AZ-104 | Chapter 46 of 168 | Objective 1.1

Custom Domains in Entra ID

This chapter covers custom domains in Microsoft Entra ID (formerly Azure AD), a core topic for the AZ-104 exam under Domain 1: Identity Governance (Objective 1.1). Custom domains allow organizations to use their own domain names (e.g., contoso.com) for user sign-ins and email addresses instead of the default onmicrosoft.com domain. Approximately 10-15% of exam questions touch on custom domain configuration, verification, DNS records, and common pitfalls. Mastering this topic is essential for managing hybrid identities and ensuring seamless authentication.

25 min read
Intermediate
Updated May 31, 2026

Custom Domain as Your Own Address Book

Imagine a large office building where every employee is assigned a default mailbox in the central mailroom, with addresses like 'room101@centralmail.com'. The building manager (Microsoft) controls the 'centralmail.com' domain. If the company wants its own identity, it can register a custom domain like 'contoso.com' and ask the manager to add that domain to the building's directory. To prove ownership, the manager asks the company to place a specific token (TXT record) on the public notice board (DNS zone) of 'contoso.com'. Once verified, the manager can assign employees custom addresses like 'alice@contoso.com'. However, the manager must also update the building's internal routing table (DNS MX record) to point 'contoso.com' to the central mail server. If the company later wants to use its own mail servers, it needs to change the MX record to point elsewhere. The manager enforces a strict rule: before removing the custom domain, every user and group using that domain must be converted to use the default domain or another custom domain. This prevents orphaned addresses. The verification token is checked periodically; if it disappears, the custom domain may be marked as unverified.

How It Actually Works

What Are Custom Domains and Why Do They Exist?

Every Microsoft Entra ID tenant is provisioned with an initial domain name in the format <tenantname>.onmicrosoft.com. This domain is automatically created and cannot be removed. However, using this domain for user sign-ins (e.g., user@contoso.onmicrosoft.com) looks unprofessional and does not align with the organization's brand. Custom domains allow you to add your own verified domain names (e.g., contoso.com) to the tenant. Once verified, you can create users with UPN suffixes matching the custom domain (e.g., alice@contoso.com) and configure federation if needed.

Custom domains are also a prerequisite for integrating with on-premises Active Directory via Azure AD Connect. In a hybrid deployment, the UPN suffix in on-premises AD must match a verified custom domain in Entra ID for seamless synchronization.

How Custom Domains Work Internally

When you add a custom domain to Entra ID, the system generates a unique verification token (a DNS TXT record value). You must add this TXT record to the DNS zone of the domain (managed by your domain registrar). Entra ID periodically checks for the presence of this TXT record. If found, the domain is marked as 'Verified'. The verification process is based on the DNS protocol (RFC 1035) and uses a challenge-response mechanism. The TXT record must remain in place as long as the domain is in use; if removed, the domain may become 'Unverified' after a grace period (typically 72 hours).

Once verified, you can set the custom domain as the primary domain for new users. You can also configure the domain for federation with on-premises AD FS or other identity providers. Federated domains use a different authentication flow: the user is redirected to the on-premises STS for authentication.

Key Components, Values, Defaults, and Timers

Default Domain: <tenantname>.onmicrosoft.com – always present, cannot be removed.

Initial Domain: Same as default, created at tenant provisioning.

Custom Domain: Any domain you own (e.g., contoso.com) that you add and verify.

Verification Token: A unique GUID generated by Entra ID when you add the domain. Example: MS=ms12345678.

DNS Record Type: TXT record with name @ or the domain itself, value equals the token.

Verification Check Interval: Every 1 hour (by default).

Grace Period for Unverified Domains: 72 hours. If the TXT record is missing for 72 hours, the domain becomes unverified and cannot be used for new users.

Maximum Custom Domains per Tenant: 500 (as of AZ-104 exam objectives).

Domain Removal Condition: No users or groups may have the domain in their UPN. All must be converted to another domain first.
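The periodic check described under 'How Custom Domains Work Internally', using the values listed above, as an added Python illustration (not Microsoft's implementation and not code from this chapter): it compares resolver TXT answers against the 'MS=' token exactly and case-sensitively, ignores unrelated TXT records such as SPF, and walks hourly checks through the 72-hour grace period. The token and the resolver answers are constructed sample data.

```python
"""Simulate Entra ID's TXT-record ownership check for a custom domain.
Added illustration, not Microsoft's code; the 'MS=' token format, hourly check
and 72-hour grace period are this chapter's values, the answers are constructed."""
from datetime import datetime, timedelta, timezone

CHECK_INTERVAL = timedelta(hours=1)   # how often the TXT record is re-checked
GRACE_PERIOD = timedelta(hours=72)    # record missing this long -> 'Unverified'

def txt_record_present(txt_answers, expected_token):
    """True if any TXT answer at the zone apex equals the token exactly.
    Case-sensitive (a common misconfiguration); other TXT records such as SPF
    in the same answer set are ignored rather than treated as a failure."""
    for raw in txt_answers:
        value = raw.strip()
        # Resolvers quote each TXT string; strip one pair of quotes, never case.
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        if value == expected_token:
            return True
    return False

def next_status(found, last_seen, now):
    """One periodic check; returns (status, time the token was last seen)."""
    if found:
        return "Verified", now
    if last_seen is None or now - last_seen >= GRACE_PERIOD:
        return "Unverified", last_seen
    return "Verified", last_seen      # missing, but still inside the grace period

def simulate_checks(expected_token, answers_per_check,
                    start=datetime(2026, 5, 31, tzinfo=timezone.utc)):
    """Run one check per hour over a list of constructed resolver answers."""
    statuses, last_seen = [], None
    for i, answers in enumerate(answers_per_check):
        now = start + i * CHECK_INTERVAL
        found = txt_record_present(answers, expected_token)
        status, last_seen = next_status(found, last_seen, now)
        statuses.append(status)
    return statuses

# Constructed sample data; the token follows the chapter's 'MS=' format.
TOKEN = "MS=ms12345678"
WITH_TOKEN = ['"v=spf1 include:spf.protection.outlook.com -all"', '"MS=ms12345678"']
WRONG_CASE = ['"ms=MS12345678"']      # same characters, wrong case: not verified
SPF_ONLY = ['"v=spf1 include:spf.protection.outlook.com -all"']

if __name__ == "__main__":
    # Token present on the first check, then absent for 73 hourly checks.
    timeline = simulate_checks(TOKEN, [WITH_TOKEN] + [SPF_ONLY] * 73)
    print(timeline[0], timeline[71], timeline[72])   # Verified Verified Unverified
```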

Configuration and Verification Commands

To add and verify a custom domain using the Azure portal:

1. Navigate to Entra ID > Custom domain names > Add custom domain.
2. Enter the domain name (e.g., contoso.com).
3. Copy the TXT record value displayed.
4. Add the TXT record to your DNS zone.
5. Click 'Verify'.

Using PowerShell (AzureAD module):

# Sign in. The AzureAD module is deprecated in favour of Microsoft Graph PowerShell, but these are the cmdlets used here.
Connect-AzureAD
# Register the domain in the tenant; it starts in the 'Unverified' state
New-AzureADDomain -Name contoso.com
# Show the TXT record (name, value, TTL) that proves ownership
Get-AzureADDomainVerificationDnsRecord -Name contoso.com
# Add the TXT record to DNS at your registrar, then trigger the check
Confirm-AzureADDomain -Name contoso.com

Using Azure CLI:

az login
# Register the domain in the tenant
az ad domain create --domain-name contoso.com
# Add the TXT record to DNS at your registrar, then trigger the check
az ad domain verify --domain-name contoso.com

Interaction with Related Technologies

Azure AD Connect: For hybrid identity, the UPN suffix of on-premises users must match a verified custom domain in Entra ID. During synchronization, Azure AD Connect maps the on-premises UPN to the cloud UPN. If the domain is not verified, sync fails for those users.

Federation: Custom domains can be configured as federated (using on-premises identity provider) or managed (password hash sync or pass-through authentication). The domain type is set during domain addition.

Email Routing: While Entra ID does not provide email hosting, custom domains are used for Office 365 mailboxes. The MX record for the domain must point to Exchange Online (or your own mail server).

User Principal Name (UPN): The UPN is the primary user identifier for authentication. Changing a user's UPN domain requires the new domain to be verified. Users can have multiple UPNs (via proxyAddresses), but the primary UPN must match a verified domain.

Common Misconfigurations

Incorrect TXT Record: The token is case-sensitive. Copy exactly.

Multiple TXT Records: Some registrars allow multiple TXT records; ensure the verification record is present.

TTL Issues: DNS caching can delay verification. Wait for TTL expiry (usually 1 hour) before troubleshooting.

Domain Removal: Attempting to remove a domain that still has users or groups assigned results in an error. You must first change all UPNs to another domain.

Exam-Relevant Details

The onmicrosoft.com domain cannot be removed or renamed.

You can add up to 500 custom domains per tenant.

Each custom domain must be verified via DNS TXT record.

Verification must be repeated if the domain is used for federation (additional verification for federation).

For hybrid environments, the on-premises UPN suffix must match a verified custom domain.

The DNS TXT record must remain in place; removing it will cause the domain to become unverified after 72 hours.

You cannot use a custom domain that is already verified in another Entra ID tenant (unless it is a subdomain).

Subdomain verification: If you verify contoso.com, you can use sub.contoso.com without additional verification (inherited).

For Office 365, additional DNS records (MX, SPF, etc.) are required for email functionality, but not for Entra ID verification.

Walk-Through

Step 1: Add Custom Domain in Entra ID

In the Azure portal, navigate to Microsoft Entra ID > Custom domain names. Click 'Add custom domain'. Enter the fully qualified domain name (e.g., contoso.com). The system generates a unique verification token (TXT record value) and displays it. This token is a GUID prefixed with 'MS='. The domain is added in an 'Unverified' state. No users or services can use the domain until verification completes.

Step 2: Add DNS TXT Record at Registrar

Log in to your domain registrar's DNS management console. Create a new TXT record with host '@' (or the domain name itself) and value exactly as provided (e.g., MS=ms12345678). The TTL can be set to 1 hour (3600 seconds) for faster verification. If the registrar requires, set the record type to TXT. Save the record. DNS propagation may take from minutes to hours depending on TTL and registrar.

Step 3: Verify Domain in Entra ID

Return to the Custom domain names blade in Entra ID. Click 'Verify'. Entra ID will query DNS for the TXT record. If the record is found and its value matches, the domain status changes to 'Verified'. Verification is instant if DNS has propagated. If verification fails, wait for DNS propagation and retry; you can click 'Verify' as many times as needed.

Step 4: Set Domain as Primary (Optional)

After verification, you can set the custom domain as the primary domain for new users. This means new users will default to the custom domain in their UPN. Existing users can have their UPN changed manually. To change primary domain, go to Custom domain names, select the domain, and click 'Set as primary'. The previous primary domain (onmicrosoft.com) remains but is no longer the default.

Step 5: Configure Federation (Optional)

If you want to federate the custom domain with an on-premises identity provider (e.g., AD FS), you need to configure federation during or after domain addition. In Entra ID, under the domain settings, select 'Federated' and provide the federation metadata URL. This adds additional DNS records (e.g., for federation trust). The domain must be verified first. Federation changes the authentication flow: users are redirected to the on-premises STS.

Step 6: Convert Users to Custom Domain

To use the custom domain for existing users, you must update each user's UPN. In the Azure portal, go to Users, select a user, and change the UPN suffix from onmicrosoft.com to the custom domain. Alternatively, use PowerShell or Azure AD Connect for bulk changes. If the domain is federated, the user's authentication method changes accordingly. Ensure no users remain with the old domain before removing it.

Step 7: Remove Custom Domain (If Needed)

To remove a custom domain, all users, groups, and applications that use the domain in their UPN or email must first be updated to use another domain (e.g., the default onmicrosoft.com or another verified custom domain). Once no objects reference the domain, you can delete it from the Custom domain names blade. The domain will be removed from the tenant and can be added to another tenant later.

What This Looks Like on the Job

In a typical enterprise deployment, a company like Contoso Ltd. with 10,000 employees and multiple subsidiaries will have several custom domains. For example, contoso.com for the main company, and subdomains like eu.contoso.com for European operations. Each domain must be verified in Entra ID. A common scenario is hybrid identity: Contoso uses Azure AD Connect to sync on-premises Active Directory users. The on-premises UPN suffixes (e.g., @contoso.com) must match verified custom domains. If a new subsidiary is acquired with its own domain (e.g., acquiredcompany.com), the IT team adds that domain to the tenant, verifies it, and then syncs users from the on-premises forest. Failure to verify the domain before sync causes synchronization errors for those users; they will appear as 'onmicrosoft.com' users instead of their intended UPN.

Another scenario is Office 365 integration. After adding a custom domain, the organization must also configure DNS records for Exchange Online (MX, SPF, etc.) to receive email. Many admins mistakenly think that verifying the domain in Entra ID automatically routes email. It does not. Email routing is separate. A common misconfiguration is forgetting to update the MX record, causing email delivery failures.

Performance considerations: DNS propagation delays can impact verification. Admins should wait at least 1 hour after adding TXT records before troubleshooting.

Scale considerations: With 500 custom domains allowed, large enterprises with many brands can manage all domains in a single tenant, but each domain requires DNS management. Misconfigurations often occur when domains are removed without converting all users, resulting in error messages. The most common support call is 'Cannot remove domain because users still exist.' This is preventable by running a script to find all objects using the domain before removal.
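The pre-removal inventory script mentioned above, covering the condition in walk-through step 7, as an added Python example that is not the chapter's or Microsoft's code: it scans a constructed directory export shaped like Get-AzureADUser / Get-AzureADGroup output for any userPrincipalName, mail or proxyAddresses value still on the domain, and proposes a fallback UPN on the default onmicrosoft.com domain. The object IDs and addresses are made up.

```python
"""Inventory every directory object still referencing a custom domain.
Added illustration, not Microsoft's code. The directory export is a constructed
sample shaped like Get-AzureADUser / Get-AzureADGroup output, not a live tenant."""

def domain_of(address):
    """Lower-cased domain part of a UPN or SMTP address, or None.
    proxyAddresses carry a type prefix such as 'SMTP:' or 'smtp:'."""
    addr = address.split(":", 1)[1] if ":" in address else address
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()

def objects_blocking_removal(objects, domain):
    """Every (objectType, objectId, attribute, value) that still uses `domain`.
    Matching is exact: eu.contoso.com is a separate domain, not a hit for
    contoso.com, so it does not block removing the parent."""
    domain = domain.lower()
    hits = []
    for obj in objects:
        candidates = [("userPrincipalName", obj.get("userPrincipalName")),
                      ("mail", obj.get("mail"))]
        candidates += [("proxyAddresses", p) for p in obj.get("proxyAddresses", [])]
        for attr, value in candidates:
            if value and domain_of(value) == domain:
                hits.append((obj["objectType"], obj["objectId"], attr, value))
    return hits

def proposed_upn(upn, fallback_domain):
    """Keep the local part, move the suffix to the fallback (default) domain."""
    return f"{upn.rsplit('@', 1)[0]}@{fallback_domain}"

# Constructed sample export (object IDs and addresses are made up).
SAMPLE_DIRECTORY = [
    {"objectType": "User", "objectId": "u1", "userPrincipalName": "alice@contoso.com",
     "mail": "alice@contoso.com", "proxyAddresses": ["SMTP:alice@contoso.com"]},
    {"objectType": "User", "objectId": "u2",
     "userPrincipalName": "bob@contoso.onmicrosoft.com", "mail": None,
     "proxyAddresses": ["smtp:bob@contoso.com", "SMTP:bob@contoso.onmicrosoft.com"]},
    {"objectType": "User", "objectId": "u3", "userPrincipalName": "carol@eu.contoso.com",
     "mail": "carol@eu.contoso.com", "proxyAddresses": []},
    {"objectType": "Group", "objectId": "g1", "userPrincipalName": None,
     "mail": "sales@CONTOSO.com", "proxyAddresses": ["SMTP:sales@contoso.com"]},
]

if __name__ == "__main__":
    # Run this before deleting the domain; an empty result means removal is safe.
    for obj_type, obj_id, attr, value in objects_blocking_removal(SAMPLE_DIRECTORY, "contoso.com"):
        print(f"{obj_type} {obj_id}: {attr}={value}")
        if attr == "userPrincipalName":
            print("  proposed UPN:", proposed_upn(value, "contoso.onmicrosoft.com"))
```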

How AZ-104 Actually Tests This

The AZ-104 exam tests custom domains under Objective 1.1: 'Manage identities in Microsoft Entra ID'. Specifically, you must know how to add, verify, and manage custom domains.

The most common wrong answer on exam questions is selecting 'Add a CNAME record instead of a TXT record' for verification. Candidates often confuse DNS record types. The exam will present a scenario where you need to verify a domain; the correct answer is always 'Add a TXT record with the value provided by Entra ID'.

Another trap: 'You can remove the TXT record after verification.' This is false; the TXT record must remain to keep the domain verified. The exam may ask: 'What happens if the TXT record is removed?' Answer: The domain becomes unverified after 72 hours.

A third trap: 'You can use any custom domain that you own without verification.' False; verification is mandatory. The exam also tests the 500-domain limit and the fact that the onmicrosoft.com domain cannot be removed.

Edge cases: Subdomain verification is inherited from the parent domain. If you verify contoso.com, you can use sub.contoso.com without additional verification. However, if you add sub.contoso.com separately, you still need to verify it (though you can use the same TXT record as the parent). The exam loves to ask about removing a domain: 'You must change all users' UPN to another domain first.' Another edge case: Federated domains require additional verification steps (adding federation metadata). The exam may ask: 'You added a custom domain and configured federation. What additional step is required?' Answer: Upload the federation metadata or configure the federation trust.

To eliminate wrong answers, focus on the underlying DNS mechanism: verification relies on DNS TXT records, not MX or CNAME. If an answer mentions MX records for verification, it's wrong. Also, remember that verification is per-tenant; a domain verified in one tenant cannot be used in another unless removed first.

Key Takeaways

Custom domains must be verified via DNS TXT record; the token is a GUID prefixed with 'MS='.

The TXT record must remain in place to keep the domain verified; removal causes unverified status after 72 hours.

Maximum 500 custom domains per tenant.

The onmicrosoft.com domain cannot be removed or renamed.

To remove a custom domain, all users and groups using it must be converted to another domain first.

Subdomains inherit verification from the parent domain if not added separately.

For hybrid identity, on-premises UPN suffixes must match a verified custom domain in Entra ID.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Managed Domain

Password hash sync or pass-through authentication.

User credentials are verified in the cloud.

No on-premises identity provider required.

Simpler setup; no additional federation metadata needed.

Users authenticate via Entra ID login page.

Federated Domain

Authentication is redirected to on-premises identity provider (e.g., AD FS).

User credentials are verified on-premises.

Requires on-premises federation server and metadata exchange.

Additional DNS records (e.g., for federation trust) may be needed.

Users authenticate via on-premises login page.

Watch Out for These

Mistake

You can verify a custom domain by adding an MX record.

Correct

Verification requires a DNS TXT record with a specific token. MX records are used for email routing, not domain ownership verification.

Mistake

Once verified, you can delete the TXT record immediately.

Correct

The TXT record must remain in place. If deleted, the domain becomes unverified after a 72-hour grace period.

Mistake

Custom domains can be used without verification if they are subdomains of a verified domain.

Correct

Subdomains inherit the parent's verification only when they are not added as a separate custom domain. If you add a subdomain separately, it needs its own verification (though the parent's TXT record can be reused).

Mistake

You can remove the onmicrosoft.com domain.

Correct

The initial onmicrosoft.com domain cannot be removed or renamed. It is permanent.

Mistake

You can have unlimited custom domains per tenant.

Correct

The maximum is 500 custom domains per Entra ID tenant.


Frequently Asked Questions

How do I add a custom domain to Microsoft Entra ID?

Go to Entra ID > Custom domain names > Add custom domain. Enter your domain (e.g., contoso.com). Copy the TXT record value shown. Add this TXT record to your domain's DNS zone at your registrar. Then click 'Verify' in the portal. The domain will become 'Verified' once the TXT record is detected.

Can I use a custom domain without verification?

No. Verification is mandatory. Without verification, you cannot create users with that domain in their UPN, and hybrid sync will fail for users with that UPN suffix.

What happens if I delete the TXT record after verification?

The domain will become 'Unverified' after a 72-hour grace period. During this time, it remains usable, but after 72 hours, you cannot create new users with that domain. To restore, add the TXT record again and re-verify.

Can I remove the default onmicrosoft.com domain?

No. The initial onmicrosoft.com domain is permanent and cannot be removed or renamed. It serves as a fallback domain.

How many custom domains can I add?

Up to 500 custom domains per Entra ID tenant. This is a hard limit.

Do I need to verify subdomains separately?

If you add a subdomain as a separate custom domain (e.g., sub.contoso.com), you must verify it. However, verification can be inherited from the parent domain (contoso.com) if the parent is already verified. You can also use the same TXT record for the subdomain.

What DNS records are required for custom domain verification?

Only a TXT record with the specific token provided by Entra ID. No other DNS records (MX, CNAME, etc.) are needed for verification.

