Tutorial / Cram Notes
When managing identities and access within an organization, consistent branding and a familiar sign-in name come from configuring and managing custom domains. For professionals preparing for the SC-300 Microsoft Identity and Access Administrator exam, knowing how to add, verify and manage custom domains in Azure Active Directory (Azure AD, now Microsoft Entra ID) is vital.
Custom Domains in Azure Active Directory
By default, a new Azure AD tenant gets an initial domain of the form tenantname.onmicrosoft.com. It works, but it does not reflect your company’s branding, and it can never be renamed or removed. Adding and verifying a custom domain lets employees sign in with a user principal name (UPN) whose suffix is a familiar domain that matches your corporate identity.
Adding a Custom Domain
To add a custom domain to Azure AD:
- Access Azure Active Directory: In the Azure portal, navigate to the Azure Active Directory service.
- Navigate to Custom Domain Names: In the Azure Active Directory blade, under Manage, select Custom domain names.
- Add Custom Domain: Click “+ Add custom domain” and enter the domain name you wish to add.
- Verify Domain: To prove ownership, Azure AD shows a TXT record (or, for DNS hosts that cannot create TXT records, an MX record) whose value is a verification token of the form MS=msXXXXXXXX. Create it at whichever provider is authoritative for the domain’s DNS; this is often a DNS hosting provider rather than the registrar itself.
- Verify in Azure Portal: After the record is published, return to the portal and click Verify. Azure AD performs its own DNS lookup, so if the record was only just added, allow time for propagation and confirm it is visible from a public resolver first.
Setting Primary and Secondary Domains
You can set one verified domain as the primary (default) domain; it is offered as the default UPN suffix when new users are created, although any verified domain can be chosen per user. Secondary domains are useful when divisions or subsidiaries within the same tenant need distinct sign-in or email domains.
To set the primary or secondary domain:
- Select the Domain: In the Custom domain names section, click on the domain you wish to set as primary.
- Make Primary: Click “Make primary” to set the chosen domain as the default domain.
- Add Secondary Domains: Repeat the add and verify process for any additional domains.
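The add, verify and make-primary steps above, scripted end to end with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original notes or from Microsoft. It assumes the Microsoft.Graph modules are installed, the signed-in account holds the Domain Name Administrator role (or Global Administrator), and that contoso.com and the MS=... token in the comments are placeholders. Before calling Verify it polls one of the domain’s own authoritative name servers, so a cached answer from a local resolver cannot make the record look present (or absent) when it is not.

```powershell
# Added example: add a custom domain, wait for its verification TXT record, verify it and
# optionally make it primary. Placeholders: contoso.com (pass with -DomainName), the MS=... token.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.DirectoryManagement
param(
    [Parameter(Mandatory)] [string] $DomainName,   # e.g. contoso.com
    [switch] $MakePrimary,
    [int] $MaxWaitMinutes = 60
)

Connect-MgGraph -Scopes 'Domain.ReadWrite.All' -NoWelcome

# 1. Register the domain name; it stays unverified until the DNS proof exists.
$domain = Get-MgDomain -DomainId $DomainName -ErrorAction SilentlyContinue
if (-not $domain) { $domain = New-MgDomain -Id $DomainName }

if (-not $domain.IsVerified) {
    # 2. Fetch the TXT proof record (an MX alternative is returned alongside it).
    $txt = Get-MgDomainVerificationDnsRecord -DomainId $DomainName |
        Where-Object RecordType -eq 'Txt' | Select-Object -First 1
    $token = $txt.AdditionalProperties['text']          # e.g. MS=ms12345678 (placeholder)
    Write-Host "Publish this TXT record at the DNS host for ${DomainName}:"
    Write-Host "  Name=$($txt.Label)  Value=$token  TTL=$($txt.Ttl)"

    # 3. Poll one of the domain's authoritative name servers (not a caching resolver) until
    #    the record is visible, so the Verify call is not made against stale data.
    $ns = Resolve-DnsName -Name $DomainName -Type NS |
        Where-Object Type -eq 'NS' | Select-Object -First 1 -ExpandProperty NameHost
    $deadline = (Get-Date).AddMinutes($MaxWaitMinutes)
    do {
        $seen = Resolve-DnsName -Name $txt.Label -Type TXT -Server $ns -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'TXT' -and ($_.Strings -join '') -eq $token }
        if (-not $seen) { Write-Host "Waiting for TXT record at $ns ..."; Start-Sleep -Seconds 60 }
    } until ($seen -or (Get-Date) -gt $deadline)
    if (-not $seen) { throw "TXT record for $DomainName not visible at $ns after $MaxWaitMinutes min" }

    # 4. Ask Azure AD to verify; it performs its own lookup, so public propagation still matters.
    try {
        Confirm-MgDomain -DomainId $DomainName -ErrorAction Stop | Out-Null
    } catch {
        throw "Verification rejected by Azure AD (propagation to Microsoft's resolvers may still be pending): $_"
    }
    $domain = Get-MgDomain -DomainId $DomainName
}

# 5. Optionally make it the primary (default UPN suffix) domain.
if ($MakePrimary -and $domain.IsVerified -and -not $domain.IsDefault) {
    Update-MgDomain -DomainId $DomainName -IsDefault:$true
}

# Show the tenant's domains; IsInitial marks the onmicrosoft.com domain that cannot be removed.
Get-MgDomain | Select-Object Id, IsVerified, IsDefault, IsInitial, AuthenticationType |
    Format-Table -AutoSize
```

Run it as `.\Add-CustomDomain.ps1 -DomainName contoso.com -MakePrimary`. The script is safe to re-run: an already registered domain is not re-created, and an already verified one skips straight to the primary-domain step.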
DNS Records for Custom Domains
For mail flow, Teams, device registration and other services, further DNS records must be added or modified, such as MX, TXT (SPF), CNAME (for example autodiscover) or SRV records. The exact set depends on the services your organization uses (Exchange Online, Teams, SharePoint Online, Intune), and Azure AD lists the records it expects for a verified domain under that domain’s service configuration records.
Monitor and Manage Domain Settings
It’s essential to monitor and manage these settings consistently:
- DNS Monitoring: Regularly check DNS records to ensure they are correct and have not been altered.
- Federation Certificates: Azure AD supplies the TLS certificates for its own sign-in endpoints, so a managed domain has nothing to renew. For a federated domain, track the expiry of the IdP token-signing certificate registered in Azure AD and roll it over before it lapses, or sign-in fails for every user in that domain.
- Audit Logs: Review audit logs to see if any changes have been made to the domain settings.
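A monitoring script for the two checks above that can be automated: compare the DNS records Azure AD and Microsoft 365 expect for a verified domain against what public DNS actually serves, and list who changed domain settings recently. This is an added example, not code from the original notes or from Microsoft. It assumes the Microsoft.Graph modules, an account with Domain.Read.All and AuditLog.Read.All, contoso.com as a placeholder, and that domain-related audit entries can be picked out by the word "domain" in their activity name (an assumption about display names; the filter is applied client-side for that reason).

```powershell
# Added example: DNS drift check against Azure AD's expected service records, plus a
# recent-audit-events listing for domain management. Placeholder: contoso.com (-DomainName).
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Reports
param(
    [Parameter(Mandatory)] [string] $DomainName,
    [string] $Resolver = '1.1.1.1',   # any public resolver; what Microsoft and the world see
    [int] $AuditDays = 7
)

Connect-MgGraph -Scopes 'Domain.Read.All', 'AuditLog.Read.All' -NoWelcome

function Test-ExpectedRecord {
    # Compare one expected record (from Get-MgDomainServiceConfigurationRecord) with live DNS.
    param($Record, [string] $Resolver)
    $p    = $Record.AdditionalProperties          # type-specific fields live here in the SDK
    $type = $Record.RecordType.ToUpper()          # Mx/Txt/CName/Srv -> MX/TXT/CNAME/SRV
    $live = Resolve-DnsName -Name $Record.Label -Type $type -Server $Resolver -ErrorAction SilentlyContinue |
        Where-Object Type -eq $type
    switch ($type) {
        'MX'    { $expected = $p['mailExchange'];  $actual = @($live.NameExchange) }
        'TXT'   { $expected = $p['text'];          $actual = @($live | ForEach-Object { $_.Strings -join '' }) }
        'CNAME' { $expected = $p['canonicalName']; $actual = @($live.NameHost) }
        'SRV'   { $expected = $p['nameTarget'];    $actual = @($live.NameTarget) }
        default { $expected = '(unsupported)';     $actual = @() }
    }
    [pscustomobject]@{
        Service  = $Record.SupportedService
        Type     = $type
        Name     = $Record.Label
        Expected = $expected
        Actual   = ($actual -join ', ')
        Ok       = [bool]($actual | Where-Object { $_ -eq $expected })
    }
}

# DNS drift: a changed MX or SPF record can silently redirect or spoof the organization's mail.
# An SPF TXT that was legitimately merged with other senders will show Ok=False; review, don't auto-fix.
$drift = Get-MgDomainServiceConfigurationRecord -DomainId $DomainName |
    ForEach-Object { Test-ExpectedRecord -Record $_ -Resolver $Resolver }
$drift | Format-Table -AutoSize
$bad = @($drift | Where-Object { -not $_.Ok })
if ($bad.Count -gt 0) { Write-Warning "$($bad.Count) expected record(s) missing or altered for $DomainName" }

# Audit trail: who added, verified, federated or deleted domains in the last $AuditDays days.
$since = (Get-Date).AddDays(-$AuditDays).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogDirectoryAudit -Filter "activityDateTime ge $since" -All |
    Where-Object { $_.ActivityDisplayName -match 'domain' } |   # assumption: display names contain "domain"
    Select-Object ActivityDateTime, ActivityDisplayName, Result,
        @{ n = 'Actor';  e = { $_.InitiatedBy.User.UserPrincipalName } },
        @{ n = 'Target'; e = { ($_.TargetResources | ForEach-Object DisplayName) -join ', ' } } |
    Format-Table -AutoSize
```

Schedule it and alert on the warning; an unexpected actor in the audit listing, or an MX that now points somewhere other than Microsoft’s mail protection hosts, is worth an immediate look.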
Managing Subdomains
If your organization also uses subdomains (for example eu.contoso.com), each one must be added as its own domain name in Azure AD before it can serve as a UPN suffix. Ownership is inherited, so a subdomain of a domain already verified in the same tenant is verified automatically with no extra DNS record; a subdomain whose parent is not in the tenant goes through the full TXT/MX verification.
Troubleshooting Domain Issues
Common issues when configuring custom domains may include:
- DNS Propagation Delays: DNS changes could take up to 72 hours to propagate through the internet.
- Typographical Errors: Double-check all DNS records for accuracy.
- Existing Domain Verification Errors: A domain name can be verified in only one Azure AD tenant at a time. If it is already verified elsewhere (a tenant a subsidiary created, or an unmanaged tenant auto-created when employees signed up for a trial service), it must be removed from that tenant first; for an unmanaged tenant an administrator can take it over by proving DNS ownership, otherwise support intervention is needed.
Custom Domains and Federated Identity
For organizations using a federated identity model (AD FS, PingFederate or another SAML/WS-Fed IdP), the domain’s authentication type is switched from managed to federated: Azure AD redirects sign-ins for that UPN suffix to the IdP and accepts tokens signed with the IdP’s registered token-signing certificate. That certificate is therefore a tenant-critical secret, since anyone holding its private key can mint tokens for any user in the domain. Federation also entails rolling the IdP signing certificate over before it expires (Azure AD can hold a current and a next certificate), keeping the federation endpoints and metadata in sync, and monitoring the IdP for outages, because a down IdP blocks sign-in for the whole domain.
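A read-only check of the federation settings described above, with the signing-certificate expiry computed from what Azure AD actually holds. This is an added example, not code from the original notes, from Microsoft or from any IdP vendor. It assumes the Microsoft.Graph modules, an account with Domain.Read.All, and contoso.com as a placeholder for a domain whose authentication type is Federated.

```powershell
# Added example: show a federated domain's IdP endpoints and MFA trust setting, and report when
# the registered token-signing certificate(s) expire. Placeholder: contoso.com (-DomainName).
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.DirectoryManagement
param(
    [Parameter(Mandatory)] [string] $DomainName,
    [int] $WarnDays = 30
)

Connect-MgGraph -Scopes 'Domain.Read.All' -NoWelcome

$domain = Get-MgDomain -DomainId $DomainName
if ($domain.AuthenticationType -ne 'Federated') {
    Write-Host "$DomainName is '$($domain.AuthenticationType)', not federated; nothing to check."
    return
}

function ConvertFrom-Base64Certificate {
    # Azure AD stores the IdP signing certificate as a base64-encoded DER blob.
    param([string] $Base64)
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        [Convert]::FromBase64String($Base64))
}

$report = foreach ($fed in Get-MgDomainFederationConfiguration -DomainId $DomainName) {
    # The endpoints Azure AD redirects to and the MFA trust setting: changes here are high-impact,
    # because they decide who may issue tokens for the domain and whether IdP MFA claims are trusted.
    [pscustomobject]@{
        IssuerUri               = $fed.IssuerUri
        PassiveSignInUri        = $fed.PassiveSignInUri
        MetadataExchangeUri     = $fed.MetadataExchangeUri
        FederatedIdpMfaBehavior = $fed.FederatedIdpMfaBehavior
        CertUpdateResult        = $fed.SigningCertificateUpdateStatus.CertificateUpdateResult
    } | Format-List | Out-String | Write-Host

    $certs = @([pscustomobject]@{ Role = 'Current'; Base64 = $fed.SigningCertificate })
    if ($fed.NextSigningCertificate) {
        $certs += [pscustomobject]@{ Role = 'Next'; Base64 = $fed.NextSigningCertificate }
    }
    foreach ($c in $certs) {
        $x        = ConvertFrom-Base64Certificate $c.Base64
        $daysLeft = [int]($x.NotAfter - (Get-Date)).TotalDays
        $status   = if ($daysLeft -lt 0) { 'EXPIRED' } elseif ($daysLeft -lt $WarnDays) { 'EXPIRING' } else { 'OK' }
        [pscustomobject]@{
            Role       = $c.Role
            Subject    = $x.Subject
            Thumbprint = $x.Thumbprint
            NotAfter   = $x.NotAfter
            DaysLeft   = $daysLeft
            Status     = $status
        }
    }
}

$report | Format-Table -AutoSize
```

Compare the thumbprints against the certificates actually installed on the IdP: a certificate registered in Azure AD that the IdP team does not recognise is a sign that someone else has been granted the ability to sign tokens for the domain.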
Conclusion
In summary, configuring and managing custom domains in Azure AD involves a clear set of steps: adding the custom domain, verifying ownership through DNS, setting primary and secondary domains, adjusting necessary DNS records, and continual monitoring and management. Properly managed custom domains enhance the professional appearance of your organization and streamline the user experience for identity and access management.
For the SC-300 exam, understanding these procedures, troubleshooting typical problems, and knowledge of federated identity integration will be critical for a successful outcome. Remember that precise execution of these tasks will ensure a seamless and secure identity experience for users within your organization.
Practice Test with Explanation
True or False: You can add up to 900 custom domain names to your Azure AD directory.
- True
Explanation: 900 is the long-standing per-tenant limit quoted in SC-300 study material. Current Microsoft Entra documentation lists a higher ceiling (5,000 managed domain names, or 2,500 if every domain is federated), so check the live documentation; the exam point is that the limit is per tenant and well above what most organizations need. Verified domains serve as UPN suffixes, email addresses and application namespaces.
True or False: Once you add a custom domain to Azure AD, you can remove the initial domain.
- False
Explanation: The initial domain created with the tenant (e.g., domainname.onmicrosoft.com) can never be removed or renamed, even after custom domains are added. A verified custom domain can be removed, but only once nothing references it (users, groups or applications still using it as a UPN or proxy-address suffix must be updated first) and, if it is the current primary domain, after another domain has been made primary.
Which DNS record type must be configured to prove domain ownership in Azure AD?
- A) A Record
- B) MX Record
- C) CNAME Record
- D) TXT Record
Answer: D) TXT Record
Explanation: TXT is the record Azure AD proposes by default and the expected exam answer; an MX record carrying the same verification token is offered as an alternative for DNS hosts that cannot create TXT records at the domain apex. The record proves only that you control the domain’s DNS, and it has no further function once the domain shows as verified.
True or False: Azure AD requires domain registrars to support DNSSEC for custom domain configuration.
- False
Explanation: While DNS Security Extensions (DNSSEC) adds an additional layer of security, it is not required by Azure AD for custom domain configuration.
Which of the following attributes can be customized after adding your custom domain in Azure AD?
- A) Username suffix for new users
- B) Tenant URL in Azure AD
- C) Global administrator login URL
- D) All of the above
Answer: A) Username suffix for new users
Explanation: After adding a custom domain to Azure AD, you can use it as a username suffix for new users, allowing them to have an email address that matches your organization’s domain.
True or False: You can configure a custom domain in Azure AD without an on-premises server.
- True
Explanation: You do not need to have an on-premises server to configure a custom domain in Azure AD. It can be done entirely through Azure’s cloud-based services, given you have access to your domain’s DNS settings.
To configure a custom domain for your Azure AD tenant, what needs to be verified first?
- A) Your identity as a global administrator
- B) The domain’s MX record
- C) The domain’s ownership
- D) Your company’s DUNS number
Answer: C) The domain’s ownership
Explanation: The primary requirement is to verify domain ownership by configuring the DNS records that Microsoft specifies when you try to add the domain to Azure AD.
True or False: Subdomains must be added to Azure AD as separate custom domains.
- True
Explanation: A subdomain (e.g., eu.contoso.com) must be added as its own domain name entry before it can be used as a UPN suffix. If its parent domain is already verified in the same tenant, however, no new DNS record is needed: the subdomain is verified automatically on the strength of the parent’s verification.
When adding a custom domain to Azure AD, how long do DNS record changes typically take to propagate worldwide?
- A) Instantly
- B) 5 minutes
- C) 15 minutes to 1 hour
- D) 24 to 48 hours
Answer: D) 24 to 48 hours
Explanation: DNS record changes may take up to 24 to 48 hours to propagate worldwide. However, in practice, it often happens faster, but the full time range should be allowed for.
True or False: Azure AD Premium P1 or P2 licenses are required to add custom domain names.
- False
Explanation: There is no licensing requirement for the basic custom domain name management features within Azure AD; it’s available in the free edition as well.
Which SSL certificate type is necessary for securing custom domain access on Azure AD?
- A) EV SSL Certificate
- B) Wildcard SSL Certificate
- C) Self-signed SSL Certificate
- D) None, Azure handles it automatically
Answer: D) None, Azure handles it automatically
Explanation: Sign-in for a custom domain still happens at Microsoft-operated endpoints (login.microsoftonline.com), so the TLS certificates are Microsoft’s and you never install one for the domain in Azure AD. The only certificate you manage yourself is the token-signing certificate of a federated IdP.
True or False: Custom domains in Azure AD can be configured to require multi-factor authentication (MFA) for all users.
- True
Explanation: MFA is not a property of the domain; it is enforced through Conditional Access policies (or security defaults), which apply to users regardless of which verified domain forms their UPN suffix. For a federated domain, the federation configuration’s federatedIdpMfaBehavior setting decides whether MFA claims from the on-premises IdP are accepted or Azure AD MFA is enforced anyway.
Interview Questions
What is a custom domain in Microsoft 365?
A custom domain in Microsoft 365 is a domain name that you can add to your organization’s Microsoft 365 account to use with your email and other services.
How do you add a custom domain in Microsoft 365?
To add a custom domain in Microsoft 365, go to the Microsoft 365 admin center, navigate to the Setup > Domains page, click Add domain, and follow the prompts to verify ownership of the domain.
What is the purpose of adding a custom domain in Microsoft 365?
Adding a custom domain in Microsoft 365 can help organizations maintain their brand identity and improve their online presence.
Can you add custom subdomains or multiple domains to Microsoft 365?
Yes, you can add custom subdomains and multiple domains to Microsoft 365.
How do you manage a custom domain in Microsoft 365?
You can manage a custom domain in Microsoft 365 through the admin center, where you can add or remove users, manage DNS settings, and configure email routing.
How long does it take to verify a domain in Microsoft 365?
The time it takes to verify a domain in Microsoft 365 can vary depending on your domain registrar and DNS settings. It typically takes up to 72 hours for DNS changes to propagate.
Can you use a domain that is already registered with another service in Microsoft 365?
Yes, you can use a domain that is already registered with another service in Microsoft 365. However, you will need to update the DNS records for the domain to point to Microsoft 365.
How do you set or change the default domain in Microsoft 365?
To set or change the default domain in Microsoft 365, go to the Setup > Domains page, select the domain that you want to set as the default, and click Set as default.
What are some common DNS records that need to be added for a custom domain in Microsoft 365?
Some common DNS records that need to be added for a custom domain in Microsoft 365 include MX records, SPF records, and CNAME records.
Can you add a custom domain to a Microsoft 365 tenant that already has a default domain?
Yes, you can add a custom domain to a Microsoft 365 tenant that already has a default domain.
How many custom domains can you add to a Microsoft 365 tenant?
Study material quotes 900 custom domains per tenant; current Microsoft documentation lists a higher limit (5,000 managed domain names, or 2,500 if all are federated), so check the live documentation for the exact figure.
What is a DNS provider?
A DNS provider is a service that manages the DNS records for your domain and helps to resolve domain names to IP addresses.
Can you use a domain that is not registered with a domain registrar in Microsoft 365?
No, you must have a domain that is registered with a domain registrar to add it to Microsoft 365.
Can you remove a custom domain from Microsoft 365?
Yes, you can remove a custom domain from Microsoft 365 by going to the Setup > Domains page and selecting the domain that you want to remove.
How do you troubleshoot issues with a custom domain in Microsoft 365?
To troubleshoot issues with a custom domain in Microsoft 365, you can use the Microsoft 365 admin center or contact Microsoft support for assistance. Common issues include DNS misconfigurations, expired domains, and ownership verification failures.
This blog post is very helpful for understanding custom domain configurations in SC-300.
Can someone explain how to verify a custom domain in Azure AD?
Once the DNS record is added, how long does it usually take for the domain to be verified?
Is it possible to configure multiple custom domains in a single Azure AD tenant?
When configuring a custom domain, are there any common issues to watch out for?
Thank you for this comprehensive guide on custom domains. Really appreciate it!
I faced issues while verifying my domain. What could be the possible reasons?
Can custom domains in Azure AD affect user authentication in any way?