10
votes

I have added a domain name to my Azure Active Directory account, but it says that the domain name is unverified.

In order to verify the domain name, I go into my 'default directory' and go to the 'Domains' tab, where I can see my whatever.com domain name listed. I click it to highlight it and then click on the Verify button at the bottom bar and a box pops up: 'Configure domain for single sign-on', telling me to go to the "Directory Integration page and complete all steps..." There's also a checkbox, asking to take me to the Directory Integration page now. And that's it, except for the tick button in the bottom right.

Screenshot of the screen I have.

The only option I have is to be sent to the Directory Integrations page, with help topics that point to other web pages that do not necessarily reflect what I'm seeing inside the Azure Portal, in terms of verifying domain names.

I understand that I need to create a TXT record on the domain name I have already purchased, and I can see from other screenshots that I need to find a value within Azure (somewhere) that has the value 'MS=xxxxxx' but finding out where to get that value from is proving difficult.

Am I looking in the wrong place for this?

3
Are you planning on setting up single sign-on (with, for example, AD FS or some other on-premises STS)? - Philippe Signoret
I am planning on setting up the domain to work with Single Sign On, yes. - Brett Rigby

3 Answers

8
votes

In the current version of the management portal, the necessary verification information is only displayed if you do not check the option for "I plan to configure this domain for single sign-on...".

If you add the domain and leave that option unchecked, the next step of the dialog will display the MS=xxxxxxxxx value that you need to register as a TXT entry on your DNS server.

I believe the reason it's not displayed when you opt for single sign-on is that the value is meant to be retrieved as part of the AD FS configuration (or whichever STS implementation you will be deploying).

Check out this article: Quick Start Guide for Integrating a Single Forest On-Premises Active Directory with Windows Azure AD

In particular you are probably looking for the Get-MsolDomainVerificationDns cmdlet.

I don't have an AD FS deployment to verify this on currently, but I'd be very surprised if the TXT values differ between the two setups, so the first thing I would try is grabbing the value from the screens when the single sign-on is not selected and adding it to your DNS zone.

Hopefully, this points you in the right direction.

Edit: An updated article covering the updated management portal is now available: Add a custom domain name to Azure Active Directory

3
votes

Type the below code into your Windows Azure Active Directory Module for PowerShell:

    Get-MsolDomainVerificationDns -DomainName <domainName> -Mode dnstxtrecord

where domainName is the domain that you need to verify. You will get a Label, Text and TTL. You need to add this to the DNS record of your domain (domainName) and then type the below code to complete the verification process.

    Confirm-MsolDomain -DomainName <domainName>

Of course, you need to connect to your Azure account before you verify the domain.

    Connect-MsolService -Credential $cred
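The steps in the answer above, combined into one script that checks the TXT record is actually published before confirming, as an added example that is not part of the original answer. The `$Resolver` variable and its address are assumptions, and `whatever.com` is the placeholder domain from the question.

```powershell
# Added example: connect, fetch the expected TXT value, check DNS, then confirm.
Import-Module MSOnline

$DomainName = 'whatever.com'   # placeholder domain from the question
$Resolver   = '8.8.8.8'        # assumption: any public resolver outside your own network

# Connect first; Get-Credential prompts for the directory admin account.
$cred = Get-Credential
Connect-MsolService -Credential $cred

# Nothing to do if the domain has already been verified.
$domain = Get-MsolDomain -DomainName $DomainName
if ($domain.Status -eq 'Verified') {
    Write-Output "$DomainName is already verified."
    return
}

# The value Azure AD expects to find in DNS (the MS=xxxxxx string).
$expected = Get-MsolDomainVerificationDns -DomainName $DomainName -Mode DnsTxtRecord
Write-Output "TXT record to create -> Label: $($expected.Label)  Text: $($expected.Text)  TTL: $($expected.Ttl)"

# Ask a public resolver what is published, bypassing local caches and hosts files.
# A TXT record can be split into several strings, so join them per record.
$published = Resolve-DnsName -Name $DomainName -Type TXT -Server $Resolver -DnsOnly -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'TXT' } |
    ForEach-Object { $_.Strings -join '' }

if ($published -contains $expected.Text) {
    # The record is visible from outside, so the verification can be completed.
    Confirm-MsolDomain -DomainName $DomainName
    Write-Output "Status now: $((Get-MsolDomain -DomainName $DomainName).Status)"
}
else {
    # Not published yet (or a different value): confirming now would fail.
    Write-Warning "TXT value '$($expected.Text)' not found for $DomainName via $Resolver."
    Write-Warning "Published TXT values: $($published -join '; ')"
}
```

Checking against an external resolver shows what is visible outside your own network; a record that only resolves internally will not verify.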

2
votes

If you are adding a new domain:

  1. Be sure you're in the "Domains" tab in the portal when you add your domain via the popup dialog.
  2. Once it says it's successfully added, click the "right arrow" button in the bottom-right of the dialog.
  3. The second page should have the TXT record you need to add.

If you already added it and it's waiting to be verified:

  1. Be sure you're in the "Domains" tab in the portal.
  2. Select your domain with an "Unverified" status.
  3. Click on the "Verify" icon at the bottom and it will bring up a dialog with the TXT record you need to add.