I have an Azure account with a tenant that has a custom domain (hosted by a different domain provider). I want to have another 3rd party to host a Microsoft Exchange presence that has the same name as the custom domain on Azure. However, the 3rd party Exchange provider says I can't do this because it would create a second Active Directory of the same domain. So, how can I have an Azure presence (with a web server) and a 3rd party Exchange server use the same domain? Or, that's not the way it works?

Hi Michael, In this scenario, you would need to set up a split-brain DNS configuration. This allows you to use the same domain name for both your Azure web server and your 3rd party Exchange server, while still maintaining separate Active Directory instances. Here are the general steps to set up a split-brain DNS configuration: Create a new subdomain for your Azure web server, such as "web.yourdomain.com". Create a new DNS zone in Azure for the "web.yourdomain.com" subdomain. Add a DNS record to the "web.yourdomain.com" zone for your Azure web server's IP address. Configure your Azure web server to use the "web.yourdomain.com" subdomain for its web traffic. Set up a split-brain DNS configuration with your domain provider, so that requests for "yourdomain.com" are resolved to the Azure web server's IP address when coming from the public internet, but are resolved to the 3rd party Exchange server's IP address when coming from within your network. By setting up a split-brain DNS configuration, you can use the same domain name for both your Azure web server and your 3rd party Exchange server, while still maintaining separate Active Directory instances.

How to have a 3rd party host an Exchange email of the same name as an Azure AAD custom domain

Accepted answer

RevelinoB 2,780 Reputation points

2023-04-24T14:30:57.09+00:00
Hi Michael, In this scenario, you would need to set up a split-brain DNS configuration. This allows you to use the same domain name for both your Azure web server and your 3rd party Exchange server, while still maintaining separate Active Directory instances. Here are the general steps to set up a split-brain DNS configuration:

Create a new subdomain for your Azure web server, such as "web.yourdomain.com".

Create a new DNS zone in Azure for the "web.yourdomain.com" subdomain.

Add a DNS record to the "web.yourdomain.com" zone for your Azure web server's IP address.

Configure your Azure web server to use the "web.yourdomain.com" subdomain for its web traffic.

Set up a split-brain DNS configuration with your domain provider, so that requests for "yourdomain.com" are resolved to the Azure web server's IP address when coming from the public internet, but are resolved to the 3rd party Exchange server's IP address when coming from within your network. By setting up a split-brain DNS configuration, you can use the same domain name for both your Azure web server and your 3rd party Exchange server, while still maintaining separate Active Directory instances.
Please sign in to rate this answer.
Michael 81 Reputation points

2023-04-24T15:06:59.63+00:00

OK. I understand that. There is still only one AD that exists with the custom domain name but you direct traffic to different servers based on custom DNS records. I think I got that. So, maybe the problem I am having is that I set up my Azure instance incorrectly. If I open Azure and then Manage Tenants, I can see 2 Tenant Types that are of type AAD. One of them is an AAD of the domain name I'm trying to create an Exchange instance for. I just assumed that it was intended for me to create an AAD in my Azure instance with the name of my domain. That's where I publish my web apps, web api's, app registrations... Is that not the way I should do it? Should I use the default AAD that Azure creates "xxx.onmicrosoft.com " to publish all my app registrations and web api's and web apps instead and then use the DNS records to modify where traffic goes? So, there can only be one AAD of one name that is publicly exposed? Michael

RevelinoB 2,780 Reputation points

2023-04-24T15:24:19.16+00:00

Yes, you should use the default AAD that Azure creates "xxx.onmicrosoft.com" to publish all your app registrations and web APIs and web apps instead of creating a new AAD with your custom domain name. When you create an Azure AD tenant, it is automatically associated with a default domain name in the format of "xxx.onmicrosoft.com". You can use this default domain name to create your app registrations and web APIs. To use your custom domain name, you can add it as a verified domain in the Azure AD portal and then create DNS records to verify the domain. Once the domain is verified, you can use it to sign in to Azure AD and to access Azure resources. So, to summarize, you should use the default AAD that Azure creates "xxx.onmicrosoft.com" to publish all your app registrations and web APIs and web apps and use the DNS records to modify where traffic goes based on your custom domain name.

Michael 81 Reputation points

2023-04-24T16:02:36.1133333+00:00

Illuminating. Within AAD, there's "Custom Domain Names". Adding a custom domain name is different than going to "Manage Tenants" and adding an AD with the same domain name (ie, don't do this because it will prevent you using a 3rd party managing your Exchange server). And, if there's a 3rd party managing your Exchange Server and the AD, I guess you can't use this same AD for Users in your Enterprise apps to control access. You'll need to use the default AD in Azure for this. Seems like a bit of redundancy. Is there a way to get the default Azure tenant to point to the AD that your 3rd party Exchange Server has created?

RevelinoB 2,780 Reputation points

2023-04-24T18:52:33.8666667+00:00

Hi Michael, In my perception adding a custom domain name in Azure Active Directory (AAD) allows you to use your own domain name for signing in to Azure AD and accessing Microsoft cloud services. However, this is different from adding an AD as a tenant in the "Manage Tenants" section, which allows you to create a separate directory for managing users and resources. If you have a third-party managing your Exchange Server and AD, and you want to control access to your enterprise apps using Azure AD, you can still use the default Azure AD tenant. To do this, you need to set up a trust relationship between your third-party identity provider and Azure AD, which involves configuring claims-based authentication, setting up a relying party trust, and configuring authentication rules to map attributes between the identity providers. Once you have set up the trust relationship, you can use the default Azure AD tenant to manage access to your enterprise apps. This allows you to create user accounts in Azure AD, assign them to groups with specific access permissions, and configure multi-factor authentication and conditional access policies to secure your apps and data. While it may seem redundant to use both a custom domain name and a third-party AD, integrating these systems with federated authentication can provide a seamless user experience. This way, your users can use their existing credentials to access your enterprise apps without the need for a separate set of credentials in Azure AD. I hope this helps?

Michael 81 Reputation points

2023-04-24T20:21:00.34+00:00

This was a brilliant thread. I am very very grateful.
Sign in to comment

Share via

How to have a 3rd party host an Exchange email of the same name as an Azure AAD custom domain

0 additional answers