After signing up for Office 365, the only domain associated with your account is the onmicrosoft.com subdomain chosen during registration, such as contoso.onmicrosoft.com. To enable single sign-on (SSO) to Azure AD and Office 365, you should have another domain added to the environment.

If you have already added and verified such a domain, skip to step 2.

Tip:

Running the Azure AD Connect tool and following its prompts makes these required configuration changes automatically. The steps outlined here can be run manually if required.

  1. Add a federated domain to your account: Authenticate to Office 365 using the Connect-MsolService PowerShell cmdlet, and enter the same credentials used when authenticating to the Microsoft Online Services portal.
    • Add a new domain using Azure AD or Office 365 Admin Portals. See the following sections of the Microsoft documentation:

    • Add a new domain manually with PowerShell.

      Tip:

      You can load this and the other cmdlets described here by launching PowerShell from the Microsoft Azure Active Directory Module for Windows PowerShell desktop and Start menu shortcuts.

      1. To add a new domain, run the New-MsolDomain -Name <name> -Authentication Managed command.
      2. To get DNS verification records for the new domain, run the Get-MsolDomainVerificationDns -DomainName <name> command.
      3. To prove that you control the domain, use the output of the Get-MsolDomainVerificationDns command to create a TXT record on the DNS server of the domain used in the previous step.
        Note:

        This server must be accessible over the Internet so that Microsoft servers can resolve and access it.

        The DNS record name should match the Domain Name and the DNS record value should be MS=<ms portion of the Label>.

        The following is an example from the Get-MsolDomainVerificationDNS command.


        Screen capture showing the PowerShell prompt with the results of the Get-MsolDomainVerificationDNS command
        Note:

        Creating a DNS record value can vary between different DNS host providers. For more information about adding your domain to Office 365, see Add a domain to Microsoft 365 in the Microsoft documentation.

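        Example Values for Creating a Text Record

        | Record Type | Alias or hostname  | Destination or Points to Address    | TTL    |
        |-------------|--------------------|-------------------------------------|--------|
        | TXT         | @ or jkdoctest.com | MS=ms60016396                       | 1 Hour |
        | MX          | @ or jkdoctest.com | Ms60016396.msv1.invalid.outlook.com | 1 Hour |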

      4. To prove your control of the domain, run the Confirm-MsolDomain -DomainName <name> command.
  2. Complete the steps in Enabling federated authentication.
  3. Complete the steps in Configuring multiple domains.
  4. To verify that the domain settings are up to date and in effect, run the Get-MsolDomainFederationSettings -DomainName <name> command.
  5. To change domain settings after the domain is created and verified, run the Set-MsolDomainFederationSettings -DomainName <name> command with extra arguments for the settings that you want to change.
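
The manual PowerShell sub-steps of step 1 can be combined into one script that does not call Confirm-MsolDomain until the TXT record is visible from the Internet. This is an added example, not part of the original procedure; the script parameters, the public resolver address, and the polling interval are assumptions, and it expects the MSOnline module and the DnsClient Resolve-DnsName cmdlet to be available.

```powershell
# Added example: add a domain manually and confirm it only after the
# verification TXT record resolves publicly. Parameter names are illustrative.
param(
    [Parameter(Mandatory)] [string] $DomainName,   # domain being added
    [string] $Resolver = '8.8.8.8',                # assumed public resolver
    [int] $TimeoutMinutes = 30                     # assumed polling limit
)
$ErrorActionPreference = 'Stop'
Import-Module MSOnline
Connect-MsolService    # same credentials as the Microsoft Online Services portal

# Sub-step 1: add the domain as Managed unless it is already in the tenant.
try   { $domain = Get-MsolDomain -DomainName $DomainName }
catch { $domain = New-MsolDomain -Name $DomainName -Authentication Managed }
if ($domain.Status -eq 'Verified') {
    Write-Host "$DomainName is already verified."
    return
}

# Sub-step 2: fetch the verification record and build the TXT value as
# MS=<ms portion of the Label>, following the rule stated in the note above.
$record   = Get-MsolDomainVerificationDns -DomainName $DomainName
$expected = 'MS=' + ($record.Label -split '\.')[0]
Write-Host "Create a TXT record: host '@' or $DomainName, value '$expected', TTL 1 hour"

# Sub-step 3 check: poll an external resolver so the result reflects what
# Microsoft's servers can see, not only what the internal DNS server returns.
$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
do {
    $answer = Resolve-DnsName -Name $DomainName -Type TXT -Server $Resolver `
                  -DnsOnly -ErrorAction SilentlyContinue
    $values = @($answer | Where-Object { $_.Type -eq 'TXT' } |
                  ForEach-Object { $_.Strings })
    $found  = $values -contains $expected
    if (-not $found) { Start-Sleep -Seconds 60 }
} until ($found -or (Get-Date) -gt $deadline)

if (-not $found) {
    throw "TXT value '$expected' is not visible via $Resolver; domain not confirmed."
}

# Sub-step 4: prove control of the domain, then show the resulting state.
Confirm-MsolDomain -DomainName $DomainName
Get-MsolDomain -DomainName $DomainName | Select-Object Name, Status, Authentication
```

A domain that still shows a Status other than Verified after this script completes should be resolved before continuing to step 2, because the federation steps depend on a verified domain.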