Wednesday, October 30, 2019

Assign and verify Microsoft Azure AD custom domain using Azure App Service Domains


Abstract


Have you ever heard of the word Doppelganger? It means a ghostly double or counterpart of a living person. There is a theory that says that in today's world there are 7 people who look similar to you. There are 6.4 billion base pairs in human DNA, so I don't trust this theory. However, humans made sure that when it comes to the internet world, there is one thing that is always unique: domain names. Domain names are very critical and there have been many famous domain name battles over uniqueness. One of the famous domain name battles was "Microsoft vs. MikeRoweSoft". What? You never heard of it? Go search the internet.

Domain names can make or break the identity of your business. Custom domain names are inevitable in today's world: if you want to be successful with your business or website then a custom domain name is a must. Microsoft Azure services also need custom domain names so that the names of your Microsoft Azure service instances can be aligned with your business or company name.

Azure AD is central to any Microsoft Azure based environment. All subscriptions belong to an Azure AD, and identity management for Azure subscriptions is also handled through Azure AD. Any Azure AD you create will always have the form "YourAADInstanceName.onmicrosoft.com", so when you create a user in Azure AD the FQDN of that user will be "username@YourAADInstanceName.onmicrosoft.com". For example, if I have an Azure Active Directory named "SanganakAuthority.onmicrosoft.com" then the user "kunal" will have the FQDN "kunal@SanganakAuthority.onmicrosoft.com". This is definitely not a user friendly name. If I change it to kunal@SanganakAuthority.com then it appeals a lot more.

So a custom domain for Azure AD is a good thing to have!

The best thing is that you DON'T have to go to external domain registrars/providers like GoDaddy, HostGator, Bluehost etc. Microsoft Azure provides domain names through Azure App Service Domains and you can use them anywhere, including Azure AD.

Let’s go!

Relationship in Domains Names, DNS Records, DNS Zones and equivalent Microsoft Azure services

It is important to know the concepts of Domain Names, DNS Zones and DNS Records, both in general and in the Microsoft Azure platform. Refer to the diagram below.



Domain names are provided by domain name registrars. Owning a domain name gives you the right to control its DNS hierarchy. A purchased domain name is hosted on DNS name servers in the form of DNS records. The domain registrar has its own name servers, or it may also allow you to specify your own/preferred name servers. You host the domain name on the name servers as DNS records such as A records, CNAME records, TXT records and so on. The combination of name servers and DNS records is called a DNS zone.
For purchasing domain names Azure provides "Azure App Service Domain", and for DNS zones Azure provides a service called "Azure DNS".

Note – When we create an Azure App Service Domain, the corresponding DNS zone is created automatically. Both the domain and the DNS zone are created in the same resource group.

What is the role of each Azure service used in this scenario?

We are going to use Azure AD, Azure App Service Domains and Azure DNS in this blog post to configure a custom domain for Azure AD. To avoid confusion, let us understand the intent of these services and the relationships between them.

Azure AD
This is the PaaS version of Active Directory. It can even be synced with your existing on-premises Active Directory. Azure AD always gets the default domain suffix "onmicrosoft.com", so the complete domain will be "YourCompany.onmicrosoft.com". Enterprises always like to have a domain representing their company name, and hence onmicrosoft.com is not so appealing: enterprises want "YourCompany.com" assigned to Azure AD. Therefore Azure AD generally needs a custom domain to be attached.

Azure App Service Domain
This has nothing to do with the Azure App Service default domain ".azurewebsites.net". If you create an Azure web app as "kunal.azurewebsites.net" then for your customers you may want the URL of your app to be "kunal.com". So in the general scenario you go to a domain registrar, purchase the domain "kunal.com" and then assign a CNAME to "kunal.azurewebsites.net".
When you purchase a domain from a domain registrar you have to manage the domain using their own portal/management console. Plus, billing will be separate from your Azure App Service web app billing.

If you use Azure App Service Domain to get "kunal.com" instead of a domain registrar, your billing becomes part of Azure itself. So App Service Domain is the domain name purchase service on Azure. Domains purchased through App Service Domain can be used anywhere: an on-premises hosted web app, Azure hosted APIs, Azure Storage, Azure CDN, AWS hosted apps, GCP hosted apps and so on. In our case we will use it for Azure AD.

Note – You can use Azure App Service Domain without using the Azure DNS service.

Azure DNS
Azure DNS is the DNS zone service on Azure, where you get name servers to host your domain through DNS records. It does not necessarily need a domain name purchased through App Service Domains. If you have purchased a domain name from a 3rd party domain registrar, you can host that domain name using the Azure DNS service or the DNS provided by the 3rd party. Similarly, App Service Domains can be hosted either on Azure DNS or on a 3rd party DNS service.
In our case we are using App Service Domains and Azure DNS hand in hand instead of using 3rd party services.

Note – You can use Azure DNS for hosting 3rd party purchased domain names as well, not only Azure App Service Domains.

Summary -
Azure DNS and App Service Domains are two different services and can be used independently based on the scenario. In our case we could also have achieved the custom domain name mapping to Azure AD in the following ways –
1. Purchase the domain from a 3rd party, use Azure DNS and assign the domain to Azure AD
2. Purchase the domain from App Service Domain, use 3rd party DNS and assign the domain to Azure AD
3. Purchase the domain from a 3rd party, use 3rd party DNS only and assign the domain to Azure AD
4. Or the easy way – purchase the domain from Azure App Service, use Azure DNS and assign it to Azure AD – we are doing this.

Create Azure AD

This step is not necessary if you already have an Azure AD created and you intend to assign a custom domain to it. In case you want to try a custom domain before you assign it to your production Azure AD, you can use this step to create a sample Azure AD instance on Azure. Click on Create a Resource -> Identity -> Azure Active Directory as shown below –



Provide details like below and create the directory.



Once the directory is created you can change the default working directory as shown. As you can observe, the name of the directory created has the shared ".onmicrosoft.com" domain, so the FQDN is KunalDir.onmicrosoft.com.



Azure App Service Domains

Azure App Service Domains are really awesome and simplify a lot of things for you. The thing I love most about Azure App Service Domain is that you always pay a flat charge irrespective of the name of the domain. Some domains carry premium charges from domain providers; however, for Azure App Service Domains the charges are always the same. As of now Azure App Service Domain supports the extensions com, net, co.uk, org, nl, in, biz, org.uk and co.in. Azure App Service does provide "privacy protection", except for those extensions that do not support privacy, like co.in, co.uk etc. The awesome thing is that "Privacy Protection" is FREE of cost. It supports auto-renew and you can cancel the domain within 5 days without any charges. Internally it uses the Azure DNS service, which simplifies DNS management a lot.

Let us create an Azure App Service Domain called "KunalDir.com".

First select the Azure AD tenant under which you have an Azure subscription so that we can create the Azure App Service Domain. The Azure AD newly created in the step above, KunalDir.onmicrosoft.com, does not have any Azure subscription attached to it. Therefore change the Azure AD tenant to one that has an Azure subscription attached. You can use the "Directory + Subscription" filter option of the Azure portal to change the Azure AD directory.
Click on Create a resource. In the search box type "App Service Domain". You should see the screen below –



Click on Create, then provide the required information as shown below and click on Create again.



After the domain creation completes you can observe that the same resource group now has the domain name we created in Azure App Service Domain plus the associated DNS zone for configuring the DNS records of the purchased domain.



If I go inside the Azure DNS zone named "kunaldir.com" I can view the name servers and the existing DNS records provided by the Azure DNS zone. Under this Azure DNS zone we will need to add the DNS record for our custom domain that is required for mapping it to the Azure AD instance.



Add custom domain name to Azure AD tenant

Now we have our custom domain ready through Azure App Service Domains and the associated zone in Azure DNS. Let us assign the custom domain name to our Azure AD tenant.
Open the desired Azure AD tenant. In our case it is KunalDir.OnMicrosoft.com. Select the option "Custom domain names". This shows only the original domain name of our Azure AD tenant. Now click on the "Add custom domain" button. Provide the custom domain name we created through Azure App Service Domain and then finally click on "Add Domain".




Verify Azure AD tenant custom domain

The next step window appears automatically and provides a button to verify the identity of the custom domain attached. Go ahead and click on "Verify".



You should land on an error –

“Failed to verify domain”.

“Could not find the DNS record for this domain. DNS changes may take up to 72 hours to propagate. Please try again later”.

If you observed the above screenshot fully, there is an important message displayed at the top –

“To use kunaldir.com with your Azure AD, create a new TXT record with your domain name registrar using the info below”.

In our case the domain registrar is Azure App Service Domain with its associated Azure DNS zone. We did not add the TXT record, hence the failure in Azure AD custom domain verification. So go back to the Azure DNS zone. Click on the "+ Record Set" button. Provide the details from the Verify screen shown above in the Record set window as shown below –



The TTL value is 3600, which is in seconds, so we configured a 1 hour TTL in the "Add Record Set" window. After the TXT record set is added we should now have the newly added record in the DNS zone as shown below –



With this, let's go back to Azure AD and verify the custom domain assignment again. Now the verification should be successful as shown below. Then click on Make Primary to make the custom domain the primary domain for the Azure AD tenant.
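If Verify instead keeps returning the "DNS changes may take up to 72 hours to propagate" error, it is usually caching: the TXT record can already be live on the zone's Azure DNS name servers while the resolver Azure AD or your machine uses still holds the older empty answer for up to the TTL. The script below is an added example and not part of the original post: it reads the apex TXT records with nslookup (or from saved dig/nslookup output), joins multi-string values and checks for the exact token shown on the Verify screen, so you can tell a missing record apart from plain propagation delay before retrying. The domain and the token value are constructed placeholders.

```python
import re
import subprocess

# Placeholder for the token shown on the Azure AD "Verify" screen; the real
# value is specific to your tenant and domain (constructed, not a real token).
EXPECTED_TOKEN = "MS=ms00000000"

# Constructed sample answers in dig and Linux nslookup format, as the apex of
# kunaldir.com would reply once the TXT record set from the post is published.
SAMPLE_DIG = (
    'kunaldir.com.\t3600\tIN\tTXT\t"v=spf1 -all"\n'
    'kunaldir.com.\t3600\tIN\tTXT\t"MS=ms00000000"\n'
)
SAMPLE_NSLOOKUP = (
    "Non-authoritative answer:\n"
    'kunaldir.com\ttext = "v=spf1 -all"\n'
    'kunaldir.com\ttext = "MS=ms00000000"\n'
)

def parse_txt_values(output: str) -> list:
    """Extract TXT values from dig or nslookup output. Both tools quote each
    string; a record split into 255-byte strings appears as '"p1" "p2"' on one
    line and is joined back here, which is how resolvers present it."""
    values = []
    for line in output.splitlines():
        if line.lstrip().startswith(";"):  # dig comment/header lines
            continue
        parts = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        if parts:
            values.append("".join(parts))
    return values

def has_verification_record(values, token: str = EXPECTED_TOKEN) -> bool:
    """True when one TXT value at the apex equals the token Azure AD asked for.
    The match is exact, and unrelated apex TXT records such as SPF are
    passed over rather than treated as a failure."""
    return any(v.strip() == token for v in values)

def lookup_txt(domain: str, server: str = "") -> list:
    """Query the live record with nslookup (present on Windows, Linux, macOS).
    Pass one of the zone's Azure DNS name servers as `server` to read the
    authoritative answer directly instead of a cached copy elsewhere."""
    cmd = ["nslookup", "-type=TXT", domain] + ([server] if server else [])
    out = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
    return parse_txt_values(out.stdout)

if __name__ == "__main__":
    print("published:", has_verification_record(lookup_txt("kunaldir.com")))
```

If the authoritative name server answers with the token but your default resolver does not, the record is correct and only the TTL has to run out before Verify succeeds.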





Conclusion

And that's it! I hope this article has given you step by step guidance on how to assign a custom domain to an Azure AD tenant using Azure App Service Domains and get it verified.
Happy Verifying!!

A humble request!

The internet is creating a lot of digital garbage. If you feel this is a quality blog and someone will definitely benefit from it, don't hesitate to hit the share button present below. Your one share will save many precious hours of a developer. Thank you.


Special Credits

Thanks to Scott Hoag for teaching me this awesome trick of using Azure App Service Domains and Azure DNS to assign a custom domain to Azure AD. I learned this from him during the Migration OpenHack. The entire Migration OpenHack is designed by him and he is really awesome. You can follow him on - https://www.linkedin.com/in/scottmhoag/.

Thanks to Vikram Pendse for encouraging me to write about the relationships and roles of the different Azure services used in this guide. You can follow him on - https://www.linkedin.com/in/vikrampendse/

4 comments:

1. Can I create a custom domain in my free Azure subscription? It says in the last step that it will charge 11 US dollars by GoDaddy.com

   Reply:
   1. Refer to the pricing page - https://azure.microsoft.com/en-in/pricing/details/app-service/windows/ where it mentions the pricing for Azure App Service Domain. A free Azure subscription may not allow you to purchase a domain, or it may charge directly to your credit card. Check it out!

2. Hi, can we connect on a call?