Confirm-MsolDomain
Updated: July 30, 2015
Applies To: Azure, Office 365, Windows Intune
Note
- The cmdlets were previously known as the Microsoft Online Services Module for Windows PowerShell cmdlets.
This cmdlet is used to confirm ownership of a domain. In order to confirm ownership, a custom TXT or MX DNS record must be added for the domain. The domain must first be added using the New-MsolDomain cmdlet, and then the Get-MsolDomainVerificationDNS cmdlet should be called to retrieve the details of the DNS record that must be set.
Note
Note that there may be a delay (15-60 minutes) between when the DNS update is made and when the cmdlet is able to verify.
Syntax
Confirm-MsolDomain -DomainName <string> [-ActiveLogOnUri <string>] [-DefaultInteractiveAuthenticationMethod <string>] [-FederationBrandName <string>] [-IssuerUri <string>] [-LogOffUri <string>] [-MetadataExchangeUri <string>] [-NextSigningCertificate <string>] [-OpenIDConnectDisoveryEndpoint <string>] [-PassiveLogOnUri <string>] [-SigningCertificate <string>] [-SupportsMFA <boolean>] [-TenantId <Guid>] [<CommonParameters>]
Parameters
-ActiveLogOnUri <string>
A URL that specifies the end point used by active clients when
authenticating with domains set up for single sign-on (also known as
identity federation) in Microsoft Office 365.
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-DomainName <string>
The fully qualified domain name (FQDN) to verify.
Required? true
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-DefaultInteractiveAuthenticationMethod <string>
Specifies the default interactive authentication method in the form of
a valid URI.
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-FederationBrandName <string>
The name of the string value shown to users when signing in to Office
365. We recommend that customers use something that is familiar to
users, such as "Contoso, Inc."
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-IssuerUri <string>
The unique identifier of the domain in the Office 365 identity
platform that is derived from the federation server.
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-LogOffUri <string>
The URL clients are redirected to when they sign out of Office 365.
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-MetadataExchangeUri <string>
The URL that specifies the metadata exchange end point used for
authentication from rich client applications such as Lync Online.
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-NextSigningCertificate <string>
The next token signing certificate that will be used to sign tokens
when the primary signing certificate expires.
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-OpenIDConnectDisoveryEndpoint <string>
Specifies the OpenID Connect Discovery Endpoint of a security token
service (STS) of a federated identity provider.
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-PassiveLogOnUri <string>
The URL that web-based clients will be directed to when signing in to
Office 365.
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-SigningCertificate <string>
The current certificate used to sign tokens passed to the Office 365
identity platform.
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-SupportsMFA <boolean>
Indicates whether the STS supports the Wauth parameter
https://schemas.microsoft.com/claims/multipleauthn and can issue the
claim https://schemas.microsoft.com/claims/authnmethodsreferences,
specifying that multi-factor authentication has been performed.
Required? false
Position? named
Default value false
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-TenantId <Guid>
The unique ID of the tenant to perform the operation on. If this is
not provided, then the value will default to the tenant of the current
user. This parameter is only applicable to partner users.
Required? false
Position? named
Default value
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer and OutVariable. For more information, type,
"get-help about_commonparameters".
Examples
Example 1
The following command attempts to verify the domain contoso.com. In order for domain verification to succeed, the appropriate DNS records must first be set up. The list of DNS records to set up can be retrieved using the Get-MsolDomainVerificationDns cmdlet.
Confirm-MsolDomain -DomainName contoso.com
Example 2
The following steps explain how to take ownership of a domain in Azure Active Directory, using Confirm-MsolDomain to confirm ownership as a final step.
Connect to Azure AD by running the following cmdlets:
Import-Module MSOnline
$msolcred = Get-Credential
Connect-MsolService -Credential $msolcred
Specify your domain, by using the New-MsolDomain cmdlet:
New-MsolDomain -Name <your_domain_name>
For example:
New-MsolDomain -Name contoso.com
Then run the Get-MsolDomainVerificationDns cmdlet to create a challenge:
Get-MsolDomainVerificationDns -DomainName <your_domain_name> -Mode DnsTxtRecord
For example:
Get-MsolDomainVerificationDns -DomainName contoso.com -Mode DnsTxtRecord
Copy the value (the challenge) that is returned from this command.
For example: MS=32DD01B82C05D27151EA9AE93C5890787F0E65D9
In your public DNS namespace, create a DNS TXT record that contains the value that you copied in the previous step.
The name for this record is the name of the parent domain, so if you create this resource record by using the DNS role from Windows Server, leave the Record name blank and just paste the value into the Text box.
Run the Confirm-MsolDomain cmdlet to verify the challenge:
Confirm-MsolDomain -DomainName <your_domain_name>
For example:
Confirm-MsolDomain -DomainName contoso.com
A successful challenge returns you to the prompt without an error.
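The last two steps above, as an added PowerShell example that is not part of the original documentation: it polls a public resolver until the TXT challenge is visible (covering the 15-60 minute delay noted earlier) and only then runs Confirm-MsolDomain. The helper name Wait-MsolDomainChallenge, the resolver 8.8.8.8 and the polling intervals are assumptions; Resolve-DnsName requires the DnsClient module (Windows 8 / Windows Server 2012 or later).

```powershell
# Added example, not part of the original documentation.
# Wait-MsolDomainChallenge is a hypothetical helper name; the resolver address
# and polling intervals are assumptions chosen for illustration.
function Wait-MsolDomainChallenge {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $DomainName,
        # The value copied from Get-MsolDomainVerificationDns (MS=...).
        [Parameter(Mandatory)] [string] $Challenge,
        # A public resolver, so the check reflects what the service can see
        # rather than an internal split-horizon zone.
        [string] $Resolver = '8.8.8.8',
        [int] $TimeoutMinutes = 60,
        [int] $PollSeconds = 120
    )

    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        # -DnsOnly skips LLMNR/NetBIOS. A missing record is a non-terminating
        # error, silenced here so the loop can retry.
        $txt = Resolve-DnsName -Name $DomainName -Type TXT -Server $Resolver `
                   -DnsOnly -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'TXT' } |
               ForEach-Object { $_.Strings -join '' }

        # Whole-value match only: a TXT record that merely contains the
        # challenge as a substring does not pass.
        if ($txt -contains $Challenge) { return $true }

        Write-Verbose "Challenge not visible on $Resolver yet; retrying in $PollSeconds s."
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)

    return $false
}

$domain    = 'contoso.com'
$challenge = 'MS=32DD01B82C05D27151EA9AE93C5890787F0E65D9'   # sample value from the steps above

if (Wait-MsolDomainChallenge -DomainName $domain -Challenge $challenge -Verbose) {
    # -ErrorAction Stop turns a failed verification into a terminating error,
    # so a calling script cannot mistake it for success.
    Confirm-MsolDomain -DomainName $domain -ErrorAction Stop
} else {
    Write-Error "TXT challenge for $domain was not visible within the timeout."
}
```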
Additional Resources
There are several other places you can get more information and help. These include: