Microsoft Entra ID · Remaining Built-in Roles
Domain Name Administrator
Can manage domain names in cloud and on-premises, including adding, verifying, and removing custom domains.
Scope: Custom domain management including verification, configuration, and removal
Permissions
- Full domain management
- Add new domains
- Remove domains
- Read domain properties
- Update domain settings
- Configure domain federation
- Verify domain ownership
- Add and verify custom domain names
- Configure DNS records for domains
- Remove domains from tenant
Common use cases
- Custom domain configuration for the tenant
- Domain verification and DNS setup
- Multi-domain tenant management
- Domain federation configuration
- UPN suffix management
- Email domain configuration
- Vanity domain setup
Best practices
- Coordinate with the DNS team for verification
- Document all domain configurations
- Confirm DNS record propagation before attempting domain verification
- Plan domain removal carefully
- Consider impact on user UPNs
- Use PIM for just-in-time access
- Test federation in non-production first
Security considerations
- Domain changes affect user identity
- Domain removal can impact authentication
- Federation configuration is security-sensitive
- Coordinate with Hybrid Identity Admin
- Audit domain configuration changes
- Alert on domain additions or removals
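One way to act on the audit and alert items above, as an added example that is not part of the original page: a triage pass over audit records in the Microsoft Graph directoryAudit shape. The activity names are the ones Entra ID is assumed to write for domain operations (confirm them against your tenant's audit log); the function name, the approved-operator list and the sample records are constructed for illustration.

```python
# Audit-log activity names for domain operations (assumption: verify in your
# tenant's log), mapped to a baseline severity.
DOMAIN_ACTIVITIES = {
    "Add unverified domain": "medium",
    "Add verified domain": "medium",
    "Verify domain": "medium",
    "Remove unverified domain": "medium",
    "Remove verified domain": "high",             # can break sign-in for UPNs on it
    "Set domain authentication": "high",          # managed/federated switch
    "Set federation settings on domain": "high",  # federation trust settings
}

def triage(records, approved_actors=()):
    """Return one alert dict per domain-related audit record (hypothetical helper)."""
    approved = {a.lower() for a in approved_actors}
    alerts = []
    for rec in records:
        activity = rec.get("activityDisplayName")
        severity = DOMAIN_ACTIVITIES.get(activity)
        if severity is None:
            continue  # not a domain operation
        user = (rec.get("initiatedBy") or {}).get("user") or {}
        actor = user.get("userPrincipalName") or "unknown"
        # With an operator list supplied, any other actor (or an app) escalates.
        if approved and actor.lower() not in approved:
            severity = "high"
        domains = [t.get("displayName") for t in rec.get("targetResources") or []]
        alerts.append({"time": rec.get("activityDateTime"), "activity": activity,
                       "actor": actor, "domains": domains,
                       "result": rec.get("result"), "severity": severity})
    return alerts

def _rec(time, activity, upn, target):
    """Build a constructed sample record; upn=None models an app-initiated change."""
    who = {"user": {"userPrincipalName": upn}} if upn else {"app": {"displayName": "sample-app"}}
    return {"activityDateTime": time, "activityDisplayName": activity, "result": "success",
            "initiatedBy": who, "targetResources": [{"displayName": target}]}

# Constructed sample data, not real tenant logs.
SAMPLE = [
    _rec("2024-05-01T09:00:00Z", "Add unverified domain", "dns-admin@contoso.example", "fabrikam.example"),
    _rec("2024-05-01T09:20:00Z", "Set federation settings on domain", "dns-admin@contoso.example", "fabrikam.example"),
    _rec("2024-05-01T23:41:00Z", "Verify domain", None, "unexpected.example"),
    _rec("2024-05-02T08:00:00Z", "Update user", "helpdesk@contoso.example", "alice@contoso.example"),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE, approved_actors=["dns-admin@contoso.example"]):
        print(alert["severity"], alert["time"], alert["activity"], alert["actor"], alert["domains"])
```

Feeding the function the holders of the Domain Name Administrator role as `approved_actors` makes a domain change by any other identity stand out even when the activity itself is routine.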