Custom domain name management in Azure Active Directory

Ganesh Chauhan, Technical Support Specialist, Microsoft Azure.

A domain name is a core part of the identifier for many resources in an Azure Active Directory (Azure AD) instance, which is part of Microsoft Entra: it is part of a user’s user name or email address, part of a group’s address, and sometimes part of an application’s app ID URI. A resource in Azure AD may include a domain name owned by the Azure AD organization (also known as a tenant) that contains the resource. Only a Global Administrator can manage domains in Azure AD.

Set the primary domain name for your Azure AD organization.

When your organization is first created, its initial domain name, for example “xyz.onmicrosoft.com”, serves as both the primary and the administrative domain name. When a new user is created, the primary domain name is automatically used as the domain part of that user’s user name. Setting a primary domain name therefore streamlines an administrator’s ability to add new users quickly in the portal.

Any verified custom domain that isn’t federated can be set as your organization’s new primary domain name. Existing users’ user names won’t change if your organization changes its primary domain.

Add custom domain names to your Azure AD organization.

Up to 5000 managed domain names can be added. If you’re using on-premises Active Directory to configure all of your domains for federation, you can add up to 2500 domain names in each organization.

Create subdomains for a custom domain.

If you wish to add a subdomain name such as “europe.contoso.com” to your organization, you must first add and verify the root domain, such as xyz.com. Azure AD then verifies the subdomain automatically. Refresh the domain list in the browser to confirm that the subdomain you added is verified.

If you have already added contoso.com to one Azure AD organization, you can still verify the subdomain europe.contoso.com in a different Azure AD organization. When you add the subdomain there, you are prompted to add a TXT record at your DNS hosting provider.
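Adding a domain or subdomain, reading the TXT record it is verified with, and triggering verification, as an added PowerShell example that is not from the article. It assumes the Microsoft Graph PowerShell SDK cmdlets New-MgDomain, Get-MgDomainVerificationDnsRecord and Confirm-MgDomain, and a Global Administrator sign-in.

```powershell
# Added example, not from the article: add a custom domain or subdomain with the
# Microsoft Graph PowerShell SDK, read the TXT record Azure AD expects, and verify it.
# Assumes the SDK is installed and the signed-in account is a Global Administrator.
param(
    [Parameter(Mandatory)] [string] $DomainName   # e.g. 'contoso.com' or 'europe.contoso.com'
)

Connect-MgGraph -Scopes 'Domain.ReadWrite.All'

# 1. Register the name in the tenant (skipped if it is already present).
if (-not (Get-MgDomain -DomainId $DomainName -ErrorAction SilentlyContinue)) {
    New-MgDomain -BodyParameter @{ id = $DomainName } | Out-Null
}

$domain = Get-MgDomain -DomainId $DomainName
if ($domain.IsVerified) {
    # A subdomain of a root that this tenant has already verified is verified automatically.
    Write-Host "$DomainName is verified (authenticationType=$($domain.AuthenticationType))."
    return
}

# 2. Ask Azure AD which DNS record proves ownership; the TXT text lives in AdditionalProperties.
$txt = Get-MgDomainVerificationDnsRecord -DomainId $DomainName |
       Where-Object { $_.RecordType -eq 'Txt' }
Write-Host "Publish this TXT record at your DNS hosting provider, then re-run this script:"
Write-Host "  name : $($txt.Label)"
Write-Host "  value: $($txt.AdditionalProperties['text'])"
Write-Host "  ttl  : $($txt.Ttl)"

# 3. Attempt verification; this fails until the record has propagated.
try {
    $verified = Confirm-MgDomain -DomainId $DomainName -ErrorAction Stop
    Write-Host "Verified: $($verified.Id) (isVerified=$($verified.IsVerified))"
} catch {
    Write-Warning "Verification failed, likely because the TXT record is not visible yet: $($_.Exception.Message)"
}
```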

What to do if you switch your custom domain name’s DNS registrar

If you change DNS registrars, no additional Azure AD configuration is required: the domain name continues to work normally with Azure AD. If you also use the custom domain name with Microsoft 365, Intune, or other services that rely on custom domain names in Azure AD, consult those services’ documentation.

Remove a custom domain

If your organization no longer uses a particular custom domain name, or if you need to use it with another Azure AD organization, you can remove it from Azure AD.

Before you can delete a custom domain name, you must make sure that none of your organization’s resources rely on it. The domain name cannot be removed from an organization if:

  • Any user has a user name, email address, or proxy address that contains the domain name.
  • Any group has an email address or proxy address that contains the domain name.
  • Any application in your Azure AD organization has the domain name as part of its app ID URI.

Any such resource in your Azure AD organization must be changed or deleted before you can delete the custom domain name.

Note: to delete the custom domain (mydomainname.com), sign in with a Global Administrator account based on either the default domain (xyz.com) or another custom domain.

Delete-by-Force option

You can ForceDelete a domain name using the Microsoft Graph API or the Azure AD Admin Centre. ForceDelete is an asynchronous operation that rewrites every reference to the custom domain name, such as “user@xyz.com”, to the initial default domain name, such as “user@xyz.onmicrosoft.com”.

Before calling ForceDelete in the Azure portal, make sure there are no more than 1000 references to the domain name, and update or delete any references in the Exchange Admin Centre where Exchange is the provisioning service; distribution lists and Exchange mail-enabled security groups fall into this category. See “Removing mail-enabled security groups” for further details. The ForceDelete action will also fail if either of the following conditions applies:

  • You purchased the domain through the Microsoft 365 domain subscription services.
  • You are a partner managing the domain on behalf of another client organization.

The ForceDelete operation carries out the following steps:

  • The UPN, EmailAddress, and ProxyAddress of every user that references the custom domain name are changed to the initial default domain name.
  • The EmailAddress of every group that references the custom domain name is changed to the initial default domain name.
  • The identifier URIs of every application that uses the custom domain name are changed to the initial default domain name.

ForceDelete returns an error when:

  • More than 1000 objects would need to be renamed.
  • One of the applications that would be renamed is a multi-tenant app.
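The pre-deletion audit from the "Remove a custom domain" section and the ForceDelete preconditions above (the 1000-reference limit and the multi-tenant app case), as one added PowerShell example that is not part of the original article. It assumes the Microsoft Graph PowerShell SDK cmdlets Get-MgUser, Get-MgGroup, Get-MgApplication, Remove-MgDomain and Invoke-MgForceDomainDelete, a Global Administrator sign-in, and Get-PlainAddresses is a small helper defined here; the client-side scan is simple but slow on very large tenants.

```powershell
# Added example, not from the article: audit the references that block deleting a custom
# domain, then run a plain delete or, with -Force, the asynchronous ForceDelete.
# Assumes the Microsoft Graph PowerShell SDK and a Global Administrator sign-in.
param(
    [Parameter(Mandatory)] [string] $DomainName,   # e.g. 'xyz.com'
    [switch] $Force                                 # opt in to ForceDelete
)
Connect-MgGraph -Scopes 'Domain.ReadWrite.All','User.Read.All','Group.Read.All','Application.Read.All'

$suffix = '@' + $DomainName.ToLower()
$refs = [System.Collections.Generic.List[string]]::new()
$multiTenantApps = [System.Collections.Generic.List[string]]::new()
# Helper (defined here): strip the 'SMTP:'/'smtp:' prefix so proxy addresses compare like plain addresses.
function Get-PlainAddresses([string[]] $values) { $values | Where-Object { $_ } | ForEach-Object { ($_ -split ':', 2)[-1] } }

# Users: UPN, mail or any proxy address ending in @domain.
Get-MgUser -All -Property id,userPrincipalName,mail,proxyAddresses | ForEach-Object {
    $addrs = Get-PlainAddresses (@($_.UserPrincipalName, $_.Mail) + @($_.ProxyAddresses))
    if ($addrs | Where-Object { $_.ToLower().EndsWith($suffix) }) { $refs.Add("user:$($_.Id)") }
}
# Groups: mail or proxy address ending in @domain (Exchange-provisioned groups are fixed in the Exchange Admin Centre).
Get-MgGroup -All -Property id,mail,proxyAddresses | ForEach-Object {
    $addrs = Get-PlainAddresses (@($_.Mail) + @($_.ProxyAddresses))
    if ($addrs | Where-Object { $_.ToLower().EndsWith($suffix) }) { $refs.Add("group:$($_.Id)") }
}
# Applications: any identifier URI whose host is the domain or a subdomain of it.
Get-MgApplication -All -Property id,identifierUris,signInAudience | ForEach-Object {
    $app = $_
    $hit = $app.IdentifierUris | Where-Object {
        $uri = $null
        [Uri]::TryCreate($_, [UriKind]::Absolute, [ref]$uri) -and
            ($uri.Host -eq $DomainName -or $uri.Host.EndsWith(".$DomainName"))
    }
    if ($hit) {
        $refs.Add("app:$($app.Id)")
        if ($app.SignInAudience -ne 'AzureADMyOrg') { $multiTenantApps.Add($app.Id) }   # ForceDelete cannot rename these
    }
}
Write-Host "$($refs.Count) reference(s) to $DomainName"; $refs | ForEach-Object { Write-Host "  $_" }

if ($refs.Count -eq 0) {
    Remove-MgDomain -DomainId $DomainName            # ordinary delete: nothing depends on the name
} elseif (-not $Force) {
    Write-Warning 'Fix or remove the references above, or re-run with -Force.'
} elseif ($refs.Count -gt 1000 -or $multiTenantApps.Count -gt 0) {
    Write-Error "ForceDelete would fail: $($refs.Count) references, $($multiTenantApps.Count) multi-tenant app(s)."
} else {
    # Rewrites affected UPNs, addresses and identifier URIs to the initial *.onmicrosoft.com domain;
    # also fails for domains bought through Microsoft 365 and for partner-managed tenants.
    Invoke-MgForceDomainDelete -DomainId $DomainName -BodyParameter @{ disableUserAccounts = $false }
}
```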
