Manage Domains in Office 365 using PowerShell

In a previous blogpost I showed you how to create new domains in Office 365 using the Microsoft Online Portal. You can do the same using PowerShell which can be much more interesting, especially for partner reselling Office 365 through the Cloud Solution Provider (CSP) program. If you want to know more about PowerShell, check my previous blog post Manage Office 365 with PowerShell.

Add a new domain

Adding a new domain in Windows Azure Active Directory can be broken down into three steps as we’ve seen in adding a domain using the Microsoft Online Portal:

  • Add and validate the actual domain;
  • Configure and validate DNS records (domain purpose);
  • Configure or add users;

These steps will be described in the following sections

Add and validate the actual domain

To add a new domain you can use the New-MsolDomain command. The –Name option is used to pass the domain name and the –Authentication option is used to pass the type of domain, which is either Managed or Federated. The latter is used in a federated environment with Directory Synchronization and ADFS, so in this example we use ‘Managed’:

New-MsolDomain –Authentication Managed –Name office365labs.nl

imageWhen the domain is entered into Office 365 it needs to be validated with the Get-MsolDomainVerificationDns command. This will return the DNS record you have to enter in public DNS for verification purposes. I prefer to use a TXT record (DnsTxtRecord) but an MX (DnsMXRecord) can be used as well.

Get-MsolDomainVerificationDns -DomainName office365labs.nl -Mode DnsTxtRecord

image

After adding the record to public DNS the new domain can be verified using the Confirm-MsolDomain command. Please take DNS replication time into account!

Confirm-MsolDomain –DomainName office365labs.nl

image

The domain is now added to Office 365 and (almost) ready for use.

Configure and validate DNS records (domain purpose)

The next step in the Microsoft Online Portal is to configure uses and the domain purpose, i.e. used with Exchange Online and Lync Online. Based on your selection the DNS records are shown which you have to configure.

When you check the Microsoft Online Portal at this point you’ll see that the new domain is validated, but needs some additional configuration. The status is Setup in progress (domain verified) as shown in the following figure.

image

Unfortunately it is not possible using PowerShell to configure the domain purpose so you have to use the Microsoft Online Portal (impossible to do if you have hundreds of domain, or when you’re a hosting company) or leave it this way.

Is this bad? Formally you don’t have a finalized domain setup and as such you most likely will be in an unsupported configuration. The domain purpose is configured on the domain, when you use the command Get-MsolDomain | select Name,capabilities in PowerShell the domain purpose is actually shown when the domain is configured in the Microsoft Online Portal:

image

The differences are clearly visible. The office365labs.nl domain is created using PowerShell, the inframan.nl domain was created using the Microsoft Online Portal (in a previous blog post, but without selecting Lync).

On the other hand, when you leave it this way the entire configure will work as expected, as long as you configure your public DNS with the correct entries.

The DNS records that need to be created are standard entries, with an exception of the MX record of the new domain. The domain name is part of the MX records, but the “.” in the domain name is replaced by a “-“, followed by mail.protection.outlook.com.

So, for Exchange Online you need the following public DNS entries:

MX Record office365labs-nl.mail.protection.outlook.com (priority 0)
Autodiscover autodiscover.outlook.com (CNAME)
Msoid clientconfig.microsoftonline-p.net (CNAME)
TXT v=spf1 include:spf.protection.outlook.com –all

And for Lync Online you need to create the following public DNS entries:

Sip sipdir.online.lync.com (CNAME)
Lyncdiscover webdir.online.lync.com (CNAME)

Furthermore, Lync Online needs the following Service Records in public DNS:

Service, Port, Weight, Priority, Target
_sip _tls 443 1 100 sipdir.online.lync.com
_sipfederationtls _tcp 5061 1 100 sipfed.online.lync.com

New domains in Exchange Online

When you’ve added a new domain in Azure Active Directory as described in the previous section, it is automatically added to Exchange Online as an ‘authoritative domain’. When you logon to Exchange Online with Remote PowerShell and use the Get-AcceptedDomain command the new domains will show up as shown in the following figure:
Exo-Domains
In an upcoming blogpost I’ll discuss managing Exchange Online using PowerShell in more detail.

Remove a Domain

To remove a domain from Azure Active Directory you can use the Remove-MsolDomain command with the -DomainName option and the -Force option to suppress the warning notification, for example:

Remove-MsolDomain -DomainName office365labs.nl -Force

Summary

You can use PowerShell with the Microsoft Online module to create additional domains in your Office 365 environment. Creating the new domains is easy and a matter of a few commands. The domain purpose is not configurable via PowerShell so you have to do this using the Microsoft Online Portal or omit this step.

I’ll continue to monitor developments here (I’m not that confident since this situation exists for a long time now, unfortunately) and when things improve I’ll update my blog post.

2 thoughts on “Manage Domains in Office 365 using PowerShell”

  1. It is actually possible to get rid of “Setup in progress (domain verified)”
    Goto the following ULR, replacing “domain.com” in the URL with the domain that has the “Setup in progress….” warning:
    https://portal.office.com/Admin/Default.aspx#@/Domains/ConfigureDomainWizard.aspx?domainName=domain.com&view=ServiceSelection

    Walk through the steps that are presented. When done, you will get a popup in the right top corner to complete your setup. If you click and that you can continue the wizard. It is required to press “finish” in the last step. Now the warning should be gone.

    Like

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s