Why adding all your domains into Azure AD is important

Ensuring all your domains are registered within your Azure AD tenant provides you with control over them and prevents their use in any other tenant, even if you don’t plan to use them for Azure AD based services.

Domains in Azure Active Directory are important as they can be used as part of the identifier for resources, whether that is as part of a user’s username or email address, or as part of a group or application.

At the time of writing you can have up to 5000 managed domains in a tenant, but this drops to 2500 if they are all configured for federation with an on-premises Active Directory. Importantly, adding a domain (such as domain.com) to a tenant does not prevent its subdomains (for example, sub.domain.com) from being registered in another tenant. Therefore, once the root domain has been added to a tenant, any subdomain(s) in use must also be added.

After speaking with a large educational organisation recently, they had discovered that their student domain, which was a subdomain, had been attached to a separate Azure AD tenant. The IT staff had not done this, so it was presumed that a student had activated an Azure AD based service for the first time, which created an unmanaged tenant and bound the subdomain to it.

As a result, users started using the incorrect tenant and it was not possible to use and manage the subdomain in the required tenant. The organisation was able to perform a takeover of the unmanaged directory by following the guidance available from Microsoft to regain control over the subdomain and use it within the managed directory.

This example highlights why it is important to register all domains and their subdomains. Whilst you need to verify ownership of the root domain (using TXT or MX records), you do not need to do this for subdomains, making them easy and straightforward to add.
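As an added example (not from the original post), a small Python check that compares the domains actually in use (UPN and email suffixes, MX records, SaaS sign-ups) against the tenant's verified domain list and flags subdomains that are only covered by a verified parent. The domain lists are constructed samples and the three-way classification is an assumption reflecting the behaviour described above; in practice the verified list would be exported from the tenant.

```python
"""Gap check: which domains in use are not verified in the Azure AD tenant?"""
from __future__ import annotations

# Constructed sample data (not from any real tenant).
# Domains verified in the tenant, e.g. exported from the Custom domain names blade.
TENANT_DOMAINS = {"contoso.example", "staff.contoso.example", "contoso.onmicrosoft.com"}

# Domains observed in use across the organisation.
DOMAINS_IN_USE = [
    "contoso.example",
    "staff.contoso.example",
    "students.contoso.example",      # subdomain never added to the tenant
    "mail.students.contoso.example",
    "partner.example",               # not ours at all
]


def normalize(name: str) -> str:
    return name.strip().rstrip(".").lower()


def registered_ancestor(domain: str, registered: set[str]) -> str | None:
    """Return the closest verified parent of `domain`, or None.
    A verified parent does NOT cover its children in Azure AD; each subdomain
    must be added on its own. Assumes a single-label TLD; for real data use a
    public suffix list so that e.g. co.uk is not treated as a parent."""
    labels = domain.split(".")
    for i in range(1, len(labels) - 1):  # stop before the TLD
        parent = ".".join(labels[i:])
        if parent in registered:
            return parent
    return None


def find_gaps(in_use, registered) -> dict[str, tuple[str, str | None]]:
    """Classify each in-use domain:
    'verified'    : present in the tenant
    'unprotected' : a parent is verified but this subdomain is not (claimable elsewhere)
    'foreign'     : no verified ancestor; not ours, or the root was never added
    Returns domain -> (status, closest verified parent or None)."""
    reg = {normalize(d) for d in registered}
    report = {}
    for raw in in_use:
        d = normalize(raw)
        if d in reg:
            report[d] = ("verified", None)
            continue
        parent = registered_ancestor(d, reg)
        report[d] = ("unprotected" if parent else "foreign", parent)
    return report


if __name__ == "__main__":
    for d, (status, parent) in sorted(find_gaps(DOMAINS_IN_USE, TENANT_DOMAINS).items()):
        print(f"{status:12} {d}" + (f"  (only {parent} is verified)" if parent else ""))
```

Every domain reported as `unprotected` should be added to the tenant before someone else's self-service sign-up creates an unmanaged tenant around it.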
