Help! MS365 admin page is not adding domains properly
Posted by BalmoralMontrose@reddit | sysadmin | 13 comments
I have members of my team add domains via MS365 admin console and it will add all the MX records and such to GoDaddy. This stopped working today, the web page jumps from acknowledging ownership to "complete". But never sets up DNS and never provides the DNS settings to do things manually. I called support and they "assured me" that it's an outage. I asked for the outage number so that I can track it and I got crickets. He told me he'd watch it for me, it's not a problem. It's just an outage.
Thing is I have upset customers. So I kind of need a workaround. I assume there's some sort of pattern to the DNS settings? Does anyone have a PowerShell script or know of a guide that isn't Microsoft's poorly documented and often wrong KnowledgeBase (which just points me back to this broken system, or functionality that doesn't exist)?
Hoping one of you sysadmins out there just sort of know this stuff off hand.
thmeez@reddit
You can manually check out the Graph Explorer, then get records using: List serviceConfigurationRecords - Microsoft Graph v1.0 | Microsoft Learn
After that you can add DNS records.
BalmoralMontrose@reddit (OP)
Missed this before I posted a longer set of instructions but that's essentially the solution. What a PIA.
BalmoralMontrose@reddit (OP)
u/saltyslugga was pretty close to correct but I found the answer was the Graph API via PowerShell. Here are the commands:
The last command there will fail
But then
This brings back a list with values like
You basically need the MX record, the SPF record, the CNAME autodiscover.
Then I went to the webpage to verify my site. That worked. But then skipped the domain setup when I told it I want to add the DNS settings myself. 10 minutes later? I received an email saying a new domain was added.
That's what worked for me.
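An added example, not the commands from the comment above: it turns the `value` array returned by the Graph "List serviceConfigurationRecords" call into rows you can type into a DNS host, and flags an MX target that differs from the guessed dots-to-dashes pattern. The function name, the domain and the sample records are constructed; the live call in the comment assumes the Microsoft.Graph.Authentication module and the Domain.Read.All permission.

```powershell
# Added example, not the commands from the thread. Domain and records below are constructed.
function ConvertTo-DnsRecordRow {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory, ValueFromPipeline)][System.Collections.IDictionary]$Record
    )
    begin {
        # The MX target people tend to guess: dots in the domain replaced with dashes.
        $guessedMx = ($Domain -replace '\.', '-') + '.mail.protection.outlook.com'
    }
    process {
        $note = ''
        $data = switch ($Record.recordType) {
            'Mx' {
                if ($Record.mailExchange -ne $guessedMx) { $note = "differs from guessed $guessedMx" }
                '{0} {1}' -f $Record.preference, $Record.mailExchange
            }
            'Txt'   { $Record.text }
            'CName' { $Record.canonicalName }
        }
        if (-not $data) {
            Write-Warning "Skipping $($Record.recordType) record for $($Record.label): type not handled here"
            return
        }
        [pscustomobject]@{
            Service = $Record.supportedService
            Type    = $Record.recordType.ToUpper()
            Name    = $Record.label
            Ttl     = $Record.ttl
            Data    = $data
            Note    = $note
        }
    }
}

$domain = 'example.com'
# Constructed stand-in for the "value" array of the Graph response.
$records = @(
    @{ recordType = 'Mx'; label = 'example.com'; ttl = 3600; supportedService = 'Email'; preference = 0; mailExchange = 'example-com0a.mail.protection.outlook.com' }
    @{ recordType = 'Txt'; label = 'example.com'; ttl = 3600; supportedService = 'Email'; text = 'v=spf1 include:spf.protection.outlook.com -all' }
    @{ recordType = 'CName'; label = 'autodiscover.example.com'; ttl = 3600; supportedService = 'Email'; canonicalName = 'autodiscover.outlook.com' }
)
# Live use instead of the sample:
#   Connect-MgGraph -Scopes 'Domain.Read.All'
#   $records = (Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/domains/$domain/serviceConfigurationRecords").value
$records | ConvertTo-DnsRecordRow -Domain $domain | Format-Table -AutoSize
```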
saltyslugga@reddit
The MX pattern is yourdomain-com.mail.protection.outlook.com (replace dots with dashes in the domain name). Autodiscover is a CNAME to autodiscover.outlook.com. SPF is v=spf1 include:spf.protection.outlook.com -all.
For DKIM you have to enable it in the Defender portal after the domain is verified, it gives you two CNAMEs (selector1._domainkey and selector2._domainkey) pointing to tenant-specific targets.
Get-AcceptedDomain and Get-DkimSigningConfig via Exchange Online PowerShell will pull anything tenant-specific you need.
BalmoralMontrose@reddit (OP)
I'm pretty sure this is close to correct, but EOP gets in the way.
foo-com.mail.protection.outlook.com is what you'd expect
but it needs to be something like
foo-comXX.mail.protection.outlook.com where XX is a generated hex for uniqueness.
Every documented solution says for EOP you need to use the domains admin page. I feel like there has to be a trick with PowerShell, but my Google Fu is failing me.
TheBananaTurtle@reddit
Same here too. Got an open ticket.
jibaboom8@reddit
I got the same issues as well. Reported to Microsoft too.
trebuchetdoomsday@reddit
You're putting customers on GoDaddy?
BalmoralMontrose@reddit (OP)
I inherited this process. I’d go Namecheap if I had my way.
Supersmarsh@reddit
I'm experiencing the same issue. Reported to Microsoft earlier today.
Verification record was fine. Continuing setup to manually access the DNS records jumped me straight to "Domain setup is complete".
LesPaulAce@reddit
Go to the GoDaddy DNS management and add the values manually. The manual entries you need are listed in your tenant.
BalmoralMontrose@reddit (OP)
I had the same thought. Except the DNS settings aren't present there.
St0nywall@reddit
Did you ask to speak to their manager?