This post explains how to configure the DNS requirements to configure single sign-on (ADFS) or shared sign-on (synchronisation) in Azure AD (AAD) – you need to create a domain name in Azure AD and prove ownership of the domain to Microsoft.
Why Do You Need Matching Domain Names?
Imagine you have a “legacy” AD (LAD) running on one or more domain controllers called joeelway.com. If you have a user called Mary then her user name might be joeelway\Mary. On the Internet, we’re more likely to use a UPN (user principal name), and in Mary’s case that would be Mary@joeelway.com.
Let’s say that we create an Azure subscription called joeelwayazure. Any user that we create in there will be given a UPN with a suffix of joeelwayazure.onmicrosoft.com. For example, Mary would have Mary@joeelwayazure.onmicrosoft.com. This would be both confusing for Mary and for Azure because it doesn’t know that the two UPNs are actually for the same user.
If we want to configure single sign-on using Azure AD, use RemoteApp, or whatever, then we need to make sure that the UPN of the on-premise user account will match that of the in-cloud user account. And we can only accomplish this by creating a domain in AAD that matches the domain name of the LAD. So if my LAD domain name is joeelway.com then I need to make a domain in AAD called joeelway.com.
Create The Domain
Do the following:
1) Sign into the Azure management portal
2) Browse to Active Directory > Default Directory > Domains
3) Click Add A Custom Domain
4) Enter the name of the domain name. Check the “I plan to configure this domain …” box if you plan to use ADFS for single sign-on.
5) Click Add and then proceed to the next screen.
5) Note the verification details.
Verify (Prove Ownership Of) Your Domain
You can only use a domain in AAD if you own it. This prevents any Joe from using joeelway.com for the UPNs. You will need to sign into your domain registrar where you manage the DNS domain name (e.g. joeelway.com). In my case, that’s a company called Blacknight.
I logged in, browsed to the joeelway.com domain, and created a new TXT record using the details from the still-open verification screen in the management portal.
Now I can return to the Azure management portal, and click Verify. It can take a little time for the record (thanks to the fun of DNS) to be available so you can close the dialog in the management portal. The domain remains in an “Unverified” and unusable state. You can return to the domain, select it, and click Verify at a later time.
Tip: if you are in a lab scenario, you might have old TXT verification records that could prevent verification – make sure you delete these first.
With this done, you now have a verified domain ready for single or shared sign-on. Users can be created in your AAD default directory with a UPN suffix that matches your LAD domain name.
Question: what if your on-permises domain name is something like joeelway.local or joeelway.internal? You can’t host those domains on the Internet so you cannot verify them. I’ll deal with this in a later post.