App registration: Verification of publisher domain failed. Unable to connect

Sean Bryceland 0 Reputation points
2024-06-25T22:20:31.6033333+00:00

Hi there,

We are trying to verify a new App registration in one of our Entra tenants, and I am experiencing issues verifying the Publisher domain for that app via the .well-known/microsoft-identity-association.json method.

I am consistently receiving the error message "Verification of publisher domain failed. Unable to connect to https://<DOMAIN>/.well-known/microsoft-identity-association"

I am not seeing any requests to our webserver to access this URL either. However, I can see attempts on another server if I try accessing a different domain.

Please note I cannot use the TXT record domain verification process as our domain is already registered on our main (a different) tenant.

Our setup is as follows:

  • Main Entra Tenant - With a normal Entra DNS TXT record verified for our <DOMAIN> and used to manage our corporate directory. The app registration in question does not live here.
  • Child Tenant - where we wish to create the App Registration but still use the same publisher domain registered to our main tenant.

So my questions are as follows:

  1. Is this configuration not allowed or is there another technical reason blocking the verification? (Please note we have confirmed the content-type header is correct and there are no redirections in place at https://<DOMAIN>/.well-known/microsoft-identity-association.)
  2. If we wish to use our top-level domain <DOMAIN> as the publisher domain for app registrations, does that mean all apps must live in our main tenant?

1 answer

  1. Raja Pothuraju 960 Reputation points Microsoft Vendor
    2024-06-26T13:31:29.1233333+00:00

    Hello @Sean Bryceland,

    Thank you for posting your query on Microsoft Q&A.

    Based on the information provided, it appears you are attempting to verify a publisher domain for an application on your Entra tenant via the microsoft-identity-association.json method. You are consistently receiving the error message "Verification of publisher domain failed. Unable to connect to https://<DOMAIN>/.well-known/microsoft-identity-association".

    I understand that you have not verified the TXT record of your domain in the Entra tenant where your application is created because the domain is already verified in another Entra tenant.

    Your setup includes:

    1. A main Entra tenant where your domain is verified with TXT and MX records.
    2. A child tenant where you have created your application, but you wish to use the same publisher domain registered in your main tenant.

    Here are the answers to your queries:

    1. Is this configuration not allowed, or is there another technical reason blocking the verification? (Please note we have confirmed the content-type header is correct and there are no redirections in place at https://<DOMAIN>/.well-known/microsoft-identity-association.) Answer: No, this configuration is not allowed. To use a domain as your publisher domain for an app registration, the domain must be verified in the same directory (tenant) where the application is created.
    2. If we wish to use our top-level domain <DOMAIN> as the publisher domain for app registrations, does that mean all apps must live in our main tenant? Answer: Yes, if you wish to use your main domain as the publisher domain for your app registration applications, all applications must be created in your main tenant to use the same domain as the publisher domain.

    Please refer to the document below for more information on Publisher domain.

    Configure an app's publisher domain

    Hope this includes all the information that you were looking for.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    Thanks,
    Raja Pothuraju.
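
The hosting conditions the question says were confirmed (content-type header, no redirects) can be checked before retrying verification; the following is an added example, not part of the thread or Microsoft's tooling. The `associatedApplications`/`applicationId` file format and the exact `application/json` content type are taken as assumptions from Microsoft's publisher-domain documentation, the sample values are constructed, and the check does not cover the same-tenant requirement stated in the answer.

```python
import json
import urllib.error
import urllib.request

WELL_KNOWN = "/.well-known/microsoft-identity-association.json"
# Constructed sample data: the application ID is a placeholder, not a real app.
SAMPLE_APP_ID = "00000000-0000-0000-0000-000000000000"
SAMPLE_BODY = b'{"associatedApplications":[{"applicationId":"00000000-0000-0000-0000-000000000000"}]}'

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # do not follow; the 3xx then surfaces as HTTPError

def fetch(domain):
    """Fetch the association file over HTTPS without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open("https://" + domain + WELL_KNOWN, timeout=10) as r:
            return r.status, r.headers.get("Content-Type", ""), r.read()
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Content-Type", ""), e.read()

def check(status, content_type, body, app_id):
    """Return the problems found in a captured response; empty list means OK."""
    problems = []
    if 300 <= status < 400:
        problems.append("redirect")
    elif status != 200:
        problems.append("status")
    # Assumption: any parameter such as "; charset=utf-8" is rejected.
    if content_type.strip().lower() != "application/json":
        problems.append("content-type")
    try:
        apps = json.loads(body)["associatedApplications"]
        ids = {a["applicationId"].lower() for a in apps}
    except (ValueError, KeyError, TypeError, AttributeError):
        problems.append("json")
    else:
        if app_id.lower() not in ids:
            problems.append("app-id")
    return problems
```

Run it against the live host with `check(*fetch("<DOMAIN>"), app_id)`. A clean result only rules out the hosting side of the error.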