
Add Domain

Add a new custom domain to your Microsoft 365 tenant. Follow the step-by-step process to register, verify ownership, and configure DNS records for use with M365 services including Exchange Online, SharePoint, and Teams.

Adding a Domain

Click Add Domain and follow these steps:

Step 1: Enter Domain Name

Enter the domain you want to add (e.g., contoso.com). Subdomains like mail.contoso.com must be added separately.

Step 2: Verify Ownership

Prove you own the domain by adding a TXT record to your DNS:

TXT Record: MS=ms12345678
Host: @ (or contoso.com)
TTL: 3600

Step 3: Configure DNS Records

Add the required DNS records for M365 services (MX, CNAME, TXT for SPF/DKIM/DMARC). See the Required DNS Records section below for details.

Step 4: Verify and Activate

Microsoft checks DNS records (may take up to 72 hours for propagation). Once verified, the domain is ready for use.

Note: DNS propagation time varies by registrar. Most changes take effect within a few hours, but allow up to 72 hours for full propagation.

Domain List Columns

| Column | Description |
|---|---|
| Domain Name | The domain (e.g., contoso.com) |
| Status | Verified, Pending, or Failed |
| Type | Managed (verified) or Initial (*.onmicrosoft.com) |
| Default | Whether this is the default for new users |
| Capabilities | Email, SharePoint, Teams, etc. |
| Users | Number of users with this domain |

Required DNS Records

MX Record (Email)

Routes email to Exchange Online:

Host: @
Points to: contoso-com.mail.protection.outlook.com
Priority: 0

Autodiscover CNAME

Enables automatic Outlook configuration:

Host: autodiscover
Points to: autodiscover.outlook.com

SPF Record

Prevents email spoofing:

Type: TXT
Host: @
Value: v=spf1 include:spf.protection.outlook.com -all

DKIM Records

Cryptographic email signing:

Host: selector1._domainkey
Points to: selector1-contoso-com._domainkey.contoso.onmicrosoft.com

Host: selector2._domainkey
Points to: selector2-contoso-com._domainkey.contoso.onmicrosoft.com

DMARC Record

Policy for handling failed authentication:

Type: TXT
Host: _dmarc
Value: v=DMARC1; p=quarantine; rua=mailto:dmarc@contoso.com

Teams/Skype for Business Records

For Teams federation and SIP:

SRV: _sipfederationtls._tcp -> sipfed.online.lync.com (Port 5061)
SRV: _sip._tls -> sipdir.online.lync.com (Port 443)
CNAME: sip -> sipdir.online.lync.com
CNAME: lyncdiscover -> webdir.online.lync.com

Domain Types

| Type | Description | Example |
|---|---|---|
| Initial Domain | The *.onmicrosoft.com domain created with your tenant. Cannot be removed. | contoso.onmicrosoft.com |
| Managed Domain | Custom domain you have added and verified. DNS managed externally. | contoso.com |
| Federated Domain | Domain configured for federation with on-premises AD FS or third-party IdP. | Authentication handled externally |
| Password Hash Sync | Domain with hybrid identity using Azure AD Connect. | Password hashes synced from on-premises |

Default Domain

The default domain is used when creating new users without specifying a domain:

  • New users get UPN suffix of the default domain
  • Only verified domains can be set as default
  • The initial *.onmicrosoft.com domain cannot be default if custom domains exist
  • Change default by clicking Set as Default on any verified domain

Domain Health

Monitor DNS configuration status for each domain:

| Record | Status Options |
|---|---|
| MX | Configured / Missing |
| SPF | Valid / Invalid / Missing |
| DKIM | Enabled / Not enabled |
| DMARC | Configured / Missing |

Warning: Missing DKIM and DMARC records reduce email deliverability and leave your domain vulnerable to spoofing attacks. Configure all email authentication records.
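
The following is an added example, not the product's own health check: a small offline classifier that maps apex and _dmarc TXT strings to the SPF and DMARC statuses listed above. The classification rules, function names, and sample zone are assumptions built from the record values shown on this page.

```python
# Added example, not the product's own logic; the rules below are assumptions.
M365_SPF_INCLUDE = "include:spf.protection.outlook.com"  # value from this page


def spf_status(txt_records):
    """Return (status, reason) for the TXT strings published at the apex (@)."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return "Missing", "no v=spf1 record"
    if len(spf) > 1:
        # RFC 7208: more than one SPF record is a permanent error for receivers.
        return "Invalid", "multiple v=spf1 records"
    terms = spf[0].lower().split()
    if M365_SPF_INCLUDE not in terms:
        return "Invalid", "Exchange Online include is absent"
    if terms[-1] != "-all":
        # Assumption: anything weaker than the page's -all is flagged.
        return "Invalid", f"record ends with {terms[-1]!r}, not -all"
    return "Valid", "single record, M365 include, -all"


def dmarc_status(txt_records):
    """Return (status, policy) for the TXT strings published at _dmarc."""
    dmarc = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        # RFC 7489: zero records, or duplicates, both leave no usable policy.
        return "Missing", None
    tags = {
        k.strip().lower(): v.strip()
        for k, _, v in (part.partition("=") for part in dmarc[0].split(";"))
        if k.strip()
    }
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "Missing", None  # no valid p= tag, so nothing to enforce
    return "Configured", policy


def domain_health(zone):
    """zone maps host labels ('@', '_dmarc') to lists of TXT strings."""
    return {"SPF": spf_status(zone.get("@", []))[0],
            "DMARC": dmarc_status(zone.get("_dmarc", []))[0]}


# Constructed sample zone using the example values from this page.
SAMPLE_ZONE = {
    "@": ["MS=ms12345678", "v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@contoso.com"],
}
```

Call domain_health(SAMPLE_ZONE) to get the per-record statuses; dmarc_status also returns the policy, so a p=none record can be told apart from an enforcing one.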

Removing a Domain

Before removing a domain, complete the prerequisites in steps 1-4; step 5 then deletes the domain:

  1. Change UPN suffix of all users from this domain
  2. Remove all email addresses using this domain
  3. Delete or rename all groups using this domain
  4. Remove all SharePoint site collections using this domain
  5. Delete the domain from M365

Warning: The initial *.onmicrosoft.com domain cannot be removed. It will always remain associated with your tenant.

Graph API Endpoints

  • GET /domains — List all domains
  • POST /domains — Add a new domain
  • POST /domains/[id]/verify — Verify domain ownership
  • GET /domains/[id]/serviceConfigurationRecords — Get required DNS records
  • DELETE /domains/[id] — Remove a domain

API Reference

  • GET /api/identity/domains — List all domains in tenant
  • POST /api/identity/domains — Add new domain
  • POST /api/identity/domains/:id/verify — Verify domain ownership
  • GET /api/identity/domains/:id/dns-records — Get required DNS records
  • GET /api/identity/domains/:id/health — Check DNS configuration health