Domain and Tenant Configuration in Microsoft Entra ID
Domain and Tenant Configuration in Microsoft Entra ID (formerly Azure Active Directory) is a foundational concept for managing identities and access within an organization.

**Tenant Configuration:** A tenant in Microsoft Entra ID represents an organization and is a dedicated instance of the directory service. When an organization signs up for a Microsoft cloud service (such as Azure, Microsoft 365, or Dynamics 365), a tenant is automatically created. Each tenant is distinct and separate from other tenants, ensuring data isolation and security. Administrators can configure tenant-wide settings including naming policies, user settings, external collaboration settings, group creation permissions, and security defaults. Tenant properties such as the organization name, country/region, notification language, and technical contact information can also be managed through the Entra admin center.

**Domain Configuration:** By default, every Microsoft Entra tenant comes with an initial domain name in the format 'yourtenant.onmicrosoft.com'. Organizations can add and verify custom domain names (e.g., contoso.com) to provide users with familiar sign-in credentials. To verify a custom domain, administrators must add a DNS record (TXT or MX) at the domain registrar to prove ownership. Once verified, the custom domain can be set as the primary domain for new user accounts.

Key administrative tasks include:
- Adding multiple custom domains to a single tenant
- Configuring federated domains for single sign-on with on-premises identity providers
- Managing domain verification records
- Setting the primary domain for user provisioning

**Best Practices:** Administrators should configure security defaults or Conditional Access policies at the tenant level, regularly audit domain configurations, and ensure proper DNS records are maintained. Understanding tenant and domain configuration is critical for the SC-300 exam, as it directly impacts authentication flows, user provisioning, and organizational branding. Proper configuration of both domains and tenant settings ensures seamless identity management, secure access, and a consistent user experience across Microsoft cloud services.
Domain and Tenant Configuration in Microsoft Entra ID – Complete Guide for SC-300
Why Is Domain and Tenant Configuration Important?
Domain and tenant configuration is one of the foundational building blocks of identity management in Microsoft Entra ID (formerly Azure Active Directory). Every organization that uses Microsoft cloud services operates within a tenant, and the domains associated with that tenant determine how users sign in, how email is routed, and how the organization is represented across Microsoft 365 and Azure services.
Without proper domain and tenant configuration:
- Users would be forced to use the default onmicrosoft.com domain, which looks unprofessional and is harder to remember.
- Federation and hybrid identity scenarios would not function correctly.
- Email routing, single sign-on (SSO), and multi-tenant collaboration would be impaired.
- Security policies and compliance boundaries could be misconfigured.
For the SC-300 (Microsoft Identity and Access Administrator) exam, understanding domain and tenant configuration is critical because it falls under the Implement and Manage User Identities domain, which constitutes a significant portion of the exam.
What Is a Tenant?
A tenant in Microsoft Entra ID is a dedicated instance of the directory service that an organization receives when it signs up for a Microsoft cloud service such as Azure, Microsoft 365, or Dynamics 365. A tenant:
- Represents a single organization.
- Has a globally unique identifier (Tenant ID / Directory ID).
- Contains all the users, groups, applications, and configuration for that organization.
- Is assigned a default domain in the format yourtenant.onmicrosoft.com.
- Serves as a security and administrative boundary.
Each tenant is completely isolated from other tenants, meaning data, configurations, and policies do not leak between tenants unless explicitly configured through cross-tenant collaboration features.
What Is a Custom Domain?
A custom domain is a domain name that your organization owns (e.g., contoso.com) and adds to Microsoft Entra ID to replace or supplement the default onmicrosoft.com domain. Custom domains allow users to sign in with familiar email addresses like john@contoso.com instead of john@contoso.onmicrosoft.com.
How Domain and Tenant Configuration Works
1. Creating a Tenant
When you create a new Microsoft Entra ID tenant:
- You specify a tenant name, which becomes the tenantname.onmicrosoft.com default domain.
- A Global Administrator account is created automatically.
- The tenant is provisioned in a specific geographic region based on the country/region you selected.
- The tenant type can be either Microsoft Entra ID (standard) or Azure AD B2C (for customer-facing identity scenarios).
2. Adding a Custom Domain
To add a custom domain to your tenant, follow these steps:
Step 1: Navigate to Custom Domain Names
Go to the Microsoft Entra admin center → Settings → Domain names → Click Add custom domain.
Step 2: Enter the Domain Name
Type your custom domain (e.g., contoso.com). Subdomains like sales.contoso.com can also be added, but the parent domain must be verified first.
Step 3: Verify Domain Ownership
Microsoft Entra ID provides a DNS record (either a TXT or MX record) that must be added to your domain's DNS zone at your domain registrar or DNS hosting provider.
- TXT Record (Recommended): A TXT record with a specific value (e.g., MS=ms12345678) is added to the DNS zone.
- MX Record (Alternative): An MX record pointing to a specific Microsoft address can also be used for verification.
Step 4: Verify
After adding the DNS record, click Verify in the Entra admin center. DNS propagation may take up to 72 hours, though it typically happens much faster.
Step 5: Set as Primary (Optional)
Once verified, you can set the custom domain as the primary domain. The primary domain is the default domain assigned to new users when they are created.
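The five steps above driven from the Microsoft Graph PowerShell SDK, as an added example that is not part of this guide; it assumes contoso.com is the domain being added and that the account holds the Domain Name Administrator role (sufficient for these tasks).

```powershell
# Added example: add, verify and set a custom domain as primary with the
# Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.DirectoryManagement).
# Assumes the Domain Name Administrator role and contoso.com as the domain to add.
$domain = "contoso.com"

Connect-MgGraph -Scopes "Domain.ReadWrite.All"

# Steps 1-2: register the domain name in the tenant (state: Unverified).
if (-not (Get-MgDomain -DomainId $domain -ErrorAction SilentlyContinue)) {
    New-MgDomain -BodyParameter @{ id = $domain } | Out-Null
}

# Step 3: fetch the records Entra ID expects to find in the DNS zone.
# TXT is the recommended record type; MX is the alternative.
$records = Get-MgDomainVerificationDnsRecord -DomainId $domain
foreach ($r in $records) {
    $value = if ($r.RecordType -eq "Txt") { $r.AdditionalProperties.text } else { $r.AdditionalProperties.mailExchange }
    "{0,-4} {1,-20} TTL={2,-5} {3}" -f $r.RecordType, $r.Label, $r.Ttl, $value
}
Read-Host "Publish the TXT record at your DNS host, wait for propagation, then press Enter"

# Step 4: ask Entra ID to look the record up. Propagation can take up to
# 72 hours, so a failure here usually just means "retry later".
try {
    Confirm-MgDomain -DomainId $domain -ErrorAction Stop | Out-Null
} catch {
    Write-Warning "Verification failed, retry after DNS has propagated: $($_.Exception.Message)"
    return
}

# Step 5 (optional): make the verified domain the primary domain, i.e. the
# default suffix assigned to new user accounts.
Update-MgDomain -DomainId $domain -IsDefault:$true

# Audit the result: every domain in the tenant with its state
# (Unverified/Verified via IsVerified, Managed/Federated via AuthenticationType).
Get-MgDomain | Select-Object Id, IsVerified, IsDefault, IsInitial, AuthenticationType |
    Format-Table -AutoSize
```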
3. Domain States
Domains in Microsoft Entra ID can be in several states:
- Unverified: The domain has been added but DNS verification is pending.
- Verified: DNS verification is complete, and the domain is ready for use.
- Federated: The domain has been configured for federation with an identity provider (e.g., AD FS, PingFederate, or another SAML/WS-Fed provider).
- Managed: The domain uses cloud authentication (password hash sync, pass-through authentication, or cloud-only).
4. Federated vs. Managed Domains
- Managed domains handle authentication directly in Microsoft Entra ID using password hash synchronization (PHS) or pass-through authentication (PTA).
- Federated domains redirect authentication to an on-premises or third-party identity provider. When a user enters their UPN with a federated domain, Entra ID redirects them to the configured federation server.
You can convert a domain from federated to managed (and vice versa) using PowerShell or the Microsoft Entra admin center. This is a common scenario during migrations away from AD FS.
5. Tenant Properties and Configuration
Key tenant-level configurations include:
- Tenant Name and Technical Contact: Displayed in the tenant properties.
- Tenant ID (Directory ID): A GUID that uniquely identifies the tenant. Used in API calls, application registrations, and cross-tenant scenarios.
- Data Location: The geographic region where tenant data is stored. This is set at creation and generally cannot be changed.
- License Management: Assigning and managing licenses (e.g., Microsoft Entra ID P1, P2) at the tenant level.
- Tenant-wide Security Settings: Including security defaults, conditional access baseline policies, and user settings like whether users can register applications or consent to apps.
6. Multi-Tenant Considerations
Some organizations operate multiple tenants for various reasons (mergers, acquisitions, regulatory requirements). Key concepts include:
- Cross-tenant access settings: Control how users from one tenant can collaborate with another tenant.
- B2B collaboration: Guest users from external tenants can be invited into your tenant.
- Tenant restrictions: Prevent users from authenticating to unauthorized external tenants from your corporate network.
- Multi-tenant organizations: A newer feature allowing multiple tenants to be treated as a single logical organization with seamless user synchronization.
7. Deleting Custom Domains
Before you can remove a custom domain from your tenant, you must ensure no resources reference it. This includes:
- User UPNs and email addresses
- Group email addresses
- Application identifier URIs
- Any other objects using the domain
All references must be updated to the default onmicrosoft.com domain or another verified domain before deletion.
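An added example (not from this guide) that implements the pre-deletion check above with the Microsoft Graph PowerShell SDK, reporting user UPNs, proxy addresses, group addresses and application identifier URIs that still reference the domain; contoso.com is the assumed domain being retired.

```powershell
# Added example: list every directory object that still references a custom
# domain before running Remove-MgDomain. Assumes contoso.com is the domain
# being retired; read-only Graph scopes are enough for the audit itself.
$domain = "contoso.com"
Connect-MgGraph -Scopes "User.Read.All", "Group.Read.All", "Application.Read.All"

# "@contoso.com" at the end of a UPN or mail address, or contoso.com as the
# host of an identifier URI such as api://contoso.com/app or https://contoso.com/app.
$esc     = [regex]::Escape($domain)
$suffix  = "@$esc$"
$uriHost = "^(api|https?)://$esc(/|$)"
$hits    = [System.Collections.Generic.List[object]]::new()
function Add-Hit($type, $object, $value) {
    $hits.Add([pscustomobject]@{ Type = $type; Object = $object; Value = $value })
}

# User UPNs and proxy addresses (e.g. SMTP:alias@contoso.com).
Get-MgUser -All -Property Id,UserPrincipalName,ProxyAddresses | ForEach-Object {
    $u = $_
    if ($u.UserPrincipalName -imatch $suffix) { Add-Hit "User UPN" $u.UserPrincipalName $u.UserPrincipalName }
    foreach ($addr in @($u.ProxyAddresses | Where-Object { $_ -imatch $suffix })) {
        Add-Hit "User proxyAddress" $u.UserPrincipalName $addr
    }
}

# Group mail and proxy addresses.
Get-MgGroup -All -Property Id,DisplayName,Mail,ProxyAddresses | ForEach-Object {
    $g = $_
    foreach ($addr in @((@($g.Mail) + $g.ProxyAddresses) | Where-Object { $_ -imatch $suffix })) {
        Add-Hit "Group address" $g.DisplayName $addr
    }
}

# Application identifier URIs (App ID URIs) rooted at the domain.
Get-MgApplication -All -Property Id,DisplayName,IdentifierUris | ForEach-Object {
    $a = $_
    foreach ($uri in @($a.IdentifierUris | Where-Object { $_ -imatch $uriHost })) {
        Add-Hit "App identifierUri" $a.DisplayName $uri
    }
}

if ($hits.Count -eq 0) {
    "No references to $domain found; Remove-MgDomain -DomainId $domain can proceed."
} else {
    "$($hits.Count) reference(s) must be moved to another verified domain before deletion:"
    $hits | Format-Table -AutoSize
}
```

Remove-MgDomain itself refuses to delete a domain that is still referenced, so running this audit first turns an opaque failure into a concrete list of objects to update.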
8. Administrative Roles Related to Domain and Tenant Configuration
- Global Administrator: Can perform all domain and tenant configuration tasks.
- Domain Name Administrator: Can manage (add, verify, and configure) domain names.
- Hybrid Identity Administrator: Can configure federation settings and domain federation.
Key Concepts to Remember for the SC-300 Exam
1. The default domain is always tenantname.onmicrosoft.com and cannot be deleted or changed.
2. DNS verification requires adding a TXT or MX record to your domain's DNS zone.
3. A domain can be federated (authentication redirected to an external IdP) or managed (authentication handled by Entra ID).
4. The primary domain is the default domain assigned to newly created users.
5. You cannot delete a custom domain that is still referenced by any object in the directory.
6. Each custom domain can only exist in one Entra ID tenant at a time globally.
7. Subdomains are automatically verified once the parent domain is verified.
8. Security defaults provide baseline security for tenants without Conditional Access and include MFA for all users and blocking legacy authentication.
9. Tenant restrictions are enforced via proxy headers and control which external tenants users can authenticate to.
10. Converting a domain from federated to managed requires careful planning to avoid user lockout.
Exam Tips: Answering Questions on Domain and Tenant Configuration in Microsoft Entra ID
Tip 1: Know the DNS Verification Process
Expect questions about which DNS record types are used to verify a domain. Remember: TXT records are recommended, and MX records are an alternative. You do not use CNAME or A records for domain verification in Entra ID.
Tip 2: Understand the Difference Between Federated and Managed Domains
Questions may present a scenario where authentication is failing or needs to be changed. Know that federated domains redirect authentication to an external IdP, while managed domains authenticate directly in the cloud. Converting between them is done via PowerShell (e.g., Convert-MsolDomainToStandard or Convert-MsolDomainToFederated, or using newer Microsoft Graph PowerShell cmdlets).
Tip 3: Remember Domain Deletion Prerequisites
If a question asks about removing a custom domain, the correct answer will involve ensuring all references to the domain are removed first — user UPNs, group addresses, app URIs, etc.
Tip 4: One Domain Per Tenant Globally
A verified custom domain can exist in only one Microsoft Entra ID tenant at a time worldwide. If a question describes trying to add a domain that exists in another tenant, you must remove it from the other tenant first.
Tip 5: Know the Administrative Roles
Questions often test least-privilege principles. For domain management, the Domain Name Administrator role is sufficient; you do not need a Global Administrator for basic domain operations.
Tip 6: Primary Domain Behavior
When a new user is created without specifying a domain, the primary domain is used. Know how to set and change the primary domain.
Tip 7: Tenant Properties Are Mostly Immutable
The data residency location of a tenant is set at creation and generally cannot be changed afterward. If a question involves data sovereignty requirements, the tenant's region matters.
Tip 8: Security Defaults vs. Conditional Access
Security defaults and Conditional Access are mutually exclusive. If you enable Conditional Access policies, security defaults must be disabled. Questions may test whether a tenant should use security defaults (for smaller/simpler organizations) or Conditional Access (for granular control).
Tip 9: Subdomain Auto-Verification
If contoso.com is verified, then hr.contoso.com is automatically considered verified as a subdomain. This is a frequently tested nuance.
Tip 10: Cross-Tenant Scenarios
Know that cross-tenant access settings control B2B collaboration and B2B direct connect. Inbound settings control what external users can access in your tenant; outbound settings control what your users can access in external tenants. Tenant restrictions (v2) use authentication-plane enforcement to block sign-ins to unauthorized tenants.
Tip 11: Read Scenarios Carefully
Many domain and tenant questions are scenario-based. Pay close attention to whether the question is asking about a new tenant setup, a domain migration, a hybrid identity scenario, or a multi-tenant collaboration situation. Each context requires different configuration steps.
Tip 12: PowerShell and Microsoft Graph
Be familiar with the concepts behind using PowerShell (Microsoft Graph PowerShell SDK) and the Microsoft Graph API for tenant and domain management. While you may not need to write exact commands, understanding which tool performs which action is important for the exam.