Add a domain to a client tenancy with Windows PowerShell for Delegated Access Permission (DAP) partners

This article applies to both Microsoft 365 Enterprise and Office 365 Enterprise.

You can create and associate new domains with your customer's tenancy with PowerShell for Microsoft 365 faster than using the Microsoft 365 admin center.

Delegated Access Permission (DAP) partners are Syndication and Cloud Solution Providers (CSP) Partners. They are frequently network or telecom providers to other companies. They bundle Microsoft 365 subscriptions into their service offerings to their customers. When they sell a Microsoft 365 subscription, they are automatically granted Administer On Behalf Of (AOBO) permissions to the customer tenancies so they can administer and report on the customer tenancies.

What do you need to know before you begin?

The procedures in this topic require you to connect to Connect to Microsoft 365 with PowerShell.

You also need your partner tenant administrator credentials.

You also need the following information:

  • You need the fully qualified domain name (FQDN) that your customer wants.

  • You need the customer's TenantId.

  • The FQDN must be registered with an Internet domain name service (DNS) registrar, such as GoDaddy. For more information on how to publically register a domain name, see How to buy a domain name.

  • You need to know how to add a TXT record to the registered DNS zone for your DNS registrar. For more information on how to add a TXT record, see Add DNS records to connect your domain. If those procedures don't work for you, you will need to find the procedures for your DNS registrar.

Create domains

Your customers will likely ask you to create additional domains to associate with their tenancy because they don't want the default <domain> domain to be the primary one that represents their corporate identities to the world. This procedure walks you through creating a new domain associated with your customer's tenancy.


To perform some of these operations, the partner administrator account you sign in with must be set to Full administration for the Assign administrative access to companies you support setting found in the details of the admin account in the Microsoft 365 admin center. For more information on managing partner administrator roles, see Partners: Offer delegated administration.

Create the domain in Microsoft Entra ID

This command creates the domain in Microsoft Entra ID but does not associate it with the publicly registered domain. That comes when you prove that you own the publicly registered domain to Microsoft 365 for enterprises.

New-MsolDomain -TenantId <customer TenantId> -Name <FQDN of new domain>


PowerShell Core does not support the Microsoft Azure Active Directory module for Windows PowerShell module and cmdlets with Msol in their name. To continue using these cmdlets, you must run them from Windows PowerShell.

Get the data for the DNS TXT verification record

Microsoft 365 will generate the specific data that you need to place into the DNS TXT verification record. To get the data, run this command.

Get-MsolDomainVerificationDNS -TenantId <customer TenantId> -DomainName <FQDN of new domain> -Mode DnsTxtRecord

This will give you output like:


Text: MS=ms########

Ttl: 3600


You will need this text to create the TXT record in the publicly registered DNS zone. Be sure to copy and save it.

Add a TXT record to the publically registered DNS zone

Before Microsoft 365 will start accepting traffic that is directed to the publicly registered domain name, you must prove that you own and have administrator permissions to the domain. You prove you own the domain by creating a TXT record in the domain. A TXT record doesn't do anything in your domain, and it can be deleted after your ownership of the domain is established. To create the TXT records, follow the procedures at Add DNS records to connect your domain. If those procedures don't work for you , you need to find the procedures for your DNS registrar.

Confirm the successful creation of the TXT record via nslookup. Follow this syntax.

nslookup -type=TXT <FQDN of registered domain>

This will give you output like:

Non-authoritative answer:

FQDN of the registered domain


Validate domain ownership in Microsoft 365

In this last step, you validate to Microsoft 365 that you own the publically registered domain. After this step, Microsoft 365 will begin accepting traffic routed to the new domain name. To complete the domain creation and registration process, run this command.

Confirm-MsolDomain -TenantId <customer TenantId> -DomainName <FQDN of new domain>

This command won't return any output, so to confirm that this worked, run this command.

Get-MsolDomain -TenantId <customer TenantId> -DomainName <FQDN of new domain>

This will return something like this

Name                   Status      Authentication
--------------------   ---------   --------------
FQDN of new domain     Verified    Managed

See also

Help for partners