You must have an admin account to add a domain and configure DNS for Microsoft 365.

To add a domain to Microsoft 365 and configure domain federation:

  1. In the Microsoft 365 Admin Center, go to Settings > Domains.
  2. Click Add Domain.
  3. In the Enter a domain you own field, enter the name of your domain.
  4. Click Next.
  5. Choose a method to verify your ownership of the domain:
    • Use Domain Connect to let Microsoft verify the domain.
    • Add a TXT record to your domain's DNS records using the values supplied by Microsoft.
    • Upload a text file to your website's top-level folder.
  6. Click Verify.
  7. Configure the DNS records on the domain registrar for other services.

    Do not make the new domain the primary domain for your Microsoft 365 account. Setting the new domain as the default domain causes an error when you use Set-MsolDomainAuthentication to set the domain as a federated domain.

    For more information, see Add a domain to Microsoft 365 in the Microsoft documentation.

    You've added your domain. Now you're ready to configure federation.
  8. At the PowerShell command line, enter Connect-MsolService.
    PowerShell initiates a connection to Azure and opens an embedded browser window.
  9. In the browser window, sign on to the Azure tenant with a Global Administrator account.
  10. Run the following commands in the Azure AD PowerShell.

    You can find the values for the placeholders shown in angle brackets below in the Microsoft 365 application configuration tab in PingOne for Enterprise.

    $dom = "<your domain name, such as>"
    $BrandName = "<The name of your organization, such as Example Inc.>"
    $ActiveLogOn = "<The Active Log On URI value from PingOne for Enterprise>"
    $LogOnUrl = "<The Passive Log On URI value from PingOne for Enterprise>"
    $LogOffUrl = "<The Log Off URI value from PingOne for Enterprise>"
    $MyURI = "<The Issuer URI value from PingOne for Enterprise>"
    $Metadata = "<The Metadata Exchange URI value from PingOne for Enterprise>"
    # Paste the certificate as a single line of base64 with no line breaks (see the note below).
    $MySigningCert = "<The Signing Certificate text from PingOne for Enterprise in base64 format>"
    Set-MsolDomainAuthentication `
    -DomainName $dom `
    -FederationBrandName $BrandName `
    -Authentication Federated `
    -PassiveLogOnUri $LogOnUrl `
    -SigningCertificate $MySigningCert `
    -IssuerUri $MyURI `
    -LogOffUri $LogOffUrl `
    -MetadataExchangeUri $Metadata `
    -ActiveLogOnUri $ActiveLogOn

    When copying the base64-encoded signing certificate to enter into the MSOL cmdlet, make sure to remove any line breaks in the certificate text. Line breaks will cause errors when attempting to execute the commands.

  11. Use the following commands to confirm domain federation settings:
    • Get-MsolDomain: check the status of domain federation.
    • Set-MsolDomainAuthentication: change the authentication type for a given domain.

    For a complete list of commands, see MSOnline in the Microsoft documentation.
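The following script is an added example that is not part of the PingOne for Enterprise or Microsoft documentation: it normalises the pasted signing certificate into the single-line base64 form the cmdlet expects, rejects a certificate that does not parse or has expired, applies the federation settings from steps 10 and 11 via splatting, and then checks with Get-MsolDomain and Get-MsolDomainFederationSettings that the tenant holds exactly what was pushed. The file path and every angle-bracket value are placeholders you replace with the values from the PingOne for Enterprise configuration tab.

```powershell
# Added example (not PingOne's or Microsoft's own script). Assumes an existing
# Connect-MsolService session with a Global Administrator account.

# Strip PEM armour and every line break so the cmdlet receives one contiguous
# base64 string, then prove it is a usable X.509 certificate before touching the tenant.
function ConvertTo-SingleLineBase64 {
    param([Parameter(Mandatory)][string]$CertificateText)
    $clean = $CertificateText -replace '-----(BEGIN|END) CERTIFICATE-----', ''
    $clean = $clean -replace '\s', ''          # removes CR, LF, spaces and tabs
    $bytes = [Convert]::FromBase64String($clean)   # throws on a mangled paste
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Signing certificate expired on $($cert.NotAfter); federation sign-on would fail."
    }
    Write-Verbose "Signing certificate $($cert.Thumbprint) valid until $($cert.NotAfter)"
    return $clean
}

$dom       = "<your domain name>"                                  # placeholder
$rawCert   = Get-Content -Path '.\pingone-signing-cert.txt' -Raw   # placeholder path
$cleanCert = ConvertTo-SingleLineBase64 -CertificateText $rawCert

# Splatting keeps every parameter name in one place, which avoids the trailing-backtick
# and misspelled-parameter mistakes that a long continued command line invites.
$federation = @{
    DomainName          = $dom
    FederationBrandName = "<The name of your organization>"
    Authentication      = 'Federated'
    ActiveLogOnUri      = "<Active Log On URI from PingOne for Enterprise>"
    PassiveLogOnUri     = "<Passive Log On URI from PingOne for Enterprise>"
    LogOffUri           = "<Log Off URI from PingOne for Enterprise>"
    IssuerUri           = "<Issuer URI from PingOne for Enterprise>"
    MetadataExchangeUri = "<Metadata Exchange URI from PingOne for Enterprise>"
    SigningCertificate  = $cleanCert
}
Set-MsolDomainAuthentication @federation

# Verify: the domain must now report Federated, and the certificate stored in the
# tenant must match the one supplied (a mismatch means a stale or mangled paste).
$domain   = Get-MsolDomain -DomainName $dom
$settings = Get-MsolDomainFederationSettings -DomainName $dom
if ($domain.Authentication -ne 'Federated') {
    throw "Domain $dom is still $($domain.Authentication)"
}
if ($settings.SigningCertificate -ne $cleanCert) {
    throw "Tenant signing certificate differs from the one supplied"
}
"Federation configured for $dom; issuer $($settings.IssuerUri)"
```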