Microsoft 365 Identity and Services Exam Guide MS-100

You're reading from Microsoft 365 Identity and Services Exam Guide MS-100: Expert tips and techniques to pass the MS-100 exam on the first attempt

Product type Paperback
Published in Jun 2023
Publisher Packt
ISBN-13 9781838987947
Length 462 pages
Edition 1st Edition
Author: Aaron Guilmette

Implementing and managing domains

The managed domain is part of the Microsoft 365 tenant for its entire lifecycle. While it is a fully-functioning domain name space (complete with its own managed publicly available domain name system), most organizations will want to use their organization’s domain names—especially when it comes to sending and receiving email or communicating via Microsoft Teams.

Organizations can use any public domain name with Microsoft 365. Microsoft supports configuring up to 900 domains in a tenant; you can configure both top-level domains (such as contoso.com) and subdomains (businessunit.contoso.com) with your Microsoft 365 tenant.

Acquiring a domain name

Many organizations begin their Microsoft 365 journey with existing domain names. Those existing domain names can be used with Microsoft 365. In addition, you can purchase new domain names to be associated with your tenant.

Third-party registrar

Most large organizations have existing relationships with third-party domain registrars, such as Network Solutions or GoDaddy. You can use any ICANN-accredited registrar for your region to purchase domain names.

About ICANN

ICANN (short for Internet Corporation for Assigned Names and Numbers) is a non-profit organization tasked with providing guidance and policy around the internet’s unique identifiers (domains). It was chartered in 1998. Prior to 1998, Network Solutions operated the global domain name system registry under a subcontract from the United States Defense Information Systems Agency.

You can search the list of domain registrars here: https://www.icann.org/en/accredited-registrars.

Microsoft

In addition to choosing a third-party registrar, organizations may also wish to use Microsoft as the registrar. Depending on your subscription, you may have direct access to purchasing domain names from within the Microsoft 365 admin center, as shown in Figure 1.4:

Figure 1.4 – Purchasing a domain through the Microsoft 365 admin center

When purchasing a domain through Microsoft, you can select from the following top-level domains:

  • .biz
  • .com
  • .info
  • .me
  • .mobi
  • .net
  • .org
  • .tv
  • .co.uk
  • .org.uk

Domain purchases will be billed separately from your Microsoft 365 subscription services. When purchasing a domain from Microsoft, you’ll have limited ability to manage Domain Name System (DNS) records. If you require custom configuration (such as configuring an MX record to point to a non-Microsoft 365 server), you’ll need to purchase a domain separately.

Configuring a domain name

Configuring a domain for your tenant is a simple procedure and requires access to your organization’s public DNS service provider. Many large organizations may host DNS themselves, while other organizations choose to pay service providers (such as the domain registrar) to host the services.

In order to be compatible with Microsoft 365, a DNS service must support configuring the following types of records:

  • CNAME: Canonical Name records are alias records for a domain, allowing a name to point to another name as a reference. For example, let’s say you have a website named www.contoso.com that resolves to an IP address of 1.2.3.4. Later, you want to start building websites for na.contoso.com and eu.contoso.com on the same web server. You might implement a CNAME record for na.contoso.com to point to www.contoso.com.
  • TXT: A Text Record is a DNS record used to store somewhat unstructured information. Request for Comments (RFC) 1035 (https://tools.ietf.org/html/rfc1035) specifies that the value must be a text string and gives no specific format for the value data. Over the years, Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and other authentication and verification data have been published as TXT records. In addition to SPF and DKIM, the Microsoft 365 domain addition process requires the administrator to place a certain value in a TXT record to confirm ownership of the domain.
  • SRV: A Service Locator record is used to specify a combination of a host in addition to a port for a particular internet protocol or service.
  • MX: The Mail Exchanger record is used to identify which hosts (servers or other devices) are responsible for handling mail for a domain.

In order to use a custom domain (sometimes referred to as a vanity domain) with Microsoft 365, you’ll need to add it to your tenant.

To add a custom domain, follow these steps:

  1. Navigate to the Microsoft 365 admin center (https://admin.microsoft.com) and log in.
  2. Expand Settings and select Domains.

Figure 1.5 – Domains page of the Microsoft 365 admin center

  3. Click Add domain.
  4. On the Add a domain page, enter the custom domain name you wish to add to your Microsoft 365 tenant. Select Use this domain to continue.

Figure 1.6 – Add a domain page

  5. If your domain is registered at a host that supports Domain Connect, you can provide your credentials to the Microsoft 365 Add domain wizard and click Verify. Microsoft will automatically configure the necessary domain records and complete the entire DNS setup for you. You can also select More options to see all of the potential verification methods available, as shown in Figure 1.7:

Figure 1.7 – Verify domain ownership

  6. If you choose any of the additional verification options (such as Add a TXT record to the domain’s DNS records), you’ll need to manually add DNS records with your DNS service provider. Microsoft provides the value configuration parameters necessary for you to configure DNS with your own service provider. After entering the values with your service provider, you can come back to the wizard and select Verify, as shown in Figure 1.8:

Figure 1.8 – Completing verification records manually

  7. If you're using Domain Connect, enter the credentials for your registrar. When ready, click Connect.

Figure 1.9 – Authorizing Domain Connect to update DNS records

  8. Select Let Microsoft Add your DNS records (recommended) to have the Microsoft 365 wizard update your organization’s DNS records at the registrar. However, if you are going to be configuring advanced scenarios such as Exchange Hybrid for mail coexistence and migration or have other complex requirements, you may want to consider managing the DNS records manually or opting out of select services. Click Continue.

Figure 1.10 – Connecting domain to Microsoft 365

  9. Choose whether to allow Microsoft to add DNS records. Expand the Advanced options drop-down:
    1. The first checkbox, Exchange and Exchange Online Protection, manages DNS settings for Outlook and email delivery. If you have an existing Exchange Server deployment on-premises (or another mail service solution), you should clear this checkbox before continuing. You’ll need to come back to configure DNS settings to establish hybrid connectivity correctly. The default selected option means that Microsoft will make the following updates to your organization’s DNS:
      1. Your organization’s MX record will be updated to point to Exchange Online Protection.
      2. The Exchange Autodiscover record will be updated to point to autodiscover.outlook.com.
      3. Microsoft will update your organization’s SPF record with v=spf1 include:spf.protection.outlook.com -all.

Figure 1.11 – Adding DNS records

    2. The second setting, Skype for Business, will configure DNS settings for Skype for Business. If you have an existing Skype for Business Online deployment or you’re using Skype for Business on-premises, you may need to clear this box until you verify your configuration:
      1. Microsoft will add two SRV records: _sip._tls.@<domain> and _sipfederationtls._tcp@<domain>.
      2. Microsoft will also add two CNAMEs for Lync: sip.<domain> to point to sipdir.online.lync.com and lyncdiscover.<domain> to point to webdir.online.lync.com.
    3. The third checkbox, Intune and Mobile Device Management for Microsoft 365, configures applicable DNS settings for device registration. It is recommended to leave this enabled:
      1. Microsoft will add the following CNAME entries to support mobile device registration and management: enterpriseenrollment.<domain> to enterpriseenrollment.manage.microsoft.com and enterpriseregistration.<domain> to enterpriseregistration.windows.net.
  10. Click Add DNS records.
  11. If prompted, click Connect to authorize Microsoft to update your registrar’s DNS settings.
  12. Click Done to exit the wizard or View all domains to go back to the Domains page if you need to add more domains.

You can continue adding as many domains as you need (up to the tenant maximum of 900 domains).

Adding a domain deep dive

To review alternative steps and more information about the domain addition process, see https://learn.microsoft.com/en-us/microsoft-365/admin/setup/add-domain.

Managing DNS records manually

If you’ve opted to manage DNS records manually, you may need to go back to the Microsoft 365 admin center and view the settings. To do this, you can navigate to the Domains page in the Microsoft 365 admin center, select your domain, and then select Manage DNS:

Figure 1.12 – Managing DNS settings for a domain

On the Connect domain page, click More options to expand the options, and then select Add your own DNS records. From here, you can view the specific DNS settings necessary per service by record type. You can also download a CSV file or a zone file that can be uploaded to your own DNS server.

Figure 1.13 – Viewing DNS settings

The CSV output is formatted as columns, while the zone file output is formatted for use with standard DNS services and can be imported or appended to BIND or Microsoft DNS server zone files.
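
When DNS is managed manually, the zone data can be checked against the CNAME, SPF, and MX values listed in the Advanced options step before it is imported. The following is an added example, not code from the book or from Microsoft: it audits a constructed, simplified zone for contoso.com (one `name ttl IN type rdata` record per line, with a placeholder verification value). The `.mail.protection.outlook.com` MX suffix is an assumption that does not appear on this page, and the Skype for Business SRV records are not checked.

```python
import re

# CNAME targets the wizard adds, as listed in the Advanced options step.
EXPECTED_CNAMES = {
    "autodiscover": "autodiscover.outlook.com",
    "sip": "sipdir.online.lync.com",
    "lyncdiscover": "webdir.online.lync.com",
    "enterpriseenrollment": "enterpriseenrollment.manage.microsoft.com",
    "enterpriseregistration": "enterpriseregistration.windows.net",
}
EXPECTED_SPF = "v=spf1 include:spf.protection.outlook.com -all"
EOP_SUFFIX = ".mail.protection.outlook.com"  # assumption: not stated on the page

# Constructed sample zone (not a real export): soft-fail SPF, one CNAME missing.
SAMPLE_ZONE = """\
@                    3600 IN MX    0 contoso-com.mail.protection.outlook.com.
@                    3600 IN TXT   "v=spf1 include:spf.protection.outlook.com ~all"
@                    3600 IN TXT   "MS=ms00000000"
autodiscover         3600 IN CNAME autodiscover.outlook.com.
sip                  3600 IN CNAME sipdir.online.lync.com.
lyncdiscover         3600 IN CNAME webdir.online.lync.com.
enterpriseenrollment 3600 IN CNAME enterpriseenrollment.manage.microsoft.com.
"""

def parse_zone(text):
    """Return (name, type, rdata) tuples; lines that are not records are skipped."""
    records = []
    for line in text.splitlines():
        m = re.match(r"(\S+)\s+\d+\s+IN\s+(\S+)\s+(.+)", line.strip())
        if m:
            records.append((m.group(1).lower(), m.group(2).upper(), m.group(3).strip()))
    return records

def audit_zone(text):
    """Compare a zone with the wizard's values; return a list of findings."""
    records, findings = parse_zone(text), []
    cnames = {n: r.rstrip(".").lower() for n, t, r in records if t == "CNAME"}
    for host, target in EXPECTED_CNAMES.items():
        if cnames.get(host) != target:
            findings.append(f"CNAME {host}: expected {target}, found {cnames.get(host)}")
    # More than one SPF record at the apex is itself an error for receivers.
    spf = [r.strip('"') for n, t, r in records
           if (n, t) == ("@", "TXT") and r.strip('"').lower().startswith("v=spf1")]
    if spf != [EXPECTED_SPF]:
        findings.append(f"SPF: expected one record matching the wizard value, found {spf}")
    mx = [r.split()[-1].rstrip(".").lower() for n, t, r in records if (n, t) == ("@", "MX")]
    if not mx or not all(target.endswith(EOP_SUFFIX) for target in mx):
        findings.append(f"MX: not exclusively Exchange Online Protection: {mx}")
    return findings
```

An SPF finding is a prompt for review rather than proof of an error, since a hybrid or third-party mail configuration legitimately changes the SPF and MX values.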

Configuring a default domain

After adding a domain, Microsoft 365 automatically sets that first custom domain as the default domain, which will get used when creating new users. However, if you have additional domains, you may choose to select a different domain to be used as the default domain when creating objects.

To manage which domain will be set as your primary domain, select the domain from the Domains page and then click Set as default to update the setting:

Figure 1.14 – Setting the default domain

The default domain will be selected automatically when creating cloud-based users and groups.

Custom domains and synchronization

When creating new cloud-based objects, you can select from any of the domains available in your tenant. However, when synchronizing from an on-premises directory, objects will be configured with the same domain configured with the on-premises object. If the corresponding domain hasn’t been verified in the tenant, synchronized objects will be set to use the tenant-managed domain.

Next, we’ll look at core organizational settings in a tenant.
