L1. Entra ID Tenant Configuration and Custom Domains
Learn the foundational skills for the SC-300 exam: configuring an Entra ID tenant, verifying custom domains, managing tenant properties, and understanding the relationship between tenants, subscriptions, and licenses that every identity administrator must master.
Entra ID Tenant Architecture
An Entra ID tenant is the dedicated identity boundary for your organization. When a company signs up for any Microsoft cloud service (Microsoft 365, Azure, Dynamics 365), a tenant is automatically provisioned. Every user, group, application, and policy lives inside this boundary.
For the SC-300 exam, you need to understand that a tenant is not the same as a subscription. A single tenant can have multiple Azure subscriptions and multiple Microsoft 365 licenses attached to it. The tenant is the identity layer; subscriptions and licenses are resource layers.
Custom Domains
Every new tenant starts with a default domain: yourorg.onmicrosoft.com. To use your corporate domain (e.g., contoso.com), you must add and verify it.
Verification process:
- Navigate to Entra admin center > Custom domain names
- Add the domain name
- Create a DNS TXT or MX record at your registrar
- Wait for verification (can take up to 72 hours)
- Set as primary domain if desired
| Record Type | Purpose | Where to Add |
|---|---|---|
| TXT | Preferred verification method | DNS registrar |
| MX | Alternative verification | DNS registrar |
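The verification steps above, carried out with Microsoft Graph PowerShell instead of the admin center, as an added example (not part of the lesson or of Microsoft's documentation). It assumes the Microsoft.Graph module is installed, the signed-in account holds Domain.ReadWrite.All, and contoso.com is a placeholder for your own domain; the MS=ms... verification value shown in comments is illustrative.

```powershell
# Added example: add a custom domain, read the DNS records Entra expects, and poll for verification.
# Assumes: Microsoft.Graph module installed; account has Domain.ReadWrite.All; contoso.com is a placeholder.

Connect-MgGraph -Scopes "Domain.ReadWrite.All"

$domainName = "contoso.com"   # placeholder; replace with the corporate domain being verified

# Step 2 of the lesson: add the domain. It is created in an unverified state.
$domain = Get-MgDomain -DomainId $domainName -ErrorAction SilentlyContinue
if (-not $domain) {
    $domain = New-MgDomain -Id $domainName
}

# Step 3: fetch the records to publish at the registrar. TXT is the preferred method, MX the alternative.
# The record-specific fields (text, mailExchange) are surfaced under AdditionalProperties; key names assumed.
Get-MgDomainVerificationDnsRecord -DomainId $domainName |
    ForEach-Object {
        [pscustomobject]@{
            RecordType   = $_.RecordType
            Label        = $_.Label
            Ttl          = $_.Ttl
            Text         = $_.AdditionalProperties['text']         # TXT value, e.g. "MS=ms12345678" (illustrative)
            MailExchange = $_.AdditionalProperties['mailExchange'] # MX target for the alternative method
        }
    } | Format-Table -AutoSize

# Step 4: once the record is published, ask Entra to verify. Propagation can take time (the lesson
# says up to 72 hours), so retry with a bounded number of attempts rather than looping forever.
$verified = $false
for ($attempt = 1; ($attempt -le 6) -and (-not $verified); $attempt++) {
    try {
        Confirm-MgDomain -DomainId $domainName -ErrorAction Stop
        $verified = (Get-MgDomain -DomainId $domainName).IsVerified
    }
    catch {
        Write-Host "Attempt ${attempt}: not verified yet ($($_.Exception.Message))"
        Start-Sleep -Seconds 300
    }
}

# Step 5 (optional): make the verified domain the primary (default) domain for new users.
if ($verified) {
    Update-MgDomain -DomainId $domainName -IsDefault:$true
    Write-Host "$domainName verified and set as primary domain."
}
else {
    Write-Warning "$domainName is still unverified; check the TXT/MX record at the registrar before retrying."
}
```

Keep the verification record in DNS after the domain is confirmed: removing it does not un-verify the domain, but leaving it in place avoids surprises if the domain ever has to be re-confirmed. An unverified domain cannot be used as a UPN suffix, which is the point of the first review question at the end of the lesson.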
Tenant Properties
Key tenant properties you can configure:
- Tenant name and technical contact: Basic organizational metadata
- Global privacy statement URL: Required for some compliance scenarios
- Country or region: Determines data residency; cannot be changed after creation
- Notification language: Controls the language of system-generated emails
Tenant-Level Security Defaults
Security defaults provide baseline protection for tenants that do not have Conditional Access. When enabled, security defaults enforce:
- MFA registration for all users
- MFA challenges for administrators on every sign-in
- Blocking of legacy authentication protocols
Security defaults and Conditional Access are mutually exclusive: you must disable security defaults before creating Conditional Access policies.
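A read-only posture check that covers the tenant properties and the security-defaults rule just described, written as an added example in Microsoft Graph PowerShell (not code from the lesson). It assumes the Microsoft.Graph module and an account with Organization.Read.All and Policy.Read.All; the final, commented-out line needs Policy.ReadWrite.ConditionalAccess and is left for a deliberate, separate action.

```powershell
# Added example: report tenant properties and check that exactly one baseline protection
# (security defaults or Conditional Access) is active, since the two cannot coexist.
# Assumes: Microsoft.Graph module installed; Organization.Read.All and Policy.Read.All granted.

Connect-MgGraph -Scopes "Organization.Read.All", "Policy.Read.All"

# Tenant properties from the lesson. CountryLetterCode is fixed at creation; the others are editable.
$org = Get-MgOrganization
[pscustomobject]@{
    TenantName        = $org.DisplayName
    CountryLetterCode = $org.CountryLetterCode
    TechnicalContacts = ($org.TechnicalNotificationMails -join ', ')
    PrivacyStatement  = $org.PrivacyProfile.StatementUrl
} | Format-List

# Security defaults state and Conditional Access inventory.
$securityDefaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
$caPolicies       = @(Get-MgIdentityConditionalAccessPolicy -All)
$enabledCa        = @($caPolicies | Where-Object { $_.State -eq 'enabled' })

Write-Host "Security defaults enabled  : $($securityDefaults.IsEnabled)"
Write-Host "Conditional Access policies: $($caPolicies.Count) total, $($enabledCa.Count) enabled"

# Classify the tenant. The lesson's rule: disable security defaults before creating CA policies,
# and do not leave the tenant with neither mechanism in place.
if ($securityDefaults.IsEnabled -and $caPolicies.Count -gt 0) {
    Write-Warning ("Security defaults are on and CA policies exist. New CA policies cannot be created " +
                   "until security defaults are disabled; confirm the CA set covers MFA and legacy-auth blocking first.")
}
elseif (-not $securityDefaults.IsEnabled -and $enabledCa.Count -eq 0) {
    Write-Warning "Neither security defaults nor an enabled CA policy protects this tenant."
}
else {
    Write-Host "OK: exactly one baseline mechanism is active."
}

# Disabling security defaults is the prerequisite for Conditional Access. Run it only after the CA
# policies are in place and reviewed (requires Policy.ReadWrite.ConditionalAccess):
# Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$false
```

The script only reads; the one write, disabling security defaults, is left commented because the ordering matters: a tenant with defaults off and no enabled CA policy has lost MFA enforcement and the legacy-authentication block until the replacement policies are enabled.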
Managing Multiple Tenants
Large enterprises may operate multiple tenants for regulatory, geographic, or organizational reasons. Cross-tenant access settings allow you to configure B2B collaboration and B2B direct connect between tenants. This is configured under External Identities > Cross-tenant access settings.
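An added example (not from the lesson) that reads the cross-tenant access settings described above with Microsoft Graph PowerShell, so the defaults and any per-partner overrides can be reviewed in one place. It assumes the Microsoft.Graph module and Policy.Read.All; the nested property names follow the crossTenantAccessPolicy Graph resource and are stated here as an assumption about the PowerShell object shape.

```powershell
# Added example: list the tenant-wide defaults and partner-specific cross-tenant access settings
# for B2B collaboration and B2B direct connect. Assumes Microsoft.Graph and Policy.Read.All.

Connect-MgGraph -Scopes "Policy.Read.All"

# Helper: summarise one inbound/outbound setting as "users: <accessType> / apps: <accessType>".
# Property names assumed from the Graph crossTenantAccessPolicyB2BSetting resource.
function Format-B2BSetting($setting) {
    if ($null -eq $setting) { return '(inherits default)' }
    "users: $($setting.UsersAndGroups.AccessType) / apps: $($setting.Applications.AccessType)"
}

# Tenant-wide defaults apply to every external tenant without a partner entry.
$default = Get-MgPolicyCrossTenantAccessPolicyDefault
[pscustomobject]@{
    Scope                    = 'DEFAULT (all other tenants)'
    B2BCollaborationInbound  = Format-B2BSetting $default.B2bCollaborationInbound
    B2BCollaborationOutbound = Format-B2BSetting $default.B2bCollaborationOutbound
    B2BDirectConnectInbound  = Format-B2BSetting $default.B2bDirectConnectInbound
    B2BDirectConnectOutbound = Format-B2BSetting $default.B2bDirectConnectOutbound
} | Format-List

# Partner entries override the defaults for a named tenant; review each one, since a
# permissive partner setting is what widens the identity boundary described in the lesson.
Get-MgPolicyCrossTenantAccessPolicyPartner -All | ForEach-Object {
    [pscustomobject]@{
        Scope                    = "PARTNER $($_.TenantId)"
        B2BCollaborationInbound  = Format-B2BSetting $_.B2bCollaborationInbound
        B2BCollaborationOutbound = Format-B2BSetting $_.B2bCollaborationOutbound
        B2BDirectConnectInbound  = Format-B2BSetting $_.B2bDirectConnectInbound
        B2BDirectConnectOutbound = Format-B2BSetting $_.B2bDirectConnectOutbound
    }
} | Format-List
```

Run this before and after changing settings in External Identities > Cross-tenant access settings to confirm that a change intended for one partner did not land on the defaults.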
- ✓ A tenant is the identity boundary; subscriptions and licenses are separate resource layers attached to it
- ✓ Custom domains must be verified via DNS TXT or MX record before they can be used for user UPNs
- ✓ Tenant country/region determines data residency and cannot be changed after creation
- ✓ Security defaults and Conditional Access are mutually exclusive: disable defaults before creating CA policies
- ✓ Cross-tenant access settings control B2B collaboration and B2B direct connect between multiple tenants
1. What must be completed before users can be assigned a UPN with a custom domain suffix?
2. What happens when you enable security defaults on a tenant that already has Conditional Access policies?
3. Which tenant property cannot be changed after initial creation?