Hello @Sean Bryceland,
Thank you for posting your query on Microsoft Q&A.
Based on the information provided, it appears you are attempting to verify a publisher domain for an application on your Entra tenant via the microsoft-identity-association.json
method. You are consistently receiving the error message "Verification of publisher domain failed. Unable to connect to https://<DOMAIN>/.well-known/microsoft-identity-association".
I understand that you have not verified the TXT record of your domain in the Entra tenant where your application is created because the domain is already verified in another Entra tenant.
Your setup includes:
- A main Entra tenant where your domain is verified with TXT and MX records.
- A child tenant where you have created your application, but you wish to use the same publisher domain registered in your main tenant.
Here are the answers to your queries:
- Is this configuration not allowed, or is there another technical reason blocking the verification? (Please note we have confirmed the content-type header is correct and there are no redirections in place at https://<DOMAIN>/.well-known/microsoft-identity-association.) Answer: No, this configuration is not allowed. To use a domain as your publisher domain for an app registration, the domain must be verified in the same directory (tenant) where the application is created.
- If we wish to use our top-level domain <DOMAIN> as the publisher domain for app registrations, does that mean all apps must live in our main tenant? Answer: Yes, if you wish to use your main domain as the publisher domain for your app registration applications, all applications must be created in your main tenant to use the same domain as the publisher domain.
Please refer the below document for more information on Publisher domain.
Configure an app's publisher domain
Hope this includes all the information that you were looking for.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Thanks,
Raja Pothuraju.