# Conclusion: Domain Control and DNS – Microsoft Entra ID

## 📌 Overview

This project demonstrates the process of adding and verifying a custom domain in Microsoft Entra ID. The project covers:

- Why and when to add a custom domain
- The DNS TXT record verification process, including record components
- What changes after verification
- Branding and identity experience impact
- Domain removal considerations
## 1. Purpose of Adding a Custom Domain

When you first create a Microsoft Entra tenant, Microsoft assigns a default domain in the format:

`<tenant-name>.onmicrosoft.com`

While this default works, it is rarely used for production sign-ins or email addresses. Adding a custom domain (e.g., steventuschmanlab.com) allows you to:

- Replace the default onmicrosoft.com domain for user sign-in addresses
- Match sign-in identities to your organization’s brand
- Prepare for services like Exchange Online, Teams, and external sharing scenarios

**Key point:** The custom domain does not remove the onmicrosoft.com address — it adds an additional domain that can become the primary for new user accounts.
## 2. TXT Record Verification Explained

To prove ownership of a domain, Microsoft Entra requires a TXT record to be added to the domain’s DNS configuration.

Example record structure:

- **Type:** TXT — the record type used for verification.
- **Name:** @ or the full domain name (e.g., steventuschmanlab.com). The @ symbol means the record is placed at the root (apex) of the domain, not at a subdomain.
- **Value:** MS=ms123456789 — a unique code generated by Microsoft for your tenant to verify ownership.
- **TTL:** 3600 — time to live in seconds (1 hour), which defines how long DNS resolvers cache the record before refreshing it.

Why “@” is sometimes used: DNS management tools often use @ as shorthand for the root of the domain. If the provider doesn’t support @, the fully qualified domain name must be used instead.
## 3. Publishing the TXT Record

The TXT record is published by logging into your domain registrar or DNS hosting provider’s portal (e.g., GoDaddy, Namecheap, Cloudflare):

1. Sign in to the DNS provider
2. Locate DNS Management for your domain
3. Add a new record:
   - Type: TXT
   - Name: @ (or full domain name)
   - Value: Microsoft-provided verification string
   - TTL: 3600 or default
4. Save changes
5. Return to the Microsoft Entra portal and select Verify
## 4. Verification Results

✅ **Success case:**

- Microsoft confirms the TXT record exists and matches the expected value
- The domain becomes Verified in Entra ID
- You can now:
  - Set it as the default domain for new users
  - Assign user sign-in names using this domain
  - Apply branded sign-in experiences

❌ **Failure case:**

- The TXT record is missing, incorrect, or not yet propagated
- Microsoft displays an error such as “We couldn’t verify your domain”

Common fixes:

- Double-check the Name and Value fields
- Wait for DNS propagation (up to 72 hours, though usually faster)
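Before selecting Verify, it helps to confirm from outside the tenant that the record is actually visible at the domain apex. The following is an added example, not code from the original project: it parses `dig +short TXT` output and classifies the apex TXT set as ready, stale (only a different MS=ms token published) or missing. The domain, token and sample output are constructed placeholders, and `lookup_txt` assumes `dig` is installed with network access.

```python
import re
import subprocess

# Constructed placeholders, not real tenant data: the domain from this write-up
# and a token in the MS=ms... shape the Entra portal displays.
DOMAIN = "steventuschmanlab.com"
EXPECTED_TOKEN = "MS=ms123456789"

# Verification values have the shape MS=ms<digits>; compare case-insensitively.
TOKEN_RE = re.compile(r"^MS=ms\w+$", re.IGNORECASE)


def parse_txt_strings(raw: str) -> list[str]:
    """Turn `dig +short TXT` output into one string per TXT record.
    dig prints each record as quoted character-strings; a long record may
    appear as "part1" "part2", which DNS joins back together."""
    records = []
    for line in raw.splitlines():
        parts = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        if parts:
            records.append("".join(parts).replace('\\"', '"'))
    return records


def find_verification_tokens(records: list[str]) -> list[str]:
    """Keep only MS=ms... tokens; SPF, DKIM and other TXT data are ignored."""
    return [r.strip() for r in records if TOKEN_RE.match(r.strip())]


def check_record(records: list[str], expected: str = EXPECTED_TOKEN) -> str:
    """'ready' if the expected token is published; 'stale' if only other MS=ms
    tokens are present (old or different tenant); 'missing' otherwise
    (not added, wrong Name field, or not yet propagated)."""
    found = [t.lower() for t in find_verification_tokens(records)]
    if expected.lower() in found:
        return "ready"
    return "stale" if found else "missing"


def lookup_txt(domain: str = DOMAIN) -> list[str]:
    """Query the apex TXT records with dig (needs dig and network access)."""
    out = subprocess.run(["dig", "+short", "TXT", domain],
                         capture_output=True, text=True, check=True).stdout
    return parse_txt_strings(out)


# Constructed sample of dig output for an apex that also carries an SPF record.
SAMPLE_DIG_OUTPUT = '"v=spf1 include:spf.protection.outlook.com -all"\n"MS=ms123456789"\n'

if __name__ == "__main__":
    print(check_record(parse_txt_strings(SAMPLE_DIG_OUTPUT)))  # prints "ready"
```

Run `check_record(lookup_txt())` against a public resolver; a "missing" result right after saving the record usually means the Name field landed on a subdomain or the change has not propagated yet.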
## 5. Changes After Verification

Once the domain is verified:

- **Default domain selection:** You can choose the custom domain as the default for all new user accounts
- **User sign-ins:** New users can sign in with an address on the custom domain (for example, user@steventuschmanlab.com, where user is a placeholder) instead of their onmicrosoft.com address (user@<tenant-name>.onmicrosoft.com)
- **Branding:** The sign-in page can display your organization’s name and logo, improving trust and recognition
- **Email and services:** Custom domains are required for branded email addresses and many Microsoft 365 features
## 6. Removing a Domain

If a verified domain is removed:

- Users with addresses in that domain must be reassigned to another verified domain
- Sign-in and email addresses tied to that domain will no longer function
- Any branding linked to that domain is lost
## 🧠 Key Learnings

- Custom domains enhance brand trust by aligning sign-in addresses and portal branding with your organization
- TXT records are the standard DNS mechanism for domain ownership verification in Microsoft Entra ID
- TTL values affect how quickly verification changes are visible across the internet
- Publishing the record involves direct changes at your DNS provider’s portal, not within Microsoft Entra itself
- Domain removal requires a cleanup of all associated accounts and services before it can be completed