
Regarding domain verify in Custom Domain names in Azure AD issue

Satyanarayana Marisetty 0 Reputation points
2026-04-17T13:00:58.04+00:00

Domain verification is failing for custom domain names at Azure AD while registering. The domain DNS entry is correct and updated in the DNS registrar, and the domain is not part of any other Azure AD, no unmanaged directory found but still the domain verification is failing. Can you please suggest further analysis to fix this issue ?

Step 1 → nslookup on ns1-ns4.msft.net - still refused, though other DNS servers are resolving.

Step 2 → Check dnschecker.org - All GREEN

Step 3 → Check DNSSEC is not enabled. 

Step 4 → Check duplicate hosted zones - No duplicate hosted zones. 

Step 5 → Try MX record method - tried with MX record as well.

Still, domain verification is failing - can you help with what needs to be checked?

Azure DevOps

1 answer

  1. Siddhesh Desai 7,055 Reputation points Microsoft External Staff Moderator
    2026-04-17T13:25:17.85+00:00

    Hi @Satyanarayana Marisetty

    Thank you for reaching out to Microsoft Q&A.

    Domain verification for custom domain names in Azure AD (Microsoft Entra ID) can fail even when DNS records appear correct in public tools. This typically happens because Azure AD uses its own internal DNS resolvers and strict validation logic rather than relying purely on cached or third‑party DNS checkers. As a result, scenarios such as the domain being previously (or partially) associated with another tenant, TXT records not being reachable from authoritative name servers, TXT records created at an incorrect DNS level, DNS providers splitting or altering TXT values, or stale verification metadata cached on the Azure backend can cause verification to fail. In some cases, Microsoft verification queries may also be blocked or refused by the authoritative DNS servers, which explains why public tools show GREEN, but Azure AD still cannot validate ownership.

    Refer to the points below to resolve this issue, or use them as the workaround:

    1. Check if the domain is already associated with any Entra ID tenant
       Even if the portal says the domain is not in use, verify it explicitly by checking whether any tenant ID is returned when the domain name is queried using Microsoft tools (for example, tenant‑lookup utilities). If a tenant ID is returned, the domain is already registered and must be removed from that tenant before it can be verified again.

    2. Query TXT records directly from authoritative DNS servers
       Public DNS tools may return cached or non‑authoritative responses, which Azure AD does not trust. Run lookups against the authoritative name servers of your domain to confirm the TXT record is returned correctly. Example:

    nslookup -q=TXT yourdomain.com ns1.yourdnsprovider.com
    nslookup -q=TXT yourdomain.com ns2.yourdnsprovider.com
    

    If the TXT record is missing or the query is refused, Azure AD verification will fail.

    3. Ensure the TXT record is created at the domain apex (root)
       The verification TXT record must be created at the root of the domain. Correct configuration:

    • Host/Name: @
    • Type: TXT
    • Value: MS=msXXXXXXX

    Creating the record on www or any subdomain will not work, even though DNS checkers may still show the record.

    4. Validate that the TXT value is not split or modified by the DNS provider
       Some DNS providers split TXT values into multiple strings or add quotes automatically. Azure AD requires the full MS=msXXXXXXX value to be returned as a single string. Use:

    Resolve-DnsName yourdomain.com -Type TXT
    

    to confirm how the TXT record is actually resolved.

    5. Remove and re‑add the custom domain in Entra ID
       Azure AD can cache failed verification attempts. Remove the custom domain from Entra ID, wait briefly, re‑add it, and use the newly generated TXT value. Then attempt verification again.

    6. Check for DNS security or firewall restrictions
       Ensure your authoritative DNS servers allow queries from Microsoft resolvers. DNS firewalls, rate limiting, or geo/ASN filtering can block Azure verification requests while still allowing public resolvers to work.


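The checks in points 2 to 4 of the answer (ask each authoritative name server directly for the apex TXT record, detect a REFUSED response, and detect a verification value that a provider has split into several strings) can be automated. The script below is an added example, not code from the answer or from Microsoft; it assumes the dnspython package is installed and takes the `MS=ms...` value from your own Entra ID domain page as its second argument.

```python
"""Check an Entra ID domain-verification TXT record at the authoritative
name servers of a domain. Added example; requires dnspython for live queries
(pip install dnspython). The classification logic is pure and testable."""
import sys


def classify_txt(rdata_strings, expected):
    """rdata_strings: list of TXT records, each a tuple of byte strings exactly
    as the server returned them (dnspython exposes this as rdata.strings).
    Returns 'ok'      if `expected` is present as one whole string,
            'split'   if it only appears when a record's strings are joined,
            'missing' otherwise."""
    for strings in rdata_strings:
        parts = [s.decode("ascii", "replace") for s in strings]
        if expected in parts:
            return "ok"
        if "".join(parts) == expected:
            return "split"
    return "missing"


def query_authoritative(domain, expected, timeout=5.0):
    """Yield (ns_name, result) for every authoritative NS of `domain`, asking
    each server directly (no recursion, no cache) for TXT at the apex.
    `result` is 'ok'/'split'/'missing', or the rcode text (e.g. 'REFUSED')
    when the server does not answer the query at all."""
    import dns.message, dns.query, dns.rcode, dns.rdatatype, dns.resolver
    for ns in dns.resolver.resolve(domain, "NS"):
        ns_name = ns.target.to_text()
        for addr in dns.resolver.resolve(ns_name, "A"):
            query = dns.message.make_query(domain, "TXT")  # apex, not www
            resp = dns.query.udp(query, addr.to_text(), timeout=timeout)
            if resp.rcode() != dns.rcode.NOERROR:
                yield ns_name, dns.rcode.to_text(resp.rcode())
                continue
            records = [r.strings for rrset in resp.answer
                       if rrset.rdtype == dns.rdatatype.TXT for r in rrset]
            yield ns_name, classify_txt(records, expected)


if __name__ == "__main__":
    # usage: python check_txt.py example.com MS=ms12345678
    domain, expected = sys.argv[1], sys.argv[2]
    for ns_name, result in query_authoritative(domain, expected):
        print(f"{ns_name}: {result}")
```

Any server that reports REFUSED or 'missing' here is one Microsoft's resolvers can also hit, so fix that server (or its firewall rule) rather than re-checking public DNS tools.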
