
We're moving an existing application registration from our corporate tenant (foo-corporate.com) to a new dedicated tenant (bar-app.com).

The process of moving the app registration requires creating a new app registration in the bar-app.com tenant.

According to this article, we need to verify the publisher domain (foo-corporate.com) in the new dedicated tenant (bar-app.com).

This is necessary, as the user will otherwise see "unverified" as the publisher on the consent screen (see #5 on the screenshot) instead of the publisher (foo-corporate).

The process to verify the publisher involves hosting a microsoft-identity-association.json file at https://foo-corporate.com/.well-known/ to verify the publisher.

Questions

  • Is there another way to verify the publisher foo-corporate.com for the new app registration in the bar-app.com tenant? We're a large enterprise and our development team doesn't have access to the hosting of foo-corporate.com (public website), so we can't put the JSON file there. I assume this is the case for most larger enterprises.
  • In case there is no other option, do we need to host this file permanently, or is it only needed for a first verification and can be removed afterward?

Update 1

The question is about publisher domain verification and not custom domain verification, as the first answer to this question assumed.

Sample Consent Screen

[Screenshot: Application Consent]
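A pre-flight check for the association file discussed above, added here as an example; it is not part of the original question or of Microsoft's tooling. The sample document and its GUIDs are constructed placeholders; the associatedApplications / applicationId shape is the one Microsoft documents for this file.

```python
import json
import uuid

# Constructed sample of the document served at
# https://<publisher-domain>/.well-known/microsoft-identity-association.json
# The documented shape is an "associatedApplications" array whose entries
# carry the "applicationId" (client ID) of each app registration.
# The GUIDs below are placeholders, not real application IDs.
SAMPLE_ASSOCIATION_JSON = """
{
  "associatedApplications": [
    { "applicationId": "11111111-2222-3333-4444-555555555555" },
    { "applicationId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee" }
  ]
}
"""


def parse_association_document(raw: str) -> set[str]:
    """Return the set of application IDs listed in the document.

    Raises ValueError on any structural problem so a broken file fails
    loudly in a pre-flight check rather than silently in the portal.
    """
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not valid JSON: {exc}") from None
    if not isinstance(doc, dict):
        raise ValueError("top-level value must be a JSON object")
    apps = doc.get("associatedApplications")
    if not isinstance(apps, list) or not apps:
        raise ValueError("'associatedApplications' must be a non-empty array")
    ids: set[str] = set()
    for entry in apps:
        if not isinstance(entry, dict) or "applicationId" not in entry:
            raise ValueError(f"entry lacks 'applicationId': {entry!r}")
        app_id = entry["applicationId"]
        try:
            # Normalise to canonical lowercase form so lookups are
            # case-insensitive and tolerate surrounding braces.
            ids.add(str(uuid.UUID(str(app_id))))
        except ValueError:
            raise ValueError(f"'applicationId' is not a GUID: {app_id!r}") from None
    return ids


def is_app_associated(raw: str, application_id: str) -> bool:
    """True if the given application (client) ID appears in the document."""
    return str(uuid.UUID(application_id)) in parse_association_document(raw)
```

Run it against the file fetched from the publisher domain before starting verification in the portal, using the new app registration's client ID.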

1 Answer


You can verify your domain in Azure AD by adding a custom domain. You can verify it using any of the methods here, which include creating DNS records or placing a file on the site. The file is only required while verifying the domain; it can be deleted after the status shows as verified.

Azure Portal -> Azure AD -> Custom Domains:

[Screenshot: Verify Custom Domain]

From this page:

New applications

When you register a new app, the publisher domain of your app may be set to a default value. The value depends on where the app is registered, particularly whether the app is registered in a tenant and whether the tenant has tenant verified domains.

If there are tenant-verified domains, the app’s publisher domain will default to the primary verified domain of the tenant. If there are no tenant verified domains (which is the case when the application is not registered in a tenant), the app’s publisher domain will be set to null.

Adding a tenant verified domain gives you more verification options. Verification ensures non-repudiation which is essential for Microsoft to display an application's publisher to an end user.

Without placing a file on a website for the domain (I don't have a website), these are the options available to me:

[Screenshot: publisher domain options]

The first is the domain I verified through DNS; the second is the onmicrosoft.com default domain. Using the onmicrosoft domain, however, will not suffice, as it is an Available domain as opposed to a Verified one.