(Cloud) Tip of the Day: Verifying domains in Azure AD

Today’s Tip…

There are lots of scenarios and things to consider when using domains in Office 365, Azure, or Intune…

  • Domain must be internet routable
    Today, in order to use domains with Microsoft Online Services, they must be registered with a domain registrar.

  • Verify all domains you want to use
    You must verify each domain you want to use in Office 365, Intune, or Azure. This includes any sub-domains of a parent domain you have already verified. For example, if you have already verified contoso.com and you also want to use sales.contoso.com, then you will also need to verify sales.contoso.com.
  • Verifying sub-domains of already verified parent domain is automatic
    However, verification is easier with sub-domains. When you verify a parent domain, you have to prove ownership and add DNS records. Then, when you add and verify a sub-domain, you do not need to add any additional DNS records since you already verified the parent domain (assuming this is all completed within the same tenant). For example, when you verify contoso.com in contoso.onmicrosoft.com, then add sales.contoso.com and marketing.contoso.com in the tenant contoso.onmicrosoft.com, they will automatically be verified.
  • Verify sub-domains in different tenants
    You can't verify sub-domains in a different directory if the parent domain is already verified. As long as a parent domain is not verified in Azure AD, then you can verify sub-domains in different directories or tenants. For example…
    • You can verify sales.contoso.com in salescontoso.onmicrosoft.com and
    • You can verify marketing.contoso.com in marketingcontoso.onmicrosoft.com.
  • Sub-domains take on settings of parent domain
    Sub-domains take on the authentication settings of the parent domain only if the parent domain is verified first. So if you want to federate only a sub-domain and not the parent domain, verify the sub-domain first.
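
The ordering rules above can be checked against a rollout plan before anything is changed in a tenant. The following is an added example, not Microsoft code and not part of the original post: a small Python model of the rules as this post states them. The `Directory` class, `run_plan`, the result strings and the `hrcontoso.onmicrosoft.com` tenant are hypothetical, and treating "parent" as the nearest already-verified ancestor is an assumption.

```python
from dataclasses import dataclass, field

@dataclass
class Directory:
    """Constructed model of verified-domain state across tenants (not a Microsoft API)."""
    owner: dict = field(default_factory=dict)     # verified domain -> tenant
    inherits: dict = field(default_factory=dict)  # sub-domain -> parent it took settings from

    def verified_ancestor(self, domain):
        # Assumption: "parent" means the nearest ancestor that is already verified.
        labels = domain.split(".")
        for i in range(1, len(labels) - 1):
            parent = ".".join(labels[i:])
            if parent in self.owner:
                return parent
        return None

    def verify(self, domain, tenant):
        domain = domain.lower().rstrip(".")
        if domain in self.owner:
            return "blocked: already verified in " + self.owner[domain]
        parent = self.verified_ancestor(domain)
        if parent is None:
            # No verified parent anywhere: prove ownership with DNS records.
            self.owner[domain] = tenant
            return "dns-proof-required"
        if self.owner[parent] != tenant:
            return "blocked: parent %s is verified in %s" % (parent, self.owner[parent])
        # Same tenant as the verified parent: no extra DNS records, settings inherited.
        self.owner[domain] = tenant
        self.inherits[domain] = parent
        return "automatic: inherits authentication settings of " + parent

def run_plan(plan):
    """Apply (domain, tenant) verifications in order; return outcomes and final state."""
    d = Directory()
    return [d.verify(dom, tenant) for dom, tenant in plan], d

# Constructed plan: federate only sales.contoso.com, so it is verified before its parent.
PLAN = [
    ("sales.contoso.com", "contoso.onmicrosoft.com"),
    ("contoso.com", "contoso.onmicrosoft.com"),
    ("marketing.contoso.com", "contoso.onmicrosoft.com"),
    ("hr.contoso.com", "hrcontoso.onmicrosoft.com"),
]

if __name__ == "__main__":
    outcomes, state = run_plan(PLAN)
    for (dom, tenant), result in zip(PLAN, outcomes):
        print(f"{dom:24} {tenant:28} {result}")
```

Because sales.contoso.com is verified before contoso.com in this plan, it never appears in `inherits`, which is the ordering the post recommends when only the sub-domain should be federated.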

If you have any tips you want to share about verifying domains, send them to me.

Best Regards from the Tip of the Day Team!

Comments (2)

  1. James Moos says:

    Could you clarify if you can verify the parent domain in a different tenant after the sub-domain has been verified? For example, verify sales.contoso.com in one tenant, then verify contoso.com in a different tenant.

    1. As long as the parent domain is not yet verified, you can continue to verify sub-domains in different tenants. Once you decide to verify the parent domain, you can verify it in a different tenant than the sub-domains. However, any new sub-domains will now need to be verified in the same tenant as the parent domain. Previously verified sub-domains will not be impacted as long as you don’t remove them.
