This post is part of a series; for the series contents see:
To set up a custom domain in Azure AD there were a couple of basic things I needed to get out of the way first:
- I needed to own a domain to add
- And, I needed somewhere to host that domain
Since this is all about Azure, the solution to point two was easy: I decided to host my domain in Azure DNS. As an added bonus it’s nice and cheap, literally pence per month.
Add a Zone to Azure DNS
Adding a domain into Azure DNS is a simple one-liner (you need to specify a resource group so I stuck it into my hub resource group from the Azure IaaS Lab series):
# Login to Resource Manager
Login-AzureRmAccount
$RGName = "hub-rg"
New-AzureRmDnsZone -Name irankon.tk -ResourceGroupName $RGName
Then, so that I knew the correct nameservers to tell my domain registrar I ran this simple “get” cmdlet:
$RGName = "hub-rg"
Get-AzureRmDnsZone -Name irankon.tk -ResourceGroupName $RGName
The output of this command gave me the following nameservers to use:
Set Up a Free Domain
Buying your own domain name is generally cheap enough, especially if you stay away from .com domains and choose one of the more obscure suffixes. But no matter how cheap it is, I’m cheaper! This is a test lab so I’ve got no interest in using my hard-earned cash for it, which led me to www.freenom.com.
It turns out that there are a few countries out there that allow people and small businesses to register domain names with their country code for free and sites like freenom.com can facilitate that. I decided to go for irankon.tk and benefit from the kindness of the good people of Tokelau in the South Pacific (see here for details).
First up I went to good old outlook.com and set myself up with a free test account:
Then, using that account, I registered with freenom to set myself up with irankon.tk:
Once I’d completed the registration process the next step was to tell the registrar (freenom) that I wanted to host that zone from Azure DNS by specifying the name servers I got from my “get” cmdlet previously:
And that was all that was needed. It took about half an hour for everything to update and the SOA record to reflect what I wanted, but it got there eventually and I was able to check with a simple nslookup:
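Rather than eyeballing an nslookup, the delegation check can be scripted: compare the name servers Azure assigned to the zone against the NS records the public DNS actually returns, and confirm the SOA is being served from Azure. This is an added example, not code from the original post. It assumes the AzureRm module is loaded and Login-AzureRmAccount has been run (the newer Az module has the same cmdlets under Get-AzDnsZone etc.), and that Resolve-DnsName (DnsClient module, Windows 8 / Server 2012 and later) is available; the resource group and zone name are the ones used in the post.

```powershell
# Added example (not from the original post): confirm the registrar delegation
# points at the Azure DNS name servers before moving on to domain verification.
# Assumes the AzureRm module is loaded and Login-AzureRmAccount has been run;
# Resolve-DnsName needs the DnsClient module (Windows 8 / Server 2012 and later).
$RGName   = "hub-rg"
$ZoneName = "irankon.tk"

function Test-AzureDnsDelegation {
    param(
        [Parameter(Mandatory)] [string] $ZoneName,
        [Parameter(Mandatory)] [string] $ResourceGroupName
    )

    # The name servers Azure assigned to the zone (the ones handed to the registrar)
    $zone     = Get-AzureRmDnsZone -Name $ZoneName -ResourceGroupName $ResourceGroupName
    $expected = $zone.NameServers | ForEach-Object { $_.TrimEnd('.').ToLower() } | Sort-Object

    # What public DNS returns for the NS records (-DnsOnly bypasses the local cache and hosts file)
    $actual = Resolve-DnsName -Name $ZoneName -Type NS -DnsOnly -ErrorAction Stop |
        Where-Object { $_.Type -eq 'NS' } |
        ForEach-Object { $_.NameHost.TrimEnd('.').ToLower() } | Sort-Object

    $missing = @($expected | Where-Object { $_ -notin $actual })
    $extra   = @($actual   | Where-Object { $_ -notin $expected })

    # SOA as answered by the first Azure name server, to show the zone is served from Azure
    $soa = Resolve-DnsName -Name $ZoneName -Type SOA -Server $zone.NameServers[0] -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SOA' }

    [pscustomobject]@{
        Zone         = $ZoneName
        Delegated    = ($missing.Count -eq 0 -and $extra.Count -eq 0)
        ExpectedNS   = $expected
        PublicNS     = $actual
        MissingNS    = $missing
        UnexpectedNS = $extra      # stale registrar or parking name servers still being returned
        SoaPrimary   = $soa.PrimaryServer
    }
}

Test-AzureDnsDelegation -ZoneName $ZoneName -ResourceGroupName $RGName | Format-List
```

Delegated comes back $true only when the public NS set matches the Azure set exactly; a non-empty UnexpectedNS usually means the registrar's old parking name servers are still listed, which is the typical reason verification fails later even though the zone looks right in the portal.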
Verifying My Azure AD Custom Domain
In the previous post, when I added my custom domain to Azure AD, I left it in an unverified state so now that I’d sorted out my domain and DNS hosting I needed to correct that.
Anyone who’s had to add a custom domain into O365 before will be familiar with this process but essentially it boils down to this:
- Before you can start using a custom domain you need to prove that you own it. Otherwise we could all add any old domain to our setup without permission (such as someone adding “bbc.co.uk”, for example).
- To do this, Microsoft will generate a code and ask you to add it to your DNS zone as a TXT record.
- This is then used to verify that you own the domain: unless you’ve been hacked, under normal circumstances the only person with the power to add a TXT record to a domain’s DNS zone file should be the owner of that domain.
Well in my case I do own irankon.tk and I also have control of DNS via Azure DNS.
So, in the Azure portal I browsed to AAD and clicked the verify button to kick off the whole process:
A screen then popped up with instructions for the TXT record I needed to add into my DNS zone in order to prove that I own it:
At this point I left the screen open and added the record to DNS with the following PowerShell (change the TXT record value to whatever is appropriate for you):
$RGName = "hub-rg"
$Records = @()
$Records += New-AzureRmDnsRecordConfig -Value "MS=ms00000000"
$RecordSet = New-AzureRmDnsRecordSet `
    -Name "@" `
    -RecordType TXT `
    -ResourceGroupName $RGName `
    -TTL 3600 -ZoneName "irankon.tk" `
    -DnsRecords $Records
Then, once the record had been added, I simply clicked the “Verify” button to complete the whole process.
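Two things are worth adding around the record step: New-AzureRmDnsRecordSet fails if a TXT record set already exists at the zone apex (an SPF record is the common case), so the token should be appended to the existing set instead; and it is cheaper to confirm the token is answered by the Azure name servers than to press Verify and wait for a failure. The script below is an added example, not code from the original post. It assumes the AzureRm module is loaded and you are logged in; "MS=ms00000000" is a placeholder for the value the portal shows, and the resource group and zone name are the ones used in the post.

```powershell
# Added example (not from the original post): add the Azure AD verification token as a
# TXT record at the zone apex without clobbering an existing apex TXT record set (for
# example an SPF record), then confirm the token is visible on the Azure name servers
# before pressing Verify. Assumes the AzureRm module is loaded and you are logged in.
# "MS=ms00000000" is a placeholder; use the value shown in the portal.
$RGName   = "hub-rg"
$ZoneName = "irankon.tk"
$Token    = "MS=ms00000000"

function Add-AadVerificationTxtRecord {
    param(
        [Parameter(Mandatory)] [string] $ZoneName,
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $Token,
        [int] $Ttl = 3600
    )

    $existing = Get-AzureRmDnsRecordSet -Name "@" -RecordType TXT -ZoneName $ZoneName `
        -ResourceGroupName $ResourceGroupName -ErrorAction SilentlyContinue

    if ($null -eq $existing) {
        # No apex TXT record set yet: create one with the token as its only value
        $records = @(New-AzureRmDnsRecordConfig -Value $Token)
        New-AzureRmDnsRecordSet -Name "@" -RecordType TXT -ZoneName $ZoneName `
            -ResourceGroupName $ResourceGroupName -Ttl $Ttl -DnsRecords $records | Out-Null
    }
    elseif (-not ($existing.Records | Where-Object { $_.Value -eq $Token })) {
        # A record set already exists (e.g. SPF): append the token rather than replacing the set
        Add-AzureRmDnsRecordConfig -RecordSet $existing -Value $Token | Out-Null
        Set-AzureRmDnsRecordSet -RecordSet $existing | Out-Null
    }
}

function Test-AadVerificationTxtRecord {
    param(
        [Parameter(Mandatory)] [string] $ZoneName,
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $Token
    )

    $zone = Get-AzureRmDnsZone -Name $ZoneName -ResourceGroupName $ResourceGroupName

    # Ask each authoritative Azure name server directly so a cached answer cannot mislead us
    foreach ($ns in $zone.NameServers) {
        $txt = Resolve-DnsName -Name $ZoneName -Type TXT -Server $ns -DnsOnly -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'TXT' }
        # A TXT record may be split into several strings; join them before comparing
        $found = [bool]($txt | Where-Object { ($_.Strings -join '') -eq $Token })
        [pscustomobject]@{ NameServer = $ns; TokenVisible = $found }
    }
}

Add-AadVerificationTxtRecord  -ZoneName $ZoneName -ResourceGroupName $RGName -Token $Token
Test-AadVerificationTxtRecord -ZoneName $ZoneName -ResourceGroupName $RGName -Token $Token | Format-Table -AutoSize
```

Once every row reports TokenVisible as $true the Verify button should succeed straight away; Azure AD queries the authoritative servers, so there is no need to wait for resolver caches to expire as there was for the NS delegation.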