Microsoft Entra ID · Remaining Built-in Roles
Domain Name Administrator
Can manage domain names in cloud and on-premises including adding, verifying, and removing custom domains.
Scope: Custom domain management including verification, configuration, and removal
Permissions
- Full domain management
- Add new domains
- Remove domains
- Read domain properties
- Update domain settings
- Configure domain federation
- Verify domain ownership
- Add and verify custom domain names
- Configure DNS records for domains
- Remove domains from tenant
Common use cases
- Custom domain configuration for the tenant
- Domain verification and DNS setup
- Multi-domain tenant management
- Domain federation configuration
- UPN suffix management
- Email domain configuration
- Vanity domain setup
Best practices
- Coordinate with DNS team for verification
- Document all domain configurations
- Verify DNS propagation before verification
- Plan domain removal carefully
- Consider impact on user UPNs
- Use PIM for just-in-time access
- Test federation in non-production first
Security considerations
- Domain changes affect user identity
- Domain removal can impact authentication
- Federation configuration is security-sensitive
- Coordinate with Hybrid Identity Admin
- Audit domain configuration changes
- Alert on domain additions or removals
Common questions
When should I assign the Domain Name Administrator role?
Assign Domain Name Administrator when you need to: Custom domain configuration for the tenant; Domain verification and DNS setup; Multi-domain tenant management; Domain federation configuration; and UPN suffix management. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Domain Name Administrator role do?
The Domain Name Administrator role grants permissions including: Full domain management; Add new domains; Remove domains; Read domain properties; Update domain settings; and Configure domain federation. See the Permissions section above for the full list.
What are the security risks of the Domain Name Administrator role?
Key considerations when assigning Domain Name Administrator: Domain changes affect user identity; Domain removal can impact authentication; Federation configuration is security-sensitive; and Coordinate with Hybrid Identity Admin. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.