MS-102 | Chapter 1 of 104 | Objective 1.1

Microsoft 365 Tenant Setup

This chapter covers the complete process of setting up a new Microsoft 365 tenant, from initial provisioning through custom domain configuration and initial administrative setup. Tenant setup is a foundational skill for the MS-102 exam, typically appearing in 5-10% of questions across multiple domains. You will learn the exact steps, required permissions, DNS verification procedures, and common pitfalls that the exam tests. Master this chapter to ensure you can confidently configure a tenant from scratch—a task every Microsoft 365 administrator must perform.

Updated May 31, 2026

Tenant Setup Like Building a Corporate HQ

Setting up a Microsoft 365 tenant is like constructing a new corporate headquarters building from scratch. First, you must acquire the land (register a domain) and obtain a building permit (verify domain ownership via DNS TXT record). The building's address becomes your tenant's primary domain (contoso.onmicrosoft.com). Next, you install the main entrance and security desk (Microsoft Entra ID) that controls who can enter. Then, you add floors (Exchange Online, SharePoint Online, Teams) and assign each department (user) to specific floors with keycards (licenses). The building's master key system (global admin role) can access every room, while floor managers (service admins) only access their assigned areas. You also set up fire exits and alarms (security defaults and conditional access policies) to protect against intruders. Finally, you rename the building's official address to your custom domain (contoso.com) and update all signage (DNS records). Just as a building requires careful planning and adherence to local codes, a tenant setup demands proper sequencing and compliance with Microsoft's configuration rules to avoid access issues or service disruptions.

How It Actually Works

What is a Microsoft 365 Tenant and Why Does It Exist?

A Microsoft 365 tenant is a dedicated, isolated instance of Microsoft 365 services (Exchange Online, SharePoint Online, Teams, etc.) created for your organization. It acts as a boundary for identity, security, and compliance policies. Tenants are created when you sign up for a Microsoft 365 subscription; each tenant is associated with a primary domain (e.g., contoso.onmicrosoft.com) and can be linked to one or more custom domains (e.g., contoso.com). The tenant is hosted in a specific geographic region (e.g., North America, Europe, Asia Pacific) based on the country selected during sign-up, which determines where your data is stored at rest.

How Tenant Creation Works Internally

When you initiate tenant creation via the Microsoft 365 admin center, the following occurs:

1. Identity provisioning: Microsoft Entra ID (formerly Azure AD) creates a new directory with a globally unique tenant ID (a GUID). The directory includes the default domain (tenantname.onmicrosoft.com).
2. Subscription assignment: Based on the plan selected (e.g., Business Premium, E3, E5), licenses are allocated to the tenant. These licenses are managed via the Microsoft 365 admin center or the Microsoft 365 admin center API.
3. Service activation: Exchange Online, SharePoint Online, Teams, and other services are provisioned. For Exchange, a default mailbox is created for the initial global admin. SharePoint Online creates a default site collection at https://tenantname.sharepoint.com.
4. DNS integration: If you add a custom domain, you must verify ownership by adding a TXT record to your public DNS zone. Microsoft periodically checks for this record; once found, the domain is verified and can be set as the default.
5. Initial admin account: The first user created during sign-up becomes the global admin. This account is critical and should be secured with MFA immediately.

Key Components, Values, Defaults, and Timers

Tenant ID: A 128-bit GUID, e.g., 12345678-1234-1234-1234-123456789abc. This is used in PowerShell and Graph API calls.

Primary domain: [tenantname].onmicrosoft.com. Cannot be changed but can be hidden from users.

Custom domain verification: Must complete within 72 hours; otherwise, the domain remains unverified. The TXT record value is provided during the add domain wizard.

Default global admin: The account used to sign up. Microsoft recommends creating a separate, dedicated global admin account (e.g., admin@tenant.onmicrosoft.com) and using break-glass accounts.

Initial license count: Typically 25 for trial subscriptions; paid subscriptions have the number you purchased.

Service activation latency: Exchange Online may take up to 24 hours to fully provision. SharePoint Online and Teams are usually available within minutes.

Security defaults: Enabled by default for new tenants. This enforces MFA for all users, blocks legacy authentication, and requires privileged users to use MFA.

Configuration and Verification Commands

- Get-MgOrganization (Microsoft Graph PowerShell): Retrieves tenant details including ID, display name, and verified domains.

    Connect-MgGraph -Scopes Organization.Read.All
    Get-MgOrganization | Select-Object Id, DisplayName, VerifiedDomains

- Get-MsolDomain (MSOnline module, legacy): Lists domains and verification status.

    Connect-MsolService
    Get-MsolDomain | Where-Object {$_.Status -eq 'Verified'}

- Set-MsolDomain (MSOnline): Sets a domain as the default for new users. IsDefault is a switch parameter, so it takes no value.

    Set-MsolDomain -Name contoso.com -IsDefault

- New-MgDomain (Graph): Adds a new custom domain to the tenant.

    New-MgDomain -Id contoso.com

- Confirm-MgDomain (Graph): Initiates verification. Microsoft looks up the TXT record (e.g., MS=ms12345678) in public DNS; the value is published in the zone, not passed to the cmdlet.

    Confirm-MgDomain -DomainId contoso.com

Interaction with Related Technologies

Microsoft Entra ID: The tenant's identity backbone. All user accounts, groups, and roles reside here. Conditional access policies are applied at the tenant level.

DNS: Custom domain verification relies on public DNS records. Exchange Online uses MX, SPF, DKIM, and DMARC records for mail flow. Teams uses SRV records for SIP and CNAME records for client auto-discovery.

Microsoft 365 admin center: The primary GUI for tenant management. It wraps PowerShell and Graph API calls.

Azure AD Connect / Cloud Sync: If hybrid identity is used, the on-premises AD is synced to the tenant. This requires configuring the tenant's UPN suffix to match a verified custom domain.

Microsoft Purview compliance portal: Tenant-level compliance settings (e.g., retention policies, DLP) are configured here and affect all workloads.

Common Configuration Steps

1. Sign up for Microsoft 365: Choose a plan (e.g., Microsoft 365 Business Standard) and provide organization details. You'll create an initial admin account.

2. Secure the admin account: Enable MFA immediately. Create a dedicated global admin account and a break-glass account (with long password, stored securely).

3. Add and verify a custom domain: Go to Settings > Domains > Add domain. Follow the wizard to get the TXT record value, add it to your DNS host, and click Verify.

4. Set the custom domain as default: After verification, set it as the default domain so new users get user@contoso.com instead of user@contoso.onmicrosoft.com.

5. Update DNS records for services: Add MX, CNAME, TXT (SPF), and SRV records as recommended by the Microsoft 365 domain setup wizard.

6. Assign licenses to users: Users must have licenses to access services. Licenses are assigned from the Microsoft 365 admin center (Users > Active Users > select user > Licenses and Apps).

7. Configure identity and security: Enable security defaults or create conditional access policies. Set up password policies, self-service password reset (SSPR), and group-based licensing.

8. Add users and groups: Bulk add users via CSV import or create them manually. Create security groups and Microsoft 365 groups for collaboration.

Important Defaults and Behaviors

Tenant location: Based on the billing address country. Data is stored in the nearest datacenter region. Cannot be changed after creation.

Default domain: The onmicrosoft.com domain is always present. It can be hidden from users but never deleted.

Initial admin role: The first user is a global admin. Additional global admins can be added but must be done carefully due to elevated privileges.

License management: Licenses are managed per user. Unused licenses can be reclaimed. The tenant has a maximum number of licenses based on subscription; you can purchase more.

Service health: Monitor via the Microsoft 365 admin center > Health > Service health. Outages are reported here.

Troubleshooting Common Issues

Domain verification fails: Ensure the TXT record is exactly as provided, including MS=ms prefix. Check DNS propagation using tools like nslookup -type=txt contoso.com. Wait up to 72 hours.

Cannot add custom domain: The domain may already be associated with another Microsoft 365 tenant. You must remove it from the other tenant first or use a subdomain.

User cannot access services: Check license assignment. Ensure the user's UPN suffix matches a verified domain. For hybrid users, verify sync is working.

Mail flow issues: After adding the custom domain, update the MX record to point to Microsoft 365 (e.g., contoso-com.mail.protection.outlook.com). Also add an SPF record to prevent spoofing.
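The checks behind the domain verification and mail flow items above, as an added example (not code from the original page): a hypothetical Test-M365DnsRecord function evaluates a record set for contoso.com against the TXT, SPF, MX and autodiscover values this chapter gives. The function name, the record object shape (Type, Name, Value, Priority) and the sample zone are assumptions constructed for the example.

```powershell
# Added example. The zone below is constructed sample data, not a real lookup.
function Test-M365DnsRecord {
    param(
        [Parameter(Mandatory)] [string]   $Domain,
        [Parameter(Mandatory)] [object[]] $Records
    )
    $apexTxt = @($Records | Where-Object { $_.Type -eq 'TXT' -and $_.Name -eq '@' })

    # 1. Ownership verification: only the TXT record carrying the MS=ms value counts.
    if (-not ($apexTxt | Where-Object { $_.Value -match '^MS=ms\w+$' })) {
        'VERIFY: no apex TXT record whose value starts with MS=ms'
    }

    # 2. SPF: exactly one v=spf1 record, including Microsoft 365 and ending in -all.
    $spf = @($apexTxt | Where-Object { $_.Value -like 'v=spf1*' })
    if ($spf.Count -ne 1) {
        "SPF: found $($spf.Count) v=spf1 records, expected exactly 1"
    }
    foreach ($r in $spf) {
        if ($r.Value -notmatch '(^|\s)include:spf\.protection\.outlook\.com(\s|$)') {
            "SPF: '$($r.Value)' does not include spf.protection.outlook.com"
        }
        if ($r.Value -notmatch '\s-all$') {
            "SPF: '$($r.Value)' does not end in -all"
        }
    }

    # 3. MX: the most preferred (lowest priority number) host must be Microsoft 365.
    #    Host name follows the chapter's pattern: contoso.com -> contoso-com.
    $expectedMx = ($Domain -replace '\.', '-') + '.mail.protection.outlook.com'
    $mx = @($Records | Where-Object { $_.Type -eq 'MX' -and $_.Name -eq '@' } |
            Sort-Object Priority)
    if ($mx.Count -eq 0) {
        'MX: no MX record at the apex'
    } elseif ($mx[0].Value.TrimEnd('.') -ne $expectedMx) {
        "MX: preferred host is $($mx[0].Value) (priority $($mx[0].Priority)), expected $expectedMx"
    }

    # 4. Autodiscover CNAME for client configuration.
    $auto = $Records | Where-Object { $_.Type -eq 'CNAME' -and $_.Name -eq 'autodiscover' } |
            Select-Object -First 1
    if (-not $auto -or $auto.Value.TrimEnd('.') -ne 'autodiscover.outlook.com') {
        'CNAME: autodiscover does not point to autodiscover.outlook.com'
    }
}

# Constructed zone with typical mistakes: the MS= prefix was dropped, a second SPF
# record was left over from a previous provider, and the old MX still wins on priority.
$zone = @(
    [pscustomobject]@{ Type = 'TXT';   Name = '@'; Priority = $null; Value = 'ms12345678' }
    [pscustomobject]@{ Type = 'TXT';   Name = '@'; Priority = $null; Value = 'v=spf1 include:spf.protection.outlook.com ~all' }
    [pscustomobject]@{ Type = 'TXT';   Name = '@'; Priority = $null; Value = 'v=spf1 include:_spf.example.net -all' }
    [pscustomobject]@{ Type = 'MX';    Name = '@'; Priority = 10;    Value = 'contoso-com.mail.protection.outlook.com' }
    [pscustomobject]@{ Type = 'MX';    Name = '@'; Priority = 5;     Value = 'mail.example.net' }
    [pscustomobject]@{ Type = 'CNAME'; Name = 'autodiscover'; Priority = $null; Value = 'autodiscover.outlook.com' }
)

Test-M365DnsRecord -Domain 'contoso.com' -Records $zone
```

Each string the function returns is one finding; an empty result means the record set matches the chapter's values.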

PowerShell Automation

For bulk operations, use the Microsoft Graph PowerShell SDK:

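# Connect with the scopes the calls below need
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Organization.Read.All'

# Add multiple users from CSV (New-MgUser requires AccountEnabled to be set)
Import-Csv -Path users.csv | ForEach-Object {
    New-MgUser -DisplayName $_.DisplayName -UserPrincipalName $_.UserPrincipalName -PasswordProfile @{Password=$_.Password} -MailNickname $_.MailNickname -UsageLocation $_.UsageLocation -AccountEnabled
}

# Assign license: SkuId must be the SKU's GUID, so look it up by part number
$sku = Get-MgSubscribedSku -All | Where-Object SkuPartNumber -eq 'ENTERPRISEPREMIUM'
Set-MgUserLicense -UserId user@contoso.com -AddLicenses @(@{SkuId = $sku.SkuId}) -RemoveLicenses @()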
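A pre-flight check for the bulk import above, as an added example (not code from the original page): it validates each CSV row for the two conditions this chapter ties to sign-in and licensing, a UPN suffix that matches a verified domain and a UsageLocation country code, before any account is created. The function name Test-UserImportRow, the CSV rows and the verified-domain list are constructed for the example; in a live session the list would come from Get-MgOrganization.

```powershell
# Added example. Rows and domain list are constructed sample data.
function Test-UserImportRow {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        [Parameter(Mandatory)] [string[]] $VerifiedDomains
    )
    $required = 'DisplayName', 'UserPrincipalName', 'MailNickname', 'UsageLocation', 'Password'
    $seen = @{}   # UPN -> first line number (hashtable keys compare case-insensitively)
    $line = 1     # the CSV header is line 1
    foreach ($row in $Rows) {
        $line++
        $problems = @()

        # Every column that New-MgUser is fed from must be populated.
        foreach ($col in $required) {
            if ([string]::IsNullOrWhiteSpace($row.$col)) { $problems += "missing $col" }
        }

        # The UPN suffix must be a domain the tenant has already verified.
        $upn = "$($row.UserPrincipalName)".Trim()
        if ($upn) {
            $suffix = ($upn -split '@', 2)[1]
            if (-not $suffix) {
                $problems += 'UPN has no @domain part'
            } elseif ($VerifiedDomains -notcontains $suffix) {
                $problems += "UPN suffix '$suffix' is not a verified domain"
            }
            if ($seen.ContainsKey($upn)) {
                $problems += "duplicate UPN (first seen on line $($seen[$upn]))"
            } else {
                $seen[$upn] = $line
            }
        }

        # UsageLocation must be a two-letter country code for license assignment.
        if ($row.UsageLocation -and $row.UsageLocation -notmatch '^[a-z]{2}$') {
            $problems += "UsageLocation '$($row.UsageLocation)' is not a two-letter country code"
        }

        [pscustomobject]@{
            Line              = $line
            UserPrincipalName = $upn
            Ok                = ($problems.Count -eq 0)
            Problems          = ($problems -join '; ')
        }
    }
}

# Constructed CSV: a typo in the domain, a three-letter country code,
# a duplicate UPN that differs only in case, and a missing UsageLocation.
$rows = @'
DisplayName,UserPrincipalName,MailNickname,UsageLocation,Password
Avery Example,avery@contoso.com,avery,US,<one-time-password>
Blake Example,blake@contoso.onmicrosoft.com,blake,GB,<one-time-password>
Casey Example,casey@contoso.co,casey,US,<one-time-password>
Devon Example,devon@contoso.com,devon,USA,<one-time-password>
Avery Duplicate,AVERY@contoso.com,avery2,US,<one-time-password>
Emery Example,emery@contoso.com,emery,,<one-time-password>
'@ | ConvertFrom-Csv

Test-UserImportRow -Rows $rows -VerifiedDomains 'contoso.com', 'contoso.onmicrosoft.com' |
    Where-Object { -not $_.Ok } |
    Format-Table -AutoSize -Wrap
```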

Summary of Key Exam Points

Tenant creation is irreversible; choose region carefully.

Domain verification requires a TXT record; other record types (MX, CNAME) are for service configuration, not verification.

The first admin is a global admin; always secure this account.

Security defaults are enabled by default for new tenants (since October 2021).

Custom domains can be added, verified, and set as default. Up to 900 domains per tenant.

Licenses are per-user and must be assigned for service access.

Tenant ID is used for identity federation and API access; never expose it unnecessarily.

Exam Trap: Domain Verification vs. Domain Configuration

Candidates often confuse the TXT record used for verification with the MX record used for mail routing. The exam will test that verification only requires a TXT record. MX, CNAME, and SRV records are for service functionality after verification. Also, verification must be completed within 72 hours, but the exam may say 15 minutes—that's the propagation time, not the verification timeout. The actual timeout is 72 hours.

Conclusion

Tenant setup is the first step in any Microsoft 365 deployment. Understanding the sequence, dependencies, and default behaviors is critical for the MS-102 exam and real-world administration. Focus on domain verification, initial security configuration, and license management. Use PowerShell for efficiency and consistency.

Walk-Through

1. Sign Up for Microsoft 365

Navigate to the Microsoft 365 sign-up page (https://www.microsoft.com/en-us/microsoft-365/business) and select a plan (e.g., Business Standard, Business Premium, Enterprise E3). Provide organization details: company name, country/region (determines data residency), and contact info. Create the initial admin account with a username (e.g., admin@contoso.onmicrosoft.com) and password. This account becomes the global admin. After submission, the tenant is provisioned in Microsoft Entra ID with a unique tenant ID and the default domain (contoso.onmicrosoft.com). The sign-up process also creates a default SharePoint site, an Exchange Online organization, and a Teams tenant. You will receive a confirmation email with the tenant admin center URL.

2. Secure the Global Admin Account

Immediately after sign-up, secure the global admin account. Enable multi-factor authentication (MFA) via the Microsoft 365 admin center (Settings > Org settings > Modern authentication) or by configuring security defaults. Security defaults are automatically enabled for new tenants; they require all users to register for MFA within 14 days. For the global admin, enforce MFA immediately. Also, create a break-glass global admin account with a long, complex password stored in a secure location (e.g., a password vault). This account should not be used for daily operations. Additionally, consider creating a dedicated global admin account (e.g., admin@contoso.com) and assigning it only to trusted IT staff. Remove the initial admin from daily use if possible.

3. Add and Verify a Custom Domain

In the Microsoft 365 admin center, go to Settings > Domains > Add domain. Enter your custom domain (e.g., contoso.com). Microsoft will generate a TXT record value (e.g., MS=ms12345678). Log into your DNS hosting provider (e.g., GoDaddy, Cloudflare) and add a new TXT record with the host @ (or the domain itself) and the provided value. After adding the record, click Verify in the admin center. Microsoft checks for the TXT record; verification may take a few minutes but can take up to 72 hours. Once verified, the domain status changes to 'Verified'. You can now set this domain as the default for new users. Note: Only TXT records are used for verification; MX, CNAME, and SRV records are for service configuration after verification.

4. Configure DNS Records for Services

After verifying the custom domain, configure DNS records to enable mail and other services. The Microsoft 365 domain setup wizard provides a list of required records. For Exchange Online: add an MX record pointing to contoso-com.mail.protection.outlook.com with priority 0. Add CNAME records for autodiscover (autodiscover.outlook.com), msoid (clientconfig.microsoftonline-p.net), and others. Add a TXT record for SPF (v=spf1 include:spf.protection.outlook.com -all). For Teams: add SRV records for SIP (sipdir.online.lync.com) and CNAME for lyncdiscover. For SharePoint: a CNAME for www (if needed) or simply use the default URL. Each record type serves a specific purpose; incorrect configuration can cause mail flow or client connectivity issues. Use the wizard's guidance to ensure completeness.

5. Assign Licenses and Add Users

In the Microsoft 365 admin center, go to Users > Active Users. To add users individually, click Add a user and fill in details: display name, username (UPN), domain (choose verified custom domain), and password. Assign a license by selecting the appropriate product (e.g., Microsoft 365 Business Premium) and enabling the desired services (Exchange Online, SharePoint Online, Teams, etc.). For bulk addition, use the 'Add multiple users' option with a CSV file. The CSV must include UserPrincipalName, DisplayName, and other attributes. Alternatively, use PowerShell with the New-MgUser cmdlet. Users must have a license to access services; unlicensed users cannot sign in. Also set the UsageLocation (ISO 3166 country code) for license assignment compliance. After creation, users receive a welcome email with their sign-in details.

6. Configure Identity and Security Settings

Configure identity and security settings to protect the tenant. Enable security defaults (already enabled for new tenants) which enforce MFA, block legacy authentication, and require privileged users to use MFA. Alternatively, create custom conditional access policies via Microsoft Entra admin center: e.g., require MFA for all users, block access from untrusted locations, or require compliant devices. Configure password policies: set password expiration (default 90 days) and complexity requirements. Enable self-service password reset (SSPR) for users to reset their own passwords. Set up group-based licensing to automatically assign licenses based on group membership. Also configure user consent settings for apps and external collaboration settings (guest access). These settings are critical for security compliance and are frequently tested on the exam.

What This Looks Like on the Job

Enterprise Scenario 1: Large Organization with Multiple Subsidiaries

A multinational corporation with 50,000 employees acquires a smaller company. The IT team needs to set up a new Microsoft 365 tenant for the subsidiary while maintaining isolation from the parent tenant. After signing up for an Enterprise E5 subscription, they add the subsidiary's custom domain (subsidiary.com). They verify the domain, then configure DNS records for mail flow. They create 5,000 users via CSV import using PowerShell, assigning licenses and setting UsageLocation based on employee country. They create security groups for departments and configure conditional access policies to require MFA for all external access. They also set up a hybrid identity with Azure AD Connect to sync from the subsidiary's on-premises AD. Performance considerations: DNS propagation for the custom domain took 2 hours due to TTL settings; mail flow started immediately after MX record update. A common issue: the subsidiary's domain was previously used for a trial tenant, causing verification failure. They had to delete the old tenant or use a subdomain.

Enterprise Scenario 2: Small Business Migration from Google Workspace

A 50-person marketing agency migrates from Google Workspace to Microsoft 365 Business Premium. The administrator signs up for a new tenant, adds their custom domain (agency.com), and verifies it. They then configure DNS records: MX to Microsoft 365, CNAME for autodiscover, and SPF to include both Google and Microsoft 365 during migration. They create users manually, assigning licenses. They enable security defaults and set up SSPR. The migration of email is done using Microsoft's cutover migration tool. The biggest challenge was ensuring DNS TTLs were lowered before the cutover to minimize propagation delays. After migration, they set the custom domain as default and removed the onmicrosoft.com domain from user UPNs. A mistake they almost made: forgetting to add the SPF record for Microsoft 365, which would cause email spoofing issues.

Enterprise Scenario 3: Education Tenant for a University

A university with 30,000 students and 5,000 staff sets up a Microsoft 365 A3 tenant for education. They sign up using the education verification process (submitting proof of domain ownership). They add the university's domain (university.edu) and verify via TXT record. They configure DNS records, including MX for Exchange Online and CNAME for Teams. They create student and staff users via CSV, assigning appropriate licenses (A3 for students and staff). They configure group-based licensing: students get licenses based on their enrollment group. Security settings include conditional access policies that block access from non-corporate devices for staff but allow student access from any device. They also enable Microsoft 365 Groups for collaboration. A key consideration: the university's domain was already federated with another identity provider; they had to coordinate domain verification with the federation team. The exam often tests that education tenants require domain verification and proof of eligibility.

How MS-102 Actually Tests This

What MS-102 Tests on Tenant Setup (Objective 1.1)

The MS-102 exam covers tenant setup under Domain 1 (Tenant Management) and specifically Objective 1.1: 'Plan and configure a Microsoft 365 tenant.' Questions may ask about the steps to create a tenant, domain verification, initial security configuration, and license assignment. Expect 5-10 questions on this topic across the exam.

Common Wrong Answers and Why Candidates Choose Them

1. Using an MX record for domain verification: Candidates see 'DNS' and 'domain' and assume MX records are needed. The exam tests that only TXT records are used for verification. The correct answer is always 'Add a TXT record with the value provided by Microsoft.'

2. Setting the custom domain as primary before verification: Many think you can set a domain as default immediately. The exam requires verification first; setting as default before verification will fail.

3. Assigning licenses first, then users: Some try to assign licenses to nonexistent users. The correct order is create users, then assign licenses. Licenses are per-user; you cannot assign to 'placeholder' accounts.

4. Thinking security defaults are disabled by default: Since October 2021, new tenants have security defaults enabled. Older questions might assume disabled, but current exam reflects the default-on state.

Specific Numbers and Terms That Appear Verbatim

72 hours: The maximum time for domain verification. The exam may ask 'How long does domain verification take?' Answer: Up to 72 hours.

900 domains: Maximum custom domains per tenant.

14 days: Grace period for users to register MFA when security defaults are enabled.

TXT record format: MS=msxxxxxxxxxx (the exact prefix).

Global admin: The first account is always a global admin.

UsageLocation: Required for license assignment; must be an ISO 3166 country code.

Tenant ID: A GUID; used for identity federation.

Edge Cases and Exceptions

Domain already in use: If the custom domain is already associated with another Microsoft 365 tenant, you must remove it from that tenant or use a subdomain (e.g., sub.contoso.com). The exam may test that you can add a subdomain without removing the parent domain from another tenant.

Hybrid identity: If using Azure AD Connect, the UPN suffix must match a verified custom domain. The exam may ask about prerequisites for hybrid deployment.

Trial to paid conversion: Trial tenants expire after 30 days (for most trials). You must convert to a paid subscription before expiration to avoid data loss. The exam may test that you can purchase a subscription and assign licenses.

Multi-geo tenants: For large organizations, data residency can be configured per user. This is an advanced topic but may appear in scenario questions.

How to Eliminate Wrong Answers Using the Underlying Mechanism

When you see a question about domain verification, remember the mechanism: Microsoft needs to confirm you own the domain. A TXT record is a public statement that only the domain owner can create. MX, CNAME, and A records are not proof of ownership because they can be set by anyone with DNS access (e.g., a hosting provider). Therefore, any answer that mentions MX, CNAME, or A records for verification is wrong. Similarly, for license assignment, the mechanism is that each user must have a license object linked to their account. You cannot assign a license to a group directly (unless using group-based licensing, which is a separate feature). So if an answer says 'Assign the license to the group', it's correct only if group-based licensing is configured; otherwise, it's wrong. The exam expects you to know the default behavior.

Key Takeaways

Tenant creation is a one-time event; the region is fixed based on the billing country.

Domain verification uses a TXT record; other DNS records are for service configuration.

The first account is a global admin; secure it with MFA immediately.

Security defaults are enabled by default for new tenants (since October 2021).

Custom domains can be added up to a maximum of 900 per tenant.

License assignment requires a user account and a UsageLocation.

Domain verification must complete within 72 hours; otherwise, the domain remains unverified.

Always set a custom domain as default after verification to simplify user creation.

Use PowerShell for bulk user creation and license assignment.

Break-glass accounts should have no MFA, and their credentials should be stored securely.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

New Tenant Creation

Creates a new Entra ID directory with a unique tenant ID.

Requires sign-up with a new domain or onmicrosoft.com domain.

No pre-existing users or data; all must be created.

Initial admin is the sign-up user.

Data residency fixed based on sign-up country.

Adding Tenant to Existing Subscription

Adds a tenant to an existing Microsoft agreement (e.g., EA, CSP).

Uses an existing tenant; can add custom domains later.

Tenant already has users and configuration.

Admin roles already assigned.

Data residency already established.

Watch Out for These

Mistake: You can change the tenant's geographic region after creation.
Correct: The tenant's data residency region is determined by the country selected during sign-up and cannot be changed. To change region, you must create a new tenant and migrate data.

Mistake: Domain verification requires an MX record.
Correct: Domain verification uses a TXT record only. MX records are for mail routing after verification. The exam tests this distinction explicitly.

Mistake: The first admin account is not necessarily a global admin.
Correct: The account used to sign up for Microsoft 365 is always assigned the Global Administrator role. This is a key security consideration.

Mistake: You can set a custom domain as default before it is verified.
Correct: A custom domain must be verified before it can be set as the default domain. Attempting to set it earlier will fail.

Mistake: Security defaults are disabled by default for new tenants.
Correct: Since October 2021, security defaults are enabled by default for all new Microsoft 365 tenants. This is a change from earlier behavior.

Frequently Asked Questions

How long does it take to verify a custom domain in Microsoft 365?

Domain verification typically completes within a few minutes after the TXT record is added to your DNS zone, but it can take up to 72 hours due to DNS propagation. Microsoft checks for the record periodically. If verification fails after 72 hours, check that the TXT record is exactly as provided, including the 'MS=ms' prefix. You can also use the 'Verify' button in the admin center to re-trigger the check.

Can I change the primary onmicrosoft.com domain of my tenant?

No, the onmicrosoft.com domain (e.g., contoso.onmicrosoft.com) is permanent and cannot be changed or deleted. However, you can set a custom domain as the default for new users. The onmicrosoft.com domain will still exist and can be used for internal routing. You can also hide it from users by not including it in the list of accepted domains.

What happens if I don't verify my custom domain within 72 hours?

If verification does not complete within 72 hours, the domain remains in an 'Unverified' state. You cannot use it for services like email or set it as the default domain. You can retry verification by clicking 'Verify' again in the admin center. Ensure the TXT record is correctly added and propagated. If the issue persists, check for typos or DNS caching.

How many custom domains can I add to a single Microsoft 365 tenant?

You can add up to 900 custom domains to a single tenant. This includes both verified and unverified domains. However, to use a domain for services like Exchange Online, it must be verified. The limit is per tenant, not per subscription.

Do I need to assign a license to the global admin account?

Yes, all users, including global admins, must have a valid license assigned to access Microsoft 365 services. The global admin account created during sign-up typically receives a license automatically. If you create additional admin accounts, ensure they have licenses assigned, otherwise they cannot sign in to the admin center or manage services.

Can I create a tenant without a credit card?

For trial subscriptions, a credit card is usually required for identity verification, though you won't be charged if you cancel before the trial ends. For paid subscriptions, a credit card or invoice payment is required. Some education or nonprofit plans may have different requirements.

What is the difference between a tenant and a subscription?

A tenant is the identity and security boundary (Entra ID directory) that contains users, groups, and policies. A subscription is a billing agreement that provides licenses for services. One tenant can have multiple subscriptions (e.g., E3 and E5), and licenses from different subscriptions can be assigned to users within the same tenant.
