tailspintoys.org) that was already verified as a managed domain in the TailspinOrg tenant.

These are the domains present in the TailspinOrg tenant.  There is the default MORD and also the tailspintoys.org domain. 

Domains Present In TailspinOrg Tenant

Switching to the TailspintoysCanada tenant let's check the domains present.  The tailspintoys.org domain is then added as a new domain. 

tailspintoys.org Domain Added To Different Tenant - Not It Is Unverified

What happens when we try to verify the domain?  In this case since there are no TXT records present in the external tailspintoys.org zone, Office 365 simply states that the required DNS records cannot be found. 

No DNS Records Created To Prove Domain Ownership - Confirm-MsolDomain : Domain verification failed.  The requested CNAME record was not found.  If you have recently updated your DNS settings for this domain, note that there may be a delay before this can be verified.

The verification fails as the required records are not present.  The following error is returned:

Confirm-MsolDomain : Domain verification failed.  The requested CNAME record was not found.  If you have recently updated your DNS settings for this domain, note that there may be a delay before this can be verified.

+ CategoryInfo          : OperationStopped: (:) [Confirm-MsolDomain], MicrosoftOnlineException
+ FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.DomainVerificationMissing
CnameException,Microsoft.Online.Administration.Automation.ConfirmDomain

If the DNS TXT record were to be added, then we will see a different error:

DNS Record Created To Prove Domain Ownership - Unable to verify this domain because it is used elsewhere in Office 365

In this case the DNS record check passed, but we were unable to add the domain since it is already verified by another tenant. 

Confirm-MsolDomain : Unable to verify this domain because it is used elsewhere in Office 365.  Remove the verified domain from the other service before adding it here.
At line:1 char:1
+ Confirm-MsolDomain -DomainName tailspintoys.org
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [Confirm-MsolDomain], MicrosoftOnlineException  + FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.DomainNameConflictExcepti
   on,Microsoft.Online.Administration.Automation.ConfirmDomain

 

Adding Federated Domain Which Already Exists In Another Tenant

In this example the subdomain emea.tailspintoys.ca was previously added to a separate tenant and verified.  When we then try to add it to the Tailspintoys.ca tenant, the validation fails with the error:

Microsoft.Online.Administration.Automation.DomainLiveNamespaceExistsException

The command issued to try and add the domain was:

New-MsolFederatedDomain -DomainName:emea.tailspintoys.ca

Adding Federated Domain Error - Microsoft.Online.Administration.Automation.DomainLiveNamespaceExistsException

OK – those are the errors that we might meet, how do we get into this situation?

 

How Can This Happen?

With the Consumerization of IT, it is now easier than ever for individual departments within a company to directly provision services.  Let’s say that a remote part of the IT department wants to leverage cloud services, so they create an Office 365 tenant.  They want to use the corporate branding and since they are listed with the DNS registrar, are able to create the DNS records to complete the  process. 

Afterwards the central IT department goes to create the “official” Office 365 tenant.  They find that their first choice of tenant name has been taken.  Then they also discover that they are unable to add the corporate domain to their tenant as it is already in use.   
Depending if the domain is set as managed of federated, then the central IT department will then see one of the errors above. 

Another scenario is when a domain is moved between different test tenants without properly removing it from the prior one. 

  

Next Steps

If you are unable to verify a domain name that you own, and that means you have access to the DNS registrar and DNS zone file etc., there are options to investigate the issue.  If you do not have the ability to prove domain ownership, that must be resolved before proceeding further. 

If you have Microsoft Premier support, contact your account team or Technical Account Manager directly to have them assist.  If you do not have Microsoft Premier support, then you will need to contact Office 365 support.

Office 365 tenant names are used on a first come first served basis. If you are unable to get your preferred tenant name, having a slightly different tenant name is unrelated to the DNS domain name issue noted above.  There is no block in adding a DNS domain to a tenant with a different name.  

Cheers,

Rhoderick

Comments (2)

  1. Mohit Bhardwaj says:

    Hi Rhoderick, your solution helped me a lot. Only thing i needed to do was:

    Confirm-MsolDomain -DomainName ".com" -IssuerUri "https://adfs./adfs/services/trust" -LogOffUri "https://adfs..com/adfs/ls" -PassiveLogOnUri "https://adfs..com/adfs/ls"

  2. CharlesM says:

    What’s a tenant? What is the downside of adding the TXT info to the DNS record?

Skip to main content