Adding a Custom Domain to your Windows Azure AD
I recently created a new Windows Azure subscription trial, going through the Organizational route.
However, I made a mistake: I accepted the default name assigned to the directory, which happens to be the combination of the first and last name of the admin user I created. Having that directory named as one user can be supremely confusing, and given that I was planning to use the new tenant for posts and samples…
Instead of starting from scratch and creating a subscription with another name, I decided to be a bit more creative: I would associate a custom domain with it, confident that I would find a suitable one among all the domains I have accumulated through the years.
The domain verification process is well documented; however, I am a sucker for screenshots and MSDN is traditionally not crazy about them (they *SO* didn’t like the drafts of walkthroughs #1 and #3 when they first saw them), hence I decided to snap a few pics while I was going through the process, in case there are other people with a thick visual cortex out there who could benefit from them.
First thing to do: head to the Active Directory tab, then click on the directory entry (here called “vittorio.bertocci”; I know, I know…).
Click on the Domains header.
I just created the tenant, hence the custom domains list is as white as the carpet of fallen petals tapestrying Redmond in these Spring days. Click on the “Add a custom domain” button.
Here you can specify the domain you want to use. I picked cloudidentity.net mostly because I keep it on GoDaddy, which happens to be one of the most popular providers out there.
Note: here I am happily ignoring the instructions on setting up SSO, given that for the time being I have no intention of setting up an ADFS2.0 instance for this (though I eventually just might).
Once you have typed your domain name, hit Add.
So far nothing of relevance has happened yet. AAD now knows about your intention of using cloudidentity.net, but still has no idea (anthropomorphising much?) whether you are the rightful owner of the domain. That’s the job of the next step. Click on the right arrow in the lower right corner.
We get to the verification page. Here the portal gives you a few values (BTW, if you are curious about what a TXT record is, see here) that you are supposed to add to the DNS records of your domain; the idea is that only the legitimate owner of the domain has write access to its records, hence if you are able to add that info and AAD finds it in place once you hit Verify, you will have proven that the domain is yours to use. If you click on the instructions link you’ll get to a very helpful page giving you step-by-step instructions (but no screenshots).
So, here I opened a new browser window and headed to GoDaddy.
After having signed in and clicked on My Account, I expanded the list of domains.
Once I located the entry for cloudidentity.net, I launched the editor with the Launch button on its right. There I looked up the Domain Manager link and clicked on it.
Here you can edit various DNS records: we are especially interested in TXT ones. Click on quick add.
Enter in Host and TXT Value the info you got from the verification dialog in the Windows Azure portal, then scroll all the way to the bottom of the page and save.
Your TXT record is now up! ALT+TAB your way back to the portal and hit Verify.
Ta dah! The domain is verified! Hit the OK button on the lower right.
The list of domains now includes both the default 3-level one and the new entry for cloudidentity.net.
Want to see if it works? Easy!
Go to the Users section of the portal and create a new user.
In the username domain dropdown you can now pick the new domain, which is pretty neat.
Just for fun I created the user in the global admin role, then I headed to Visual Studio, created a new MVC project and launched the ASP.NET tool for Windows Azure AD (yes, it still works even with Windows Azure AD GA, though the tool itself is still in preview and there are interesting caveats I’ll spell out in the next few days).
Here, as tenant identifier I entered the custom domain:
Once prompted by the AAL dialog, I entered the new user’s credentials on the new domain:
The tool informed me that the app was successfully configured and provisioned. I hit F5 and…
Ta dah! From 3-level defaults to vanity domains in literally minutes. Pretty cool.
I made the same mistake but I’d like to either change the invalid name or remove the domain completely. Is this possible?
Thanks.
Btw. nice screenshots 😉
Hi PS,
my understanding is that as of today it is not possible.
Thanks!
V.